Forbidding access to a directory.

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Use local paths. If you do http, it'll attempt to access it over the network, and Apache will say "DENY!"
JellyFish
DevNet Resident
Posts: 1361
Joined: Tue Feb 14, 2006 7:18 pm
Location: San Diego, CA

Post by JellyFish »

I changed my code to this:

Code:

header("Content-type: video/x-flv");
$stream = fopen("/home/content/html/chart-room/videos/".$_GET['filename'], "r");
echo fgets($stream);

It still doesn't appear to work. Am I outputting the file right?

How would you do it?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Unless the file is small, a single fgets() won't be enough to finish the file...
JellyFish
DevNet Resident
Posts: 1361
Joined: Tue Feb 14, 2006 7:18 pm
Location: San Diego, CA

Post by JellyFish »

feyd wrote: Unless the file is small, a single fgets() won't be enough to finish the file...
What would then?
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

A loop with fgets inside. Or fread (since you're reading a binary file).
JellyFish
DevNet Resident
Posts: 1361
Joined: Tue Feb 14, 2006 7:18 pm
Location: San Diego, CA

Post by JellyFish »

Code:

header("Content-type: video/x-flv");
$stream = fopen("/home/content/html/".$_GET['filename'], "rb");
fpassthru($stream);

This seems to work, although is this a good way to do it? I think it might be making the video player act funky.

EDIT: Apparently there are many ways to output a file: file(), fread(), file_get_contents(), etc. But which is best? Which would make my PHP file act exactly like the video file that it outputs?
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

There are different methods because they do different things. Try them.
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Be careful. What if someone passes "../../../ect/passwd"?
JellyFish
DevNet Resident
Posts: 1361
Joined: Tue Feb 14, 2006 7:18 pm
Location: San Diego, CA

Post by JellyFish »

Ambush Commander wrote: Be careful. What if someone passes "../../../ect/passwd"?
What would they pass?
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

JellyFish wrote:
Ambush Commander wrote: Be careful. What if someone passes "../../../ect/passwd"?
What would they pass?
The real question is: Why wouldn't they? Some programmers make stupid mistakes. Some hackers exploit stupid mistakes. ;)
JellyFish
DevNet Resident
Posts: 1361
Joined: Tue Feb 14, 2006 7:18 pm
Location: San Diego, CA

Post by JellyFish »

superdezign wrote:
JellyFish wrote:
Ambush Commander wrote: Be careful. What if someone passes "../../../ect/passwd"?
What would they pass?
The real question is: Why wouldn't they? Some programmers make stupid mistakes. Some hackers exploit stupid mistakes. ;)
My question wasn't "why would they pass that"; my question is what it is that they would pass. "../../../ect/passwd" isn't really clear to me. Give me more of an example of what you're saying by saying "../../../ect/passwd". :)
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

?filename=../../../ect/passwd
JellyFish
DevNet Resident
Posts: 1361
Joined: Tue Feb 14, 2006 7:18 pm
Location: San Diego, CA

Post by JellyFish »

Jcart wrote: ?filename=../../../ect/passwd
What would that do?
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

It's a contrived example, because usually PHP scripts do not have root rights, but what it would essentially do is output the contents of the Unix password file; consequently the data could be used to crack the shell passwords, etc.

In general, not checking that $filename == basename($filename) means that a user can break out of the directory and read an arbitrary file on your server.
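As an added example (this is not code from JellyFish or any other poster in the thread), the snippet below puts together the two points raised so far: Weirdan's advice to read the file in a loop with fread() instead of a single fgets(), and Ambush Commander's check that the requested name equals its basename() so the request cannot leave the video directory. The directory path is taken from JellyFish's first snippet; the .flv extension whitelist, the function names and the 8 KB chunk size are assumptions made for this example.

```php
<?php
// Added example (not the thread's code): serve one video from a fixed
// directory, rejecting any request that is not a plain file name inside it,
// and stream it in chunks instead of with one fgets().

// Assumed values for this example: the directory JellyFish used, and the
// only extension this endpoint is meant to serve.
const VIDEO_DIR   = '/home/content/html/chart-room/videos';
const ALLOWED_EXT = ['flv'];

/**
 * Return the absolute path of the requested video, or null when the request
 * is not a bare file name that resolves to a regular file inside VIDEO_DIR.
 */
function resolve_video_path(string $requested, string $dir = VIDEO_DIR): ?string
{
    // 1. basename() strips every directory component, so "../x" or "sub/x"
    //    differ from their basename and are rejected; this is Ambush
    //    Commander's $filename == basename($filename) test.
    if ($requested === '' || $requested !== basename($requested)) {
        return null;
    }

    // 2. Only serve the file type this endpoint exists for.
    $ext = strtolower(pathinfo($requested, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }

    // 3. Resolve symlinks and confirm the real path is still under the real
    //    directory; basename() alone cannot catch a symlink that points out.
    $base = realpath($dir);
    $path = realpath($dir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

/**
 * Stream a file to the client in fixed-size chunks and return the number of
 * bytes sent. fread() in a loop sends the whole file; a single fgets() stops
 * at the first newline byte, which is why the FLV came out truncated.
 */
function stream_file(string $path, int $chunk = 8192): int
{
    $fh = fopen($path, 'rb');
    if ($fh === false) {
        return 0;
    }
    $sent = 0;
    while (!feof($fh)) {
        $buf = fread($fh, $chunk);
        if ($buf === false || $buf === '') {
            break;
        }
        echo $buf;
        $sent += strlen($buf);
        flush();
    }
    fclose($fh);
    return $sent;
}

// Request handling: anything that fails the checks gets a plain 404 rather
// than an error message that reveals paths.
$path = resolve_video_path($_GET['filename'] ?? '');
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}
header('Content-Type: video/x-flv');
header('Content-Length: ' . filesize($path));
stream_file($path);
```

With this in place, `?filename=intro.flv` serves `/home/content/html/chart-room/videos/intro.flv`, while any value containing a slash or `..` fails the basename() comparison and gets a 404 before fopen() is ever called. The Content-Length header is what lets a player treat the response like a static file; fpassthru() would do the same job as the fread() loop, the loop just makes it explicit where the bytes go and lets you flush as you send.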
JellyFish
DevNet Resident
Posts: 1361
Joined: Tue Feb 14, 2006 7:18 pm
Location: San Diego, CA

Post by JellyFish »

Ambush Commander wrote: It's a contrived example, because usually PHP scripts do not have root rights, but what it would essentially do is output the contents of the Unix password file; consequently the data could be used to crack the shell passwords, etc.
What are root rights, and what is the Unix password file? What is "cracking the shell passwords"?
Ambush Commander wrote: In general, not checking that $filename == basename($filename) means that a user can break out of the directory and read an arbitrary file on your server.
Break out of which directory? What's an arbitrary file on my server?

I'm being specific on which things I don't know, I have a lot to learn (of which I like learning). :)