Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
I wanted to allow visitors of a page to click on an image to download that image, but a simple link only redirected their browser rather than displaying the download dialog, so I came up with this script:
That Wikipedia page says, "It is worth noting that although this is not a PHP specific problem, the PHP interpreter contains protection against this attack since version 4.4.2 and 5.1.2 [1]."
That makes it sound like I'm automagically protected... or do I still have to sanitize the string?
>and, even worse, allows the attacker to read arbitrary files from your server.
>Also it can be used to turn your script into a web proxy.
What if I check that the file starts with "./tmp" (the folder the files should be stored in) and contains only a single '.' character?
"From now on, all new PHP versions will no longer support multiple headers in the header() call and therefore all vulnerable applications will only be exploitable on hosts with old PHP versions." (php-security.org)
"This function [header()] now prevents more than one header to be sent at once as a protection against header injection attacks." (php.net)
Just so I get this straight, is there anything to worry about if an attacker can't send multiple headers by inserting a CRLF? (That is, if I'm running the latest version of PHP or remove them manually)
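What the quoted change covers and what it leaves open, as an added example that is not from this thread: since PHP 5.1.2, header() refuses a value that contains a newline (it emits a warning and sends nothing), so an attacker can no longer smuggle in a second header. The header is then simply dropped, though, and a filename carrying a path, a quote or other control characters still goes straight into the response. The sanitizer below (function names and the sample inputs are assumptions; it needs PHP 7 or later) strips all of that before the value reaches header(), so the result is safe on any PHP version rather than on the interpreter's goodwill.

```php
<?php
// Added example, not code from the thread. Makes an attacker-controlled
// filename safe for a quoted Content-Disposition parameter.

/**
 * Reduce $name to something safe to place inside filename="...".
 */
function safe_attachment_name(string $name): string
{
    // Keep only the last path component; the header must never carry a path.
    $name = basename(str_replace('\\', '/', $name));
    // Drop CR, LF, NUL and every other control character so the value can
    // neither end the header line nor start a new one.
    $name = preg_replace('/[\x00-\x1f\x7f]/', '', $name);
    // The value is sent inside double quotes, so neutralise the characters
    // that would terminate the quoted string early.
    $name = str_replace(['"', '\\'], '_', $name);
    if ($name === '' || $name === '.' || $name === '..') {
        $name = 'download';
    }
    return $name;
}

/**
 * Build the complete header line; pass the result to header().
 */
function content_disposition(string $name): string
{
    return 'Content-Disposition: attachment; filename="'
        . safe_attachment_name($name) . '"';
}

// Constructed inputs: a normal name and the attacks discussed above.
$samples = [
    'report.pdf',
    "report.pdf\r\nSet-Cookie: session=attacker",   // CRLF header injection
    '../../etc/passwd',                              // path inside the name
    'evil".txt',                                     // breaks out of the quotes
];
foreach ($samples as $s) {
    echo content_disposition($s), "\n";
}
```

Run it from the command line to see each header line as it would be sent; the CRLF sample collapses to a single, harmless header instead of two. If a browser needs non-ASCII filenames, add the RFC 5987 `filename*=` form alongside the quoted one rather than loosening the character filter.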
- The code for verifying where the file exists is flawed... Use the realpath function to determine where the file *really* lives...
- The filename in the header should not contain the path..
I think I must be incredibly dense, but I don't see the problem. Right now I'm testing on a windows box, so that's not a possibility, but anyways it shouldn't pass validation using my code since /etc/motd\x00 doesn't start with './tmp'...
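The two recommendations from the reply above, put into code as an added example (this is not the original poster's script). The containment check is done on the result of realpath(), not on the raw request string, so "./tmp/../../etc/motd" and NUL-byte tricks are rejected even though the string starts with "./tmp", and only the bare filename is placed in the header. The function names and the throwaway demo directory are assumptions; it needs PHP 7.1 or later.

```php
<?php
// Added example, not the script from the original post. Assumes PHP 7.1+.

/**
 * Resolve $requested (attacker-controlled) to an absolute path inside $baseDir.
 * Returns null unless the target is an existing regular file under $baseDir.
 */
function resolve_download(string $baseDir, string $requested): ?string
{
    // A NUL byte truncates the string inside the C functions behind the
    // filesystem calls; reject it explicitly instead of relying on the
    // interpreter's own protection.
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return null;
    }
    // Keep only the final path component: "..", leading slashes and any
    // "./tmp/..." prefix the client supplies are discarded before the
    // filesystem is touched.
    $name = basename(str_replace('\\', '/', $requested));
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    // realpath() follows symlinks and normalises the path; it returns false
    // when the file does not exist.
    $real = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Containment check on the *resolved* path, with a trailing separator so
    // that "/srv/tmp2/x" cannot satisfy a base of "/srv/tmp".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

/** Emit the download headers and body; only the bare filename goes in the header. */
function send_download(string $path): void
{
    // basename() already removed the path; strip control characters and quotes
    // so the value cannot break out of the quoted header parameter.
    $name = preg_replace('/[\x00-\x1f\x7f"\\\\]/', '_', basename($path));
    header('Content-Type: application/octet-stream');
    header('Content-Length: ' . filesize($path));
    header('Content-Disposition: attachment; filename="' . $name . '"');
    readfile($path);
}

// Constructed demonstration: a throwaway base directory holding one file.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dl_demo_' . getmypid();
mkdir($base);
file_put_contents($base . DIRECTORY_SEPARATOR . 'picture.jpg', 'not really a jpeg');

$requests = [
    'picture.jpg',              // legitimate request
    '../../../etc/passwd',      // classic traversal
    '/etc/motd',                // absolute path
    "/etc/motd\0.jpg",          // NUL-byte truncation attempt
    './tmp/../../etc/motd',     // starts with "./tmp" yet escapes it
];
foreach ($requests as $r) {
    $resolved = resolve_download($base, $r);
    printf("%-26s => %s\n", addcslashes($r, "\0..\37"), $resolved ?? 'REJECTED');
}

// In the real script: if ($resolved !== null) { send_download($resolved); }
unlink($base . DIRECTORY_SEPARATOR . 'picture.jpg');
rmdir($base);
```

Because realpath() follows symlinks, a link inside the download directory that points elsewhere on the disk resolves to its target and fails the prefix check, which is the behaviour you want; a plain string comparison on the requested name would have let it through. The prefix check is also what keeps a misconfigured base such as "/srv/tmp" from accidentally exposing "/srv/tmp2".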