Second set of eyes for sterilizing PHP
- alex.barylski
- DevNet Evangelist
- Posts: 6267
- Joined: Tue Dec 21, 2004 5:00 pm
- Location: Winnipeg
Second set of eyes for sterilizing PHP
I'm allowing a user to upload HTML files to a server...nothing more, nothing less.
I don't want them to embed PHP script in the HTML inadvertently or deliberately, so when I upload the file I str_replace the instances of
<? or <% with <
Is this sufficient for preventing the execution of PHP script?
I know there are far better/robust ways of solving the issue, like using a proxy script, disabling PHP execution, etc...but there are reasons I have used this "hack" approach. One being there are already PHP files in the directory he is uploading to, so disabling PHP is not an option.
I just want to sanitize an HTML file and prevent any kind of execution directly from it...will the above suffice?
Cheers,
Alex
Re: Second set of eyes for sterilizing PHP
1. Don't forget the other open tag:
Code: Select all
<script language="PHP">
Also, str_replace should be used in a loop (remember?). Better show some code.
2. HTML upload = XSS. Make sure you know how that affects you.
3. Uploads should go in another folder with PHP engine disabled.
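As an added illustration (not code posted in this thread), here is the opening post's single str_replace pass next to the looped replacement from point 1, with the `<script language="php">` form included; function names are mine and the sample input is constructed.

```php
<?php
// Added example, not from the thread. The <% and <script language="php">
// open tags were removed in PHP 7.0, so the extra patterns only matter on the
// PHP 5 setups this thread is about; the loop logic applies either way.

// The single pass exactly as described in the opening post.
function strip_once($html)
{
    return str_replace(array('<?', '<%'), '<', $html);
}

// Repeat the replacement until the text stops changing, so that characters
// left behind by one pass can never join up into a fresh open tag.
function strip_php_tags($html)
{
    $patterns = array(
        '/<\?/',                                           // <?php, <?=, short <?
        '/<%/',                                            // ASP-style (asp_tags=On)
        '/<script\s+language\s*=\s*["\']?php["\']?\s*>/i', // <script language="php">
    );
    do {
        $before = $html;
        $html = preg_replace($patterns, '<', $html);
    } while ($html !== $before);
    return $html;
}

// Post-condition check to run on the bytes that are actually written to disk.
function contains_open_tag($html)
{
    return (bool) preg_match('/<\?|<%|<script\s+language\s*=\s*["\']?php/i', $html);
}

// Constructed sample: overlapping delimiters plus the script-tag form, in mixed case.
$sample = "<p>hi</p><<??php echo 1; ?><SCRIPT Language='php'>echo 2;</script>";

// Run the same check against both sanitizers and compare.
var_dump(contains_open_tag(strip_once($sample)));
var_dump(contains_open_tag(strip_php_tags($sample)));
```

The check is the part worth keeping even if the replacement strategy changes: refuse the upload when it still finds an open tag rather than trusting the rewrite.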
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: Second set of eyes for sterilizing PHP
Are these HTML files being uploaded as .php or .html?
- alex.barylski
- DevNet Evangelist
- Posts: 6267
- Joined: Tue Dec 21, 2004 5:00 pm
- Location: Winnipeg
Re: Second set of eyes for sterilizing PHP
Bah...forgot about that. Good call
Code: Select all
<script language="PHP">
Can I disable that in the PHP ini?
http://www.php.net/~derick/meeting-note ... dd-php-var
Looks pretty old but I would prefer to just disable everything but the standard PHP open tag...I've done a quick Google but cannot find the setting, if it even exists.
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: Second set of eyes for sterilizing PHP
PCSpectra wrote:
Bah...forgot about that. Good call
Can I disable that in the PHP ini?
There is no setting to disable it as far as I know.
- alex.barylski
- DevNet Evangelist
- Posts: 6267
- Joined: Tue Dec 21, 2004 5:00 pm
- Location: Winnipeg
Re: Second set of eyes for sterilizing PHP
I have searched high and dry and couldn't find squat but discovered a much better solution to circumvent any possible security issues.
- Ambush Commander
- DevNet Master
- Posts: 3698
- Joined: Mon Oct 25, 2004 9:29 pm
- Location: New Jersey, US
Re: Second set of eyes for sterilizing PHP
Two questions:
1. What file extensions are you allowing users to upload the files as?
2. Why is the PHP interpreter running on HTML files?
Re: Second set of eyes for sterilizing PHP
My take on the whole part of sterilizing uploaded files, have the following in an htaccess-file in the upload-directory:
Code: Select all
php_flag engine off
If you do not intend to include content via require/include that the users upload shouldn't be able to parse, right?
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: Second set of eyes for sterilizing PHP
j4IzbInao wrote:
My take on the whole part of sterilizing uploaded files, have the following in an htaccess-file in the upload-directory: php_flag engine off
The OP said he has PHP files in the same directory so disabling the PHP engine is no answer.
Again, are the files .html or .php, have you set PHP to parse .html files too?
Re: Second set of eyes for sterilizing PHP
kaisellgren wrote:
The OP said he has PHP files in the same directory so disabling the PHP engine is no answer.
Oh, my mistake, missed that one. But I can't think of a reason that you MUST have the ability to parse php in a directory where you upload data, why not simply build around the problem and disable php for that single directory? It might be a pain in the arse to do but it seems in my eyes the best way to do things.
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: Second set of eyes for sterilizing PHP
j4IzbInao wrote:
But I can't think of a reason that you MUST have the ability to parse php in a directory where you upload data, why not simply build around the problem and disable php for that single directory?
Yea I agree. I have no idea why he needs those .php files to be in that same directory.