Second set of eyes for sterilizing PHP

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Second set of eyes for sterilizing PHP

Post by alex.barylski »

I'm allowing a user to upload HTML files to a server...nothing more, nothing less.

I don't want them to embed PHP script in the HTML inadvertently or deliberately, so when I upload the file I str_replace the instances of

<? or <% with <

Is this sufficient for preventing the execution of PHP script?

I know there are far better/robust ways of solving the issue, like using a proxy script, disabling PHP execution, etc...but there are reasons I have used this "hack" approach. One being there are already PHP files in the directory he is uploading to, so disabling PHP is not an option.

I just want to sanitize an HTML file and prevent any kind of execution directly from it...will the above suffice?

Cheers,
Alex
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Second set of eyes for sterilizing PHP

Post by Mordred »

1.

Code:

<script language="PHP"

Also, str_replace should be used in a loop (remember?). Better show some code.

2. HTML upload = XSS. Make sure you know how that affects you.

3. Uploads should go in another folder with PHP engine disabled.
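As an added illustration of the point in (1), not code from the thread: rather than trying to str_replace open tags out of the upload, ask PHP's own tokenizer whether it sees any open tag at all and reject the file if it does. This assumes the check runs under the same php.ini as the web server (so short_open_tag/asp_tags, and on PHP 5 the `<script language="php">` form, are recognised exactly as the serving engine would) and that the tokenizer extension is enabled.

```php
<?php
// Added example (not from the thread): reject an uploaded HTML file if PHP's
// tokenizer finds any PHP open tag in it. The tokenizer applies the same rules
// as the engine that would execute the file, so every tag variant the running
// configuration accepts is covered, which a hand-written str_replace is not.
// Assumption: same php.ini as the web server; ext/tokenizer available.

/**
 * Returns the PHP open tags found in $contents (with line numbers), or an
 * empty array if the tokenizer sees nothing but inline HTML.
 */
function find_php_open_tags(string $contents): array
{
    $found = [];
    foreach (token_get_all($contents) as $token) {
        // Single-character tokens come back as plain strings; skip them.
        if (!is_array($token)) {
            continue;
        }
        [$id, $text, $line] = $token;
        // T_OPEN_TAG covers <?php, <? and <%; T_OPEN_TAG_WITH_ECHO covers <?= and <%=.
        if ($id === T_OPEN_TAG || $id === T_OPEN_TAG_WITH_ECHO) {
            $found[] = ['line' => $line, 'tag' => trim($text)];
        }
    }
    return $found;
}

// Constructed sample upload: looks like HTML but carries an open tag on line 4.
$sample = "<html>\n<body>\n<p>Hello</p>\n<?php echo 'x'; ?>\n</body>\n</html>\n";

$hits = find_php_open_tags($sample);
if ($hits === []) {
    echo "clean: only inline HTML\n";
} else {
    foreach ($hits as $hit) {
        // Refuse the upload; do not try to repair it.
        printf("reject: PHP open tag %s at line %d\n", $hit['tag'], $hit['line']);
    }
}
```

Rejecting is safer than rewriting: a stripped file still has to be re-checked, and the tokenizer check only answers "would this engine execute anything here", so it belongs next to, not instead of, the separate upload directory with the engine disabled.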
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Second set of eyes for sterilizing PHP

Post by kaisellgren »

Are these HTML files being uploaded as .php or .html?
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: Second set of eyes for sterilizing PHP

Post by alex.barylski »

Code:

<script language="PHP"

Bah...forgot about that. Good call :)

Can I disable that in the PHP ini?

http://www.php.net/~derick/meeting-note ... dd-php-var

Looks pretty old but I would prefer to just disable everything but the standard PHP open tag...I've done a quick Google but cannot find the setting, if it even exists.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Second set of eyes for sterilizing PHP

Post by kaisellgren »

PCSpectra wrote:

Code:

<script language="PHP"

Bah...forgot about that. Good call :)

Can I disable that in the PHP ini?

http://www.php.net/~derick/meeting-note ... dd-php-var

Looks pretty old but I would prefer to just disable everything but the standard PHP open tag...I've done a quick Google but cannot find the setting, if it even exists.

There is no setting to disable it as far as I know.
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: Second set of eyes for sterilizing PHP

Post by alex.barylski »

I have searched high and dry and couldn't find squat but discovered a much better solution to circumvent any possible security issues.
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Re: Second set of eyes for sterilizing PHP

Post by Ambush Commander »

Two questions:

1. What file extensions are you allowing users to upload the files as?

2. Why is the PHP interpreter running on HTML files?
j4IzbInao
Forum Newbie
Posts: 9
Joined: Tue Oct 14, 2008 6:07 am

Re: Second set of eyes for sterilizing PHP

Post by j4IzbInao »

My take on the whole sterilizing-uploaded-files issue: have the following in an .htaccess file in the upload directory:

Code:

php_flag engine off

If you do not intend to include content via require/include, then what the users upload shouldn't be able to be parsed, right?
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Second set of eyes for sterilizing PHP

Post by kaisellgren »

j4IzbInao wrote: My take on the whole sterilizing-uploaded-files issue: have the following in an .htaccess file in the upload directory:

Code:

php_flag engine off

If you do not intend to include content via require/include, then what the users upload shouldn't be able to be parsed, right?

The OP said he has PHP files in the same directory so disabling the PHP engine is no answer.

Again, are the files .html or .php? Have you set PHP to parse .html files too?
j4IzbInao
Forum Newbie
Posts: 9
Joined: Tue Oct 14, 2008 6:07 am

Re: Second set of eyes for sterilizing PHP

Post by j4IzbInao »

kaisellgren wrote:
j4IzbInao wrote: My take on the whole sterilizing-uploaded-files issue: have the following in an .htaccess file in the upload directory:

Code:

php_flag engine off

If you do not intend to include content via require/include, then what the users upload shouldn't be able to be parsed, right?

The OP said he has PHP files in the same directory so disabling the PHP engine is no answer.

Again, are the files .html or .php? Have you set PHP to parse .html files too?

Oh, my mistake, missed that one. But I can't think of a reason that you MUST have the ability to parse PHP in a directory where you upload data, so why not simply build around the problem and disable PHP for that single directory? It might be a pain in the arse to do, but it seems in my eyes the best way to do things.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Second set of eyes for sterilizing PHP

Post by kaisellgren »

j4IzbInao wrote:
kaisellgren wrote:
j4IzbInao wrote: My take on the whole sterilizing-uploaded-files issue: have the following in an .htaccess file in the upload directory:

Code:

php_flag engine off

If you do not intend to include content via require/include, then what the users upload shouldn't be able to be parsed, right?

The OP said he has PHP files in the same directory so disabling the PHP engine is no answer.

Again, are the files .html or .php? Have you set PHP to parse .html files too?

Oh, my mistake, missed that one. But I can't think of a reason that you MUST have the ability to parse PHP in a directory where you upload data, so why not simply build around the problem and disable PHP for that single directory? It might be a pain in the arse to do, but it seems in my eyes the best way to do things.

Yeah, I agree. I have no idea why he needs those .php files to be in that same directory.