Newsgroups: php.internals
Xref: news.php.net php.internals:11543
Message-ID: <4102862B.9000107@php.net>
Date: Sat, 24 Jul 2004 17:54:19 +0200
From: sesser@php.net (Stefan Esser)
To: Christian Schneider, internals@lists.php.net
References: <5.1.0.14.2.20040724003444.034ea690@127.0.0.1> <41027EA5.2000007@php.net> <4102834F.9080707@cschneid.com>
In-Reply-To: <4102834F.9080707@cschneid.com>
Subject: Re: [PHP-DEV] Everyone on the road?

Christian Schneider wrote:
>> example: include "./foo/bar/index.php/../../../../../../etc/passwd";
> This is a completely legal unix path as .. in / is / again. And from a
> security point of view I'd say the only thing you gain by disallowing
> this is that the number of .. in the path has to be guessed (pretty
> easily) by the attacker.

This is not a legal unix path, because index.php is a file and not a directory.

And to understand the security impact:

include "./foo/bar/template_".$userinput;

By setting $userinput to "validtemplate.php/../../../../etc/passwd" you get to the /etc/passwd file, although the path is completely illegal.

Stefan
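As an added illustration (not part of this thread and not PHP's own code), the following Python sketch contrasts the three behaviours at stake: a purely lexical normaliser that pops `..` straight past a file component, the kernel's ENOTDIR refusal when the raw path is opened, and a hardened template lookup that only accepts a bare filename. The directory layout, the secret file and every helper name are constructed for the demonstration.

```python
import errno
import os
import posixpath
import re
import tempfile

# Everything here is a constructed demonstration; names are assumptions.

def lexical_include_path(base, userinput):
    """Pure string normalisation: '..' pops the previous component even when
    that component is a regular file (the behaviour Stefan objects to)."""
    return posixpath.normpath(posixpath.join(base, "template_" + userinput))

def kernel_verdict(path):
    """What the filesystem itself says when asked to open the given path."""
    try:
        with open(path, "rb") as fh:
            return "opened:" + fh.read().decode()
    except OSError as exc:
        return errno.errorcode[exc.errno]  # ENOTDIR when '..' follows a file

_TEMPLATE_NAME = re.compile(r"^[A-Za-z0-9_-]+\.php$")

def safe_template_path(base, userinput):
    """Hardened lookup: accept a single filename only, then confirm the
    resolved path still lives directly inside the template directory."""
    if not _TEMPLATE_NAME.match(userinput):
        return None
    real_base = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(real_base, "template_" + userinput))
    if os.path.dirname(candidate) != real_base:
        return None
    return candidate

def demo():
    """Create foo/bar/template_validtemplate.php plus a secret three levels
    up, then compare lexical resolution, the kernel and the hardened check."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "foo", "bar")
    os.makedirs(base)
    with open(os.path.join(base, "template_validtemplate.php"), "w") as fh:
        fh.write("<?php // template ?>")
    with open(os.path.join(root, "secret.txt"), "w") as fh:
        fh.write("root:x:0:0")
    evil = "validtemplate.php/../../../secret.txt"
    lexical = lexical_include_path(base, evil)
    return {
        "lexical": lexical,                                   # .../secret.txt
        "via_lexical": kernel_verdict(lexical),               # opened:root:x:0:0
        "kernel": kernel_verdict(posixpath.join(base, "template_" + evil)),  # ENOTDIR
        "hardened": safe_template_path(base, evil),           # None
        "legit": safe_template_path(base, "validtemplate.php") is not None,
    }
```

Only the raw, un-normalised path reaches the kernel's ENOTDIR check; once a lexical normaliser has rewritten it, the open succeeds and the file outside the template directory is read.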