[thelist] style switcher in php?

Lachlan Cannon luminosity at members.evolt.org
Sat Oct 26 20:36:01 CDT 2002


David U. wrote:
> Lachlan Cannon wrote:
>
>>Geoff Sheridan wrote:
>>
>>>[1]The insecure way:
>>><link href="<?=$user_value?>" type="text/css">
>>>where you expect $user_value to be "fluffy.css" but may be
>>>"../../../passwd.ht"
>>
>>I don't see how this is any different, apart from requiring one more
>>level of .. than the other, and as long as the ? works like I'd think
>>it would,
>
>
> The ? is part of the PHP closing tag.

No, the ? in the user submitted value. The user submits
"../../password.pw?"thus making the file request read
"/style/../../password.pw?.css".


>>but then I realised it'd be a pointless hack anyway, since
>>the user's browser would try querying the webserver for the file, and
>>the web server would deny it.
>
>
> Maybe, maybe not.

It would, because the link tag would be pointing below the allowed
publicly accessible file. It'd print out <link rel="stylesheet"
href="http://mysite.com/style/../../password.pw?.css"> which any
webserver worth running wouldn't allow, otherwise there'd be no need for
the link tag, you could just type that address straight into your browser.

>>Now if the $user_value was being
>>included, that'd be different.
>
>
> I think you're either a bit confused or unclear because you've completely
> confused me in that statement. :-)

If instead of printing otu a href value in a link tag, he was using
include('/something/'.$user_value.'.css'); you'd want some more
strenuous checking. Any clearer?
--
Lach
__________________________________________
Web: http://illuminosity.net/
E-mail: lach @ illuminosity.net
MSN: luminosity @ members.evolt.org
__________________________________________





More information about the thelist mailing list