
Archived

This topic is now archived and is closed to further replies.

BrockleyJohn

Cleaning a passed filename?


Perhaps I'm being paranoid, but it bears thinking about.

The context is an ajax handler, called from several admin pages and running in the admin directory so hopefully password-protected, and beginning with an inclusion of application_top. With the current file structures it seemed sensible to load the language file of the page sending the request, but it didn't seem a good idea to open up the script to including an arbitrary file. I think this will restrict it to opening a file from the language directory, but can it be improved?

// basename() drops any directory component, so only a bare filename
// under the current language directory can ever be included
if (isset($_POST['pagename']) && file_exists(DIR_WS_LANGUAGES . $language . '/' . basename($_POST['pagename']))) {
    include(DIR_WS_LANGUAGES . $language . '/' . basename($_POST['pagename']));
}

It matters since the code is intended for public release.

 


For a new install or if your store isn't mobile-friendly, get the community-supported responsive osCommerce (2.3.4.1 CE).

here: https://github.com/gburton/Responsive-osCommerce/releases

Working on generalising bespoke solutions for Quickbooks integration, Easify integration and pay4later (DEKO) integration at 2.3.x


Always clean the input values before using them. Something like this:

$pagename = filter_input ( INPUT_POST, $_POST['pagename'], FILTER_SANITIZE_URL );

And then use $pagename in place of the POST variable everywhere in your code.

 

Regards

Jim


See my profile for a list of my addons and ways to get support.


Thanks Jim, that's a function I don't remember using; I see it's been around since php 5.2 but I guess I've still been in the dark ages.

 

It doesn't appear in the osc codebase, even in versions that require 5.3+.




It's not in osC but probably should be. In any case, it's a good way to clean variables and has many options to get specific to the type of variable.

 

Regards

Jim




Yes, I agree, that's why I raised the question.

 

For others' reference, it turns out the proper syntax is

  $pagename = filter_input ( INPUT_POST, 'pagename', FILTER_SANITIZE_URL );


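The thread asks whether basename() alone is enough to stop the ajax handler from including an arbitrary file, and suggests filter_input() with FILTER_SANITIZE_URL as a general clean-up. The following is an added example, not code from the thread or from the osCommerce codebase, showing how a practitioner would combine the two ideas with an allow-list and a realpath() check. It assumes, as the original post does, that DIR_WS_LANGUAGES and $language are already defined by application_top; the define() and assignment at the top are stand-ins for that and the helper name resolve_language_file() is invented here.

```php
<?php
// Added example; not part of the thread or of osCommerce.
// Stand-ins for values application_top normally provides (assumed):
define('DIR_WS_LANGUAGES', __DIR__ . '/includes/languages/');
$language = 'english';

/**
 * Return the absolute path of an admin language file that may be included,
 * or null if the request must be refused. Three independent checks:
 *   1. the requested value must look like a plain "name.php" filename
 *      (no separators, no "..", no NUL bytes, no stream wrappers);
 *   2. it must be one of the .php files that actually exist in the
 *      language directory (an allow-list built from the directory itself);
 *   3. the resolved real path must still sit under that directory.
 */
function resolve_language_file($language, $requested)
{
    // $_POST values can be arrays (pagename[]=x); refuse anything but strings.
    if (!is_string($requested) || !is_string($language)) {
        return null;
    }
    // $language normally comes from the session, but it is part of the
    // path too, so constrain it to a simple directory name.
    if (!preg_match('/^[a-z0-9_]+$/i', $language)) {
        return null;
    }
    // Reject anything that is not a simple filename before touching the filesystem.
    if (!preg_match('/^[a-z0-9_-]+\.php$/i', $requested)) {
        return null;
    }

    $dir = realpath(DIR_WS_LANGUAGES . $language);
    if ($dir === false || !is_dir($dir)) {
        return null;
    }

    // Allow-list: only filenames present in the directory listing qualify.
    $entries = scandir($dir);
    if ($entries === false) {
        return null;
    }
    $allowed = array_filter($entries, function ($f) {
        return substr($f, -4) === '.php';
    });
    if (!in_array($requested, $allowed, true)) {
        return null;
    }

    // Defence in depth: after symlink resolution the file must still be
    // inside the language directory.
    $path = realpath($dir . DIRECTORY_SEPARATOR . $requested);
    if ($path === false || strpos($path, $dir . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Usage in the ajax handler, in place of the include from the original post.
$pagename = isset($_POST['pagename']) ? $_POST['pagename'] : null;
$file = resolve_language_file($language, $pagename);
if ($file !== null) {
    include($file);
}

// Why sanitising alone does not settle the question: FILTER_SANITIZE_URL
// only removes characters that are illegal in a URL, and '.', '/' and ':'
// are all legal, so a traversal-shaped string passes through it unchanged.
$sanitised = filter_var('../not_a_language_file.php', FILTER_SANITIZE_URL);
$unchanged = ($sanitised === '../not_a_language_file.php');
```

The allow-list is the check that carries the weight: whatever the client sends, the only files that can be included are those already sitting in the language directory, and the regular expression and realpath() comparison are there to fail early and to catch symlinks. The last two lines illustrate the caveat a reviewer would raise about FILTER_SANITIZE_URL: it is a character filter, not a path check, so it should be treated as input normalisation rather than as the control that restricts which file is opened.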
