if(!substr_count($__script, '.php') && isset($_GET['nostringreply']))
die("can only request return of resource from a php script");
This is NOT GOOD! It allows the script to read from "exploit.php.sh", for instance. IIRC it's also possible to include a remote file by using http or ftp, so checking for ".php" in the script name is no security at all.
----
Manual Page -- http://www.php.net/manual/en/function.ob-get-contents.php
Note Submitter: sybren@no-spam
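The two failure modes the note points out (a ".php" substring anywhere in the name, and URL wrappers) can be shown side by side. The following is an added PHP example, not code from the note above, from the note it criticises, or from the PHP manual; `$__script` and the "nostringreply" switch are taken from the criticised snippet, and the allowed base directory is an assumption made here for illustration.

```php
<?php
// Added example. The weak check mirrors the criticised note; the strict
// check and the allowed-directory rule are assumptions for this example.

// The check the note objects to: any name containing ".php" passes,
// including "exploit.php.sh" and "http://attacker.example/shell.php".
function weak_is_php_script(string $script): bool
{
    return substr_count($script, '.php') > 0;
}

// Hardened variant: the file must resolve to a real path inside one
// allowed directory and must end in exactly ".php". realpath() returns
// false for stream wrappers (http://, ftp://, php://) and for files that
// do not exist, and it collapses "../" segments before the prefix test.
function strict_is_php_script(string $script, string $baseDir): bool
{
    $base = realpath($baseDir);
    $real = realpath($script);
    if ($base === false || $real === false) {
        return false;                       // missing file, or a URL wrapper
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return false;                       // escaped the allowed directory
    }
    return substr($real, -4) === '.php';    // extension must be the final suffix
}

// Constructed inputs: two files are created in a temporary directory so
// the example runs offline, then removed again.
$dir = sys_get_temp_dir() . '/ob_example_' . getmypid();
mkdir($dir);
file_put_contents("$dir/page.php", "<?php echo 'hi';");
file_put_contents("$dir/exploit.php.sh", "#!/bin/sh\nid\n");

$cases = [
    "$dir/page.php",                                  // legitimate script
    "$dir/exploit.php.sh",                            // ".php" mid-name, passes weak check
    'http://attacker.example/shell.php',              // remote include, passes weak check
    "$dir/../" . basename($dir) . '/page.php',        // traversal that resolves back inside
    "$dir/../page.php",                               // traversal outside the directory
];

foreach ($cases as $c) {
    printf("%-70s weak=%s strict=%s\n", $c,
        weak_is_php_script($c) ? 'pass' : 'deny',
        strict_is_php_script($c, $dir) ? 'pass' : 'deny');
}

unlink("$dir/page.php");
unlink("$dir/exploit.php.sh");
rmdir($dir);
```

Only the first and fourth inputs pass the strict check; the weak check passes the first four, including the shell script and the remote URL. The prefix comparison is done on the realpath() result of both sides so that symlinked temp directories and "../" segments cannot defeat it.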