37 lines
1.0 KiB
Plaintext
37 lines
1.0 KiB
Plaintext
User provided data such as URL parameters, POST data payloads or cookies should always be considered untrusted and tainted. Constructing include statements based on data supplied by the user could enable an attacker to control which files are included. If the attacker has the ability to upload files to the system, then arbitrary code could be executed. This could enable a wide range of serious attacks like accessing/modifying sensitive information or gain full system access.
|
|
|
|
|
|
The mitigation strategy should be based on whitelisting of allowed values or casting to safe types.
|
|
|
|
|
|
== Noncompliant Code Example
|
|
|
|
----
|
|
$filename = $_GET["filename"];
|
|
include $filename . ".php";
|
|
----
|
|
|
|
|
|
== Compliant Solution
|
|
|
|
----
|
|
$filename = $_GET["filename"];
|
|
if (in_array($filename, $whitelist)) {
|
|
include $filename . ".php";
|
|
}
|
|
----
|
|
|
|
include::see.adoc[]
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::message.adoc[]
|
|
|
|
include::highlighting.adoc[]
|
|
|
|
endif::env-github,rspecator-view[]
|