authorrajatsharma94 <rajat.shrma94@gmail.com>2015-07-20 19:19:56 +0200
committerrajatsharma94 <rajat.shrma94@gmail.com>2015-07-20 19:19:56 +0200
commit78e1b70e35b45455728e4126ed1b19d6332ad26b (patch)
tree082167986d5cfe0e42d13414c3db0ad603eb8495 /system/helpers/path_helper.php
parent08b9f20df1c108be5c1ab8b32c0fcbed31a079b3 (diff)
Failed security check
The implemented security check to make sure the path is NOT a URL can easily be bypassed (it gives a false negative) for all subdomains. E.g. "subdomain.domain.com" should ideally show an error, but it does not. The new security check tries to make an fsockopen connection to validate whether the URL is external or not.
Diffstat (limited to 'system/helpers/path_helper.php')
-rw-r--r--system/helpers/path_helper.php3
1 files changed, 1 insertions, 2 deletions
diff --git a/system/helpers/path_helper.php b/system/helpers/path_helper.php
index 34eebc4b0..019e220f3 100644
--- a/system/helpers/path_helper.php
+++ b/system/helpers/path_helper.php
@@ -61,8 +61,7 @@ if ( ! function_exists('set_realpath'))
function set_realpath($path, $check_existance = FALSE)
{
// Security check to make sure the path is NOT a URL. No remote file inclusion!
- // PROBLEM HERE - this can be easily bypassed in case of subdomains
- if (preg_match('#^(http:\/\/|https:\/\/|www\.|ftp|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})#i', $path))
+ if (preg_match('#^(http:\/\/|https:\/\/|www\.|ftp|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})#i', $path) || ( function_exists('fsockopen') && @fsockopen($path, 80, $errno, $errstr, 30)))
{
show_error('The path you submitted must be a local server path, not a URL');
}
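Review bot: The added `@fsockopen($path, 80, $errno, $errstr, 30)` clause turns path validation into an outbound connection attempt to whatever string the caller passes, so each call can trigger a DNS lookup and a TCP connect to a caller-influenced host, block the request for up to 30 seconds, and leave the returned socket unclosed. It also decides by reachability rather than by form: a remote host that is down or not listening on port 80 still passes, a relative path whose name happens to resolve as a hostname is rejected, and `@` hides any diagnostic. I would drop the network probe and keep the check local, for example by rejecting anything `realpath($path)` cannot resolve (`if (realpath($path) === FALSE) { show_error(...); }`) and, where a base directory is known, requiring the resolved path to sit under it. The body of `set_realpath` continues past this hunk, so confirm how that fits with the existing `$check_existance` handling.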