Re: [PHP] Security check

Posted by Andy Pieters on 06/01/05 23:39

On Wednesday 01 June 2005 22:33, you wrote:
>
> > elseif(count($_POST)>0)
> > foreach($_POST as $key=>$value)
> > if( ($key!=='login') && ($key!=='name') && ($key!=='pass') )
> > $hiddens.=<<<_hid_
> > <input type="hidden" name="$key" value="$value">\n\t
> > _hid_;
>
> But what happened here? Why do you assume POST data is safe?

You're right, it isn't. Thanks!

>
> > if( (array_key_exists('savereferer',$_GET)) &&
> > ($_GET['savereferer']=='yes'))
> > {safeReferer($ref,$chksum);
> > $hiddens.=<<<_ref_
> > <input type="hidden" name="referer" value="$ref">\t
> > \t<input type="hidden" name="checksum" value="$chksum">
> > _ref_;
> > }
>
> I don't see where $ref comes from. I am assuming it somehow trickles
> down from HTTP_REFERER? If so, did you clean it?

Here is the function safeReferer:

function safeReferer(&$referer, &$checksum, $default = PAGE_PAGESTORE)
{
    # Small piece of code to safely include referers in HTML code:
    # + get the referer and save it in the form together with a digest code
    #   computed over the referer plus some noise
    # + on request, verify it by adding the noise to the submitted referer
    #   and recalculating the digest code
    # + if it does not match, use the standard page as referer

    # URL-encode first, then escape, so the value can sit inside an attribute
    $referer = isset($_SERVER['HTTP_REFERER'])
        ? htmlspecialchars(urlencode($_SERVER['HTTP_REFERER']))
        : '';

    if ($referer == '')
        $referer = $default;
    $checksum = makeCheckSum($referer);

    # Pick up a referer/checksum pair submitted with the previous request, if any
    $req_ref = $req_chk = null;
    if (!empty($_POST['referer']) && !empty($_POST['checksum'])) {
        $req_ref = $_POST['referer'];
        $req_chk = $_POST['checksum'];
    } elseif (!empty($_GET['referer']) && !empty($_GET['checksum'])) {
        # parameters passed urlencoded are automatically decoded by PHP,
        # so re-encode to get back the form the checksum was computed over
        $req_ref = urlencode($_GET['referer']);
        $req_chk = $_GET['checksum'];
    }

    if (!is_null($req_ref)) {
        # strict comparison: PHP's == treats numeric-looking strings as numbers
        if (makeCheckSum($req_ref) === $req_chk) {
            $referer = $req_ref;
            $checksum = $req_chk;
        } else {
            # digest does not match: fall back to the default page
            $referer = urlencode($default);
            $checksum = makeCheckSum($referer);
        }
    }
    return urldecode($referer);
}

function makeCheckSum($input)
{
    # fixed secret "noise" appended to the input before hashing
    $noise = "+++some'(-546%noise#*";
    $checksum = sha1(md5("$input$noise"));
    return $checksum;
}


Thank you

With kind regards


Andy
--
Registered Linux User Number 379093
-- --BEGIN GEEK CODE BLOCK-----
Version: 3.1
GAT/O/>E$ d-(---)>+ s:(+)>: a--(-)>? C++++$(+++) UL++++>++++$ P-(+)>++
L+++>++++$ E---(-)@ W+++>+++$ !N@ o? !K? W--(---) !O !M- V-- PS++(+++)
PE--(-) Y+ PGP++(+++) t+(++) 5-- X++ R*(+)@ !tv b-() DI(+) D+(+++) G(+)
e>++++$@ h++(*) r-->++ y--()>++++
-- ---END GEEK CODE BLOCK------
--
Check out these few php utilities that I released
under the GPL2 and that are meant for use with a
php cli binary:

http://www.vlaamse-kern.com/sas/
--

--
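The two points raised in the thread, the unescaped `$_POST` pass-through and the unchecked referer, are shown together below in a hardened form. This is an example added by the editor, not code from Andy's post or from his utilities: the digest is keyed with `hash_hmac` and a secret (`REFERER_SECRET`, an assumed per-deployment constant), compared with `hash_equals`, the referer is accepted only when it points at the site's own host (`$ownHost`), and every hidden-field name and value is escaped on output. The helpers `normaliseReferer`, `safeRefererHardened` and `renderHiddenFields`, the value of `PAGE_PAGESTORE`, and the sample request at the bottom are all assumptions made for the example.

```php
<?php
// Editor's example, not from the original post.
// Assumptions: REFERER_SECRET is a random per-deployment secret kept out of the
// web root; PAGE_PAGESTORE is the default page, as in the post.
const REFERER_SECRET = 'replace-with-output-of-bin2hex(random_bytes(32))';
const PAGE_PAGESTORE = '/pagestore.php';

// Keyed digest over the referer: HMAC with a secret instead of sha1(md5($input . $noise)).
function refererDigest(string $referer): string
{
    return hash_hmac('sha256', $referer, REFERER_SECRET);
}

// Accept only relative paths or http(s) URLs on our own host; everything else
// (off-site URLs, javascript:/data: schemes, empty or oversized values) becomes $default.
function normaliseReferer(string $candidate, string $ownHost, string $default): string
{
    if ($candidate === '' || strlen($candidate) > 2048) {
        return $default;
    }
    $parts = parse_url($candidate);
    if ($parts === false) {
        return $default;
    }
    if (isset($parts['scheme']) || isset($parts['host'])) {
        $scheme = strtolower($parts['scheme'] ?? '');
        if (!in_array($scheme, ['http', 'https'], true)) {
            return $default;
        }
        if (strtolower($parts['host'] ?? '') !== strtolower($ownHost)) {
            return $default;
        }
    }
    // Rebuild as a site-relative path so no scheme or host ever reaches the form.
    $path = $parts['path'] ?? '/';
    if ($path === '' || $path[0] !== '/') {
        return $default;
    }
    return $path . (isset($parts['query']) ? '?' . $parts['query'] : '');
}

// Same contract as the post's safeReferer(): fill $referer/$checksum from the
// submitted pair when its digest verifies, otherwise from the current request.
function safeRefererHardened(array $server, array $request, string $ownHost,
                             &$referer, &$checksum, string $default = PAGE_PAGESTORE): void
{
    $submittedRef = $request['referer'] ?? '';
    $submittedChk = $request['checksum'] ?? '';
    if (!is_string($submittedRef) || !is_string($submittedChk)) {
        $submittedRef = $submittedChk = '';
    }

    if ($submittedRef !== '' && $submittedChk !== ''
        && hash_equals(refererDigest($submittedRef), $submittedChk)) {
        // Verified round trip: keep the referer the form was originally issued with.
        $referer = $submittedRef;
    } else {
        // First visit, or a tampered pair: take the browser's Referer, but only if on-site.
        $referer = normaliseReferer((string) ($server['HTTP_REFERER'] ?? ''), $ownHost, $default);
    }
    $checksum = refererDigest($referer);
}

// Escape both the name and the value of every hidden field. The post's loop
// interpolated $key and $value into the attribute unescaped.
function renderHiddenFields(array $fields, array $skip = ['login', 'name', 'pass']): string
{
    $html = '';
    foreach ($fields as $key => $value) {
        if (in_array($key, $skip, true) || !is_string($value)) {
            continue;
        }
        $html .= sprintf("<input type=\"hidden\" name=\"%s\" value=\"%s\">\n",
            htmlspecialchars((string) $key, ENT_QUOTES, 'UTF-8'),
            htmlspecialchars($value, ENT_QUOTES, 'UTF-8'));
    }
    return $html;
}

// Constructed sample request (not captured traffic): an off-site Referer and a
// POST body that tries to smuggle markup through a pass-through field.
$server  = ['HTTP_REFERER' => 'https://evil.example/steal?x=1'];
$request = ['page' => '"><script>alert(1)</script>', 'login' => 'bob'];

$ref = '';
$chk = '';
safeRefererHardened($server, $request, 'www.example.com', $ref, $chk);
$hidden  = renderHiddenFields($request);
$hidden .= renderHiddenFields(['referer' => $ref, 'checksum' => $chk]);
echo $hidden;
```

With the constructed request above, the off-site Referer fails the host check and is replaced by the default page, the `login` field is dropped by the skip list, and the markup in `page` reaches the hidden field only in its escaped form. The checksum round trip still works as in the post: the pair emitted here verifies on the next request, while a referer edited by the client fails `hash_equals` and falls back to the default.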

 
