Posted by Rory Browne on 10/11/05 01:12
I'm not completely sure, but I think they're talking shite. If curl is
a security problem, then disable curl. They seem, from what you've
said, to be pretty irrational. I respect security paranoia, but this
is ridiculous.
You could try replacing every letter in the word curl with its &#xxx;
equivalent, but that might not work. You would also have to do it in
JS, although I think that any browser with the exception of lynx has
JS capabilities.
On 10/10/05, Charles Stuart <lists@enure.net> wrote:
> Hi,
>
> I'm on shared hosting. Because of security concerns on their part
> [1], every time the text "curl u" is inputted, a 403 forbidden is
> given and the form is not submitted. This is of course a problem as
> I'm doing work for a children's literacy program, and plenty of
> people try to input "curl up with a book".
>
> I'm trying to use 'str_replace' to solve this issue, but I can't seem
> to get around the 403 error.
>
> It appears as if the hosting service doesn't give me a chance to
> replace "curl u" with something else prior to them blocking the
> attempted submit.
>
> I can tell my str_replace is working as if I change the searched text
> to something other than "curl u" it does in fact replace it and
> submit it correctly.
>
> Anyone have any ideas for a workaround? My next thought is to use
> javascript, but I think the site serves quite a few people who might
> not have javascript on.
>
> Thanks for listening. Below is the PHP [2].
>
>
> best,
>
> Charles
>
>
> [2]
> // Grabbing the data from the form.
>
> if ($task == "updateInfo")
> {
>     $activityChallenges = cs_remove_curl_up(sanitize_paranoid_string($_POST["activityChallenges"]));
> }
>
>
>
> // change "curl u" to "EDIT kurl u"
>
> function cs_remove_curl_up($string, $min='', $max='')
> {
>     $string = str_replace("curl u", "EDIT kurl u", $string);
>     $len = strlen($string);
>     if ((($min != '') && ($len < $min)) || (($max != '') && ($len > $max)))
>         return FALSE;
>     return $string;
> }
>
>
>
> [1]
> My host told me this:
>
> "Mod_security is restricting this and blocks all URLs with C-url.
> This is done because of some php worms that are spread using c-url. I
> would recommend trying to work around this. It will be a major
> security issue for us to allow this."
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
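As the quoted message observes, the 403 is issued before the PHP script gets a chance to run, so the practical fix is tuning the rule on the host's side. The following is an added example, not part of the original thread and not the host's actual mod_security rule (which the thread never shows): a small false-positive regression check that runs two assumed patterns, `BROAD` and `NARROW`, over constructed form inputs.

```python
import re

# Assumed loose pattern that would produce the block reported in the thread
# ("curl u" in a form field -> 403). The host's real rule is not shown.
BROAD = re.compile(r"\bcurl\s+\S", re.IGNORECASE)

# Hypothetical narrower candidate: "curl" as a word, optional -x/--long options
# (each with at most one argument), then a URL with an explicit scheme.
NARROW = re.compile(
    r"\bcurl\b(?:\s+-{1,2}[A-Za-z][\w-]*(?:\s+[^\s-]\S*)?)*?"
    r"\s+['\"]?(?:https?|ftp)://",
    re.IGNORECASE,
)

# Constructed samples: (form text, should the rule block it?)
SAMPLES = [
    ("We curl up with a book every night.", False),
    ("Curl up and read at http://example.org/library", False),
    ("My daughter likes to curl up by the fire", False),
    ("curl http://example.invalid/a.txt", True),
    ("x; curl -s -o /tmp/a http://example.invalid/a.txt", True),
    ("CURL -O 'https://example.invalid/a.txt'", True),
]


def evaluate(pattern, samples):
    """Return (false_positives, false_negatives) for one pattern."""
    false_pos, false_neg = [], []
    for text, should_block in samples:
        blocked = pattern.search(text) is not None
        if blocked and not should_block:
            false_pos.append(text)
        elif should_block and not blocked:
            false_neg.append(text)
    return false_pos, false_neg


if __name__ == "__main__":
    for name, pat in (("broad", BROAD), ("narrow", NARROW)):
        fp, fn = evaluate(pat, SAMPLES)
        print(f"{name}: {len(fp)} false positives, {len(fn)} false negatives")
        for text in fp:
            print("  FP:", text)
        for text in fn:
            print("  FN:", text)
```

Growing `SAMPLES` with real benign submissions from the site's forms gives the host a concrete list to check any rule change against before deploying it.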