Load view from url, dangerous ?
#1

[eluser]Référencement Google[/eluser]
Hi there,

I was doing something today and was wondering how this would be dangerous, or potentially dangerous. The thing is a page controller which will load a view passed as the second segment of the URL, the code:
Code:
public function _remap($page = false)
{
    $this->load->view('pages/'.$page);
}

Of course I saw that CI does a file_exists() in its view loading, which makes it secure, but do you, security experts, see a potential problem here?
#2

[eluser]Kip zonder Kop[/eluser]
I'm no security expert at all but I played with the code. I think the answer is: it depends on what you have in your "pages" directory (in this case). If you have view files there that contain PHP code that is executed when the view is loaded, it can now be executed by manipulating a URL (by agents who are aware of this). It might not be a problem but it might as well be a problem. I would say: don't do it.
#3

[eluser]Référencement Google[/eluser]
That is a good point that you are making here. I have to think now how I should manage hundreds of pages and still be sure of the security. Maybe I should add a constant at the top of the allowed views and check that constant's value in the controller. Another possibility I can see here is adding into a config array the list of allowed page names, then checking it with a conditional if in_array(). Any better solution?
#4

[eluser]Craig A Rodway[/eluser]
[quote author="Too Pixel" date="1261268460"]Another possibility I can see here is adding into a config array the list of allowed pages name, then check it with a conditional if in_array(). Any better solution?[/quote]

That's definitely a better solution.

Other options include running a regular expression check over your $page variable to only allow letters and numbers, and doing an is_file() check on the resulting path. If any of these fail, then either show an error or redirect to the home page.
#5

[eluser]Référencement Google[/eluser]
So far I have now:
Code:
<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');

class Page extends MY_Controller {

    public $allowed_views = array('index', 'about'); // List of allowed pages
    
    /**
     * Page Constructor
     *
     * @access    public
     */
    public function __construct()
    {
        parent::__construct();
    }
    
    // --------------------------------------------------------------------

    /**
     * Remapping all requests
     *
     * @param     string    $page    The page name
     * @access    public
     */
    public function _remap($page = false)
    {
        // Let's make sure this page is allowed to be viewed
        if(in_array($page, $this->allowed_views, true))
        {
            $this->load->view('pages/'.$page);
        }
        else
        {
            show_404();
        }
    }
    
}

/* End of file page.php */
/* Location: ./application/controllers/page.php */
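Pulling the three checks from this thread together (the allow-list from the controller above, the regex and is_file() check from post #4, plus a realpath containment check), here is an added, standalone PHP example that is not from the original post and does not depend on CodeIgniter. The pages directory and the sample view files are constructed by the script itself.

```php
<?php
// Added example (not from the thread). Returns the absolute path of the view to
// load, or null when the request must be answered with show_404().
function resolve_page_view(string $page, array $allowed, string $viewDir): ?string
{
    // 1. Only letters, digits and underscores: rejects "..", "/", "." and NUL bytes
    if (!preg_match('/\A[a-z0-9_]{1,64}\z/i', $page)) {
        return null;
    }
    // 2. Explicit allow-list with strict comparison, as in the controller above
    if (!in_array($page, $allowed, true)) {
        return null;
    }
    // 3. Resolve both paths and confirm the file really lives inside the pages directory
    $base = realpath($viewDir);
    $file = realpath($viewDir . DIRECTORY_SEPARATOR . $page . '.php');
    if ($base === false || $file === false || !is_file($file)
        || strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $file;
}

// Constructed demo: a temporary "pages" directory (assumed location, adjust to your
// application/views/pages) holding two public views and one that is not allowed.
$dir = sys_get_temp_dir() . '/pages_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("$dir/index.php", '<h1>Home</h1>');
file_put_contents("$dir/about.php", '<h1>About</h1>');
file_put_contents("$dir/admin_only.php", '<h1>Admin</h1>'); // on disk, but not in the allow-list

$allowed = ['index', 'about'];
foreach (['index', 'about', 'admin_only', '../config', 'index.php', "index\0"] as $req) {
    $hit = resolve_page_view($req, $allowed, $dir);
    printf("%-12s => %s\n", addcslashes($req, "\0"),
        $hit === null ? 'show_404()' : 'load ' . basename($hit));
}

// Clean up the constructed files
foreach (glob("$dir/*.php") as $f) {
    unlink($f);
}
rmdir($dir);
```

Only "index" and "about" resolve to a file; the other four requests (including the view that exists on disk but is not in the allow-list) fall through to show_404().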
#6

[eluser]BrianDHall[/eluser]
One trick I use is read directory functionality. For an advertising banner solution I hacked out a solution like this:

I make a view folder, such as "ads".

I throw in a little segment in the name of each file, such that the name structure might be 1-ffffff-merchant_ad_or_whatever.php.

When mysite.com/controller/function/1/advertiser_in_question_or_whatever_because_I_use_this_for_SEO_only is called, I load up the names of all files in the directory. I loop through them and pick out the one that has a "1-" at the beginning, break out of the loop and then load that view.


So in your program you could actually just use a, say, viewable token in the name, like _p (for public) at the end. If page "admin_only" is requested, you search the name for "_p" - since admin_only does not contain that token, then it must not be for public view and you handle that accordingly.

The upside is you make the decision when you create the view if it should be dynamically loadable. The downside is it is harder to make something viewable later on, as you have to change the file name and that would of course break existing calls to that view.

It's a thought, anyway.


...hm, come to think of it, it would be a lot easier to just put all viewable files in a "views/public" folder. So if it's dynamically called you pull it out of the public folder. Scrub the requested folder variable to allow only letters, numbers, and underscores, and you are done.

Well, that's a hell of a lot easier, I think.
#7

[eluser]saidai jagan[/eluser]
Thanks Too Pixel. Seems to be a good idea...
#8

[eluser]Référencement Google[/eluser]
BrianDHall, your solution seems overkill for what I wanted to do; my goal was just to have a simple content text page loader.

BTW, thanks for explaining, it can be useful in some situations.
