Zend_Loader::_securityCheck...

James Dempster

Zend_Loader::_securityCheck...

Hi Devs

Can someone explain to me what _securityCheck in Zend_Loader does, why and to what advantage.

I feel like I'm missing the point on this one.

Thanks,
/James
Mauricio Cuenca-4

Re: Zend_Loader::_securityCheck...

This method, as its name says, checks for invalid characters in the file being loaded.

Characters like ?%&#() cannot be present in a file name, otherwise an exception will be thrown. The advantage is pretty clear in terms of security.

--
________________________
Mauricio Cuenca


On Fri, Nov 21, 2008 at 12:48 PM, James Dempster <[hidden email]> wrote:
> Hi Devs
>
> Can someone explain to me what _securityCheck in Zend_Loader does, why and to what advantage.
>
> I feel like I'm missing the point on this one.
>
> Thanks,
> /James



weierophinney

Re: Zend_Loader::_securityCheck...

In reply to this post by James Dempster
-- James Dempster <[hidden email]> wrote
(on Friday, 21 November 2008, 11:48 AM +0000):
> Can someone explain to me what _securityCheck in Zend_Loader does, why and to
> what advantage.
>
> I feel like I'm missing the point on this one.

As the docblock for the method clearly indicates, it is to "ensure that
filename does not contain exploits." If you look at the regexp, it's
making sure that the filename specified does not contain characters that
could potentially lead to an exploit. (There have been a number of
attack vectors provided in the past against include/require with
malformed filenames.)

--
Matthew Weier O'Phinney
Software Architect       | [hidden email]
Zend Framework           | http://framework.zend.com/
James Dempster

Re: Zend_Loader::_securityCheck...

On Fri, Nov 21, 2008 at 12:42 PM, Matthew Weier O'Phinney <[hidden email]> wrote:
> -- James Dempster <[hidden email]> wrote
> (on Friday, 21 November 2008, 11:48 AM +0000):
> > Can someone explain to me what _securityCheck in Zend_Loader does, why and to
> > what advantage.
> >
> > I feel like I'm missing the point on this one.
>
> As the docblock for the method clearly indicates, it is to "ensure that
> filename does not contain exploits." If you look at the regexp, it's
> making sure that the filename specified does not contain characters that
> could potentially lead to an exploit. (There have been a number of
> attack vectors provided in the past against include/require with
> malformed filenames.)

It did seem pretty obvious but I can't think of any exploits that could be done via an include on a filename. Do you have any examples?

/James
weierophinney

Re: Zend_Loader::_securityCheck...

-- James Dempster <[hidden email]> wrote
(on Saturday, 22 November 2008, 12:26 AM +0000):

> On Fri, Nov 21, 2008 at 12:42 PM, Matthew Weier O'Phinney <[hidden email]>
> wrote:
>
>     -- James Dempster <[hidden email]> wrote
>     (on Friday, 21 November 2008, 11:48 AM +0000):
>     > Can someone explain to me what _securityCheck in Zend_Loader does, why
>     > and to what advantage.
>     >
>     > I feel like I'm missing the point on this one.
>
>     As the docblock for the method clearly indicates, it is to "ensure that
>     filename does not contain exploits." If you look at the regexp, it's
>     making sure that the filename specified does not contain characters that
>     could potentially lead to an exploit. (There have been a number of
>     attack vectors provided in the past against include/require with
>     malformed filenames.)
>
>
> It did seem pretty obvious but I can't think of any exploits that could be done
> via an include on a filename. Do you have any examples?

Sure, here's one such page:

    http://www.theserverpages.com/articles/webmasters/php/security/Code_Injection_Vulnerabilities_Explained.html

(You'll notice that that page also recommends the same security check we
utilize.)

Google for "php include exploit", and you'll start to see what the
possibilities are.

--
Matthew Weier O'Phinney
Software Architect       | [hidden email]
Zend Framework           | http://framework.zend.com/
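
The kind of filename character check discussed in this thread, as an added example (not Zend Framework's source and not code from any poster): the function names, the allowlist and the sample filenames are assumptions. It goes one step beyond the character check by also confirming the resolved path stays inside a base directory, because an allowlist that permits `.` and `/` does not by itself reject `..` path segments.

```php
<?php
// Added illustration: names and the allowlist are assumptions, not Zend Framework source.

/** Throw if $filename has any character outside the allowlist. */
function assertSafeFilename(string $filename): void
{
    // Allowlist: letters, digits, '/', '\', '_', '.', '-'. Everything else
    // (including ? % & # ( ) and NUL bytes) is rejected.
    if ($filename === '' || preg_match('/[^a-z0-9\/\\\\_.-]/i', $filename)) {
        throw new InvalidArgumentException('Security check: illegal character in filename');
    }
}

/** Resolve $filename under $baseDir; throw if it is missing or escapes the directory. */
function resolveInside(string $baseDir, string $filename): string
{
    assertSafeFilename($filename);
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $filename);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new InvalidArgumentException('Security check: file is missing or outside the base directory');
    }
    return $path;
}

// Constructed sample: a temp directory holding one loadable class file.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'loader_demo_' . getmypid();
@mkdir($base . DIRECTORY_SEPARATOR . 'Foo', 0700, true);
file_put_contents($base . DIRECTORY_SEPARATOR . 'Foo' . DIRECTORY_SEPARATOR . 'Bar.php', "<?php\n");

// Constructed filenames: one valid, three with illegal characters, one with '..'.
$samples = ['Foo/Bar.php', 'Foo/Bar.php?x=1', 'Foo(Bar).php', "Foo/Bar.php\0.txt", '../Foo.php'];
foreach ($samples as $name) {
    try {
        $result = 'ok: ' . basename(resolveInside($base, $name));
    } catch (InvalidArgumentException $e) {
        $result = 'rejected: ' . $e->getMessage();
    }
    printf("%-26s %s\n", json_encode($name, JSON_UNESCAPED_SLASHES), $result);
}
```

Only `Foo/Bar.php` is accepted; the three names with illegal characters fail the character check, and `../Foo.php` passes it but fails the containment check.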