[nycphp-talk] Input whitelist validation warning
Cliff Hirsch
cliff at pinestream.com
Fri May 18 16:32:06 EDT 2007
On 5/18/07 4:19 PM, "csnyder" <chsnyder at gmail.com> wrote:
> On 5/17/07, Cliff Hirsch <cliff at pinestream.com> wrote:
> > I just discovered a hole in a white list validation technique I borrowed
> > from a PHP security book. No, not Chris' book.
> >
> > Beware in_array($_POST/GET['input'], $whitelist)
> >
> > Type matters. All input is string type and PHP will try to force type
> > matching.
> >
> > So the input string 'securityhole' will match the int number 0.
>
> Hmmm, but it might as well be our book, because I don't immediately see
> the problem...
>
> $whitelist = array( 'foo', 'bar', 'baz' );
> if ( !in_array( $_POST['input'], $whitelist ) ) {
>     exit( "Denied, you cad!" );
> }
>
> What is the condition under which that is exploited?
>
> --
> Chris Snyder
> http://chxo.com/
REFUND!!! The book goes back!
Here's the condition that caught me:

$whitelist = array(0, 1);
in_array($_POST['input'], $whitelist);
Since the values in the whitelist are ints, not strings, in_array attempts
type conversion. In this example, any string that converts to 0 will match.
At this point, since I had a match, I pass the bad input into the depths of
the code....
I should have used: $whitelist = array('0', '1');
For input validation, any value in the whitelist should be a string. As a
quick safety bandaid, I changed my code to only return values from the
whitelist, not the source input.
Cliff
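A worked illustration of the type-juggling problem described in this thread, added here as an example and not code from the original post or from the book in question. It runs the loose in_array() check from the post against a few constructed request values (the $samples array stands in for $_POST['input']), alongside a hardened lookup that requires a string, passes $strict = true, and hands back the whitelist's own copy of the value rather than the raw input. The function names looseCheck and strictLookup are this example's own.

```php
<?php
// Added example (not from the original post): how in_array()'s loose
// comparison lets unexpected input pass an integer whitelist, and how to
// harden the check. All inputs below are constructed test values.

// The whitelist from the post, as a real PHP array literal, and the
// string version the poster switched to.
$intWhitelist = array(0, 1);
$strWhitelist = array('0', '1');

// Loose check, exactly as the post did it: in_array() without $strict
// compares with ==, so PHP's type juggling applies.
function looseCheck($input, array $whitelist) {
    return in_array($input, $whitelist);
}

// Hardened check: the needle must be a string (request values normally
// are, but input[]=x arrives as an array), and array_search() runs with
// $strict = true so no type or numeric-string juggling occurs. The
// function returns the whitelist's own copy of the value, so the caller
// never passes the raw request string further into the code.
function strictLookup($input, array $whitelist) {
    if (!is_string($input)) {
        return null;
    }
    $key = array_search($input, $whitelist, true);
    return ($key === false) ? null : $whitelist[$key];
}

// Constructed sample inputs standing in for $_POST['input'].
$samples = array('0', '1', 'securityhole', '1e0', ' 1', '01', array('0'));

foreach ($samples as $input) {
    printf("%-14s loose/int: %-5s loose/string: %-5s strict: %s\n",
        is_array($input) ? 'array' : var_export($input, true),
        var_export(looseCheck($input, $intWhitelist), true),
        var_export(looseCheck($input, $strWhitelist), true),
        var_export(strictLookup($input, $strWhitelist), true));
}
```

Two things worth noticing when you run it. First, switching the whitelist to strings closes the 'securityhole' == 0 match, but it does not close the numeric-string cases: '1e0', ' 1' and '01' all still pass the loose check against array('0', '1'), because PHP compares two numeric strings numerically even when both are strings. Only the strict lookup rejects them. Second, PHP 8 changed how a non-numeric string compares with an int, so 'securityhole' == 0 is false there; the numeric-string matches above remain true on PHP 8, so the strict flag is still the fix, not the version upgrade.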