[CentOS] case insensitive file system

Wed Apr 30 15:27:18 UTC 2008
Kai Schaetzl <maillists at conactive.com>

Ruslan Sivak wrote on Wed, 30 Apr 2008 10:29:25 -0400:

> And inside index.php it does something like
> <? include($_GET['page'].".php") ?>
> This is a gross simplification, but it's my understanding that if the 
> file was named 'foo.php' and someone typed in
> http://www.domain.com/index.php?action=Foo

did you mean page=Foo ?

I hope that was really just an example. If you take that input unchecked 
and include other files with it your security is non-existent.

> It would still work on windows, but not on linux because of case 
> sensitivity.

Simple: downcase all variable input that you need for further processing.

If it's not external input, but your application simply does not 
differentiate between cases and sometimes includes "Somepage.php" and 
sometimes "somepage.php" that is really bad programming and it's also 
easily solved by a find/replace. Nothing big.


Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
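A safer version of the `include($_GET['page'].".php")` pattern quoted above, added here as an illustration and not code from either poster. It assumes the page files live in a `pages/` directory next to the front controller, are named in lower case, and that the set of valid page names is known in advance (the `ALLOWED_PAGES` list is a constructed sample).

```php
<?php
// Added example, not from the thread: a front controller that maps ?page=
// to a file without letting the request pick arbitrary files to include.
declare(strict_types=1);

// Assumption: all page scripts live here and have lower-case file names.
const PAGES_DIR = __DIR__ . '/pages';

// Allowlist of page names (constructed sample). Stored in lower case, so the
// lookup is case-insensitive on Linux as well as on Windows.
const ALLOWED_PAGES = ['home', 'foo', 'contact'];

/**
 * Map untrusted ?page= input to an absolute file path, or return null when
 * the request does not name an allowed page. The allowlist, not the
 * filesystem, decides what may be included; lower-casing only fixes the
 * "Foo" vs "foo" difference between case-sensitive and insensitive systems.
 */
function resolvePage(?string $input): ?string
{
    if ($input === null || $input === '') {
        $input = 'home';
    }
    $name = strtolower($input);
    // Only plain lower-case words: no '/', '..', NUL bytes or other path syntax.
    if (preg_match('/^[a-z0-9_-]{1,32}$/', $name) !== 1) {
        return null;
    }
    if (!in_array($name, ALLOWED_PAGES, true)) {
        return null;
    }
    $path = PAGES_DIR . '/' . $name . '.php';
    return is_file($path) ? $path : null;
}

$path = resolvePage($_GET['page'] ?? null);
if ($path === null) {
    http_response_code(404);
    echo 'Page not found';
    exit;
}
include $path;
```

With this, `index.php?page=Foo` and `index.php?page=foo` both resolve to `pages/foo.php`, while any value not in the allowlist is refused before `include` is reached.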