Access to private files

[vvo]

With CSS-JS-Booster calls it is possible to access webroot and non webroot files like /etc/passwd or any php file that contains passwords and such.

In my fork i double check the file extension and file mime type (though javascript and css files doesn't have specific mime types...)

But i think the best would be to have configuration files (in json format) that stores the file groups, passing the files group to uri is very dangerous as said by zoompf http://zoompf.com/blog/2009/12/the-challenge-of-dynamically-generating-static-content.

And he's right because in default version of css js booster we can access the whole filesystem !

[Schepp]

I saw your file check already (albeit it throwed an error here as not everybody has finfo available ;)

It is true that you can do a path traversal on the one hand, but it is also true that Booster did already do a filename-check to ensure to include only .css and .js files. Also file names were filtered before being processed. So you can't do that much damage in my opinion. If I am wrong you must show me how! :D

[vvo]

It was very easy, i typed this in my url bar :
http://domain.net/CSS-JS-Booster/booster/booster_css.php?dir=../../hello.php,../../static/css/yui,../../static/css/library,../../static/css/template&cachedir=booster_cache&css_hosted_minifier=1&totalparts=1&part=1&nocache=0

and there i had the php file (do not remember if id did it with css.php or js.php)

just watched the code very fast, doesn't the check only occurs when dealing with directories ?

[Schepp]

Nope, it should always do the check from what I know.
I was very aware of the potential risk of not checking twice what files are being requested, that's why I had have the check everywhere. See for example here in line 468 ff.:

http://github.com/Schepp/CSS-JS-Booster/blob/master/booster/booster_inc.php

[Schepp]

Okay, sorry, I think you may be right for the check being ommited on single files. I also just did a quick scan of my code. Will dig deeper and then include the check there too if it is really missing. Shouldn't be missing.

[vvo]

Getfiles is only called when css.php is called with dir=actual/dir and not dir=actualfile.php

right ?

ps: i double checked and the == $type is only called in getfiles wich is only called on directories

good luck

[Schepp]

You are completely right. But you also already put in place is_css and is_js, so they will now do a good job then. BTW: I will push an improved Booster this week, with a lot of changes (also including your improvements), so don't develop too much at the moment as merging may get difficult then :)

[vvo]

ARGH ! i hope the merge will not be too difficult ... you couldn't get my changes then move them / modify them and repush ?

if you do all your changes by hand outside github it's a lot more difficult but i'll handle it .. :)

[Schepp]

I have most of your changes here (I did a pull two days ago).
But I still need an hour or two of work on the library before pushing it to the public. Don't want to have something broken online.

[vvo]

No Problem, also i just saw i had double new finfo on is_css and is_js on my branch

good work ! see you

[Schepp]

Thanks! Good work from you, too!
I drop you an info as soon as I do the push.

[Schepp]

Fixed