$run is not extracted from the URL if it's not hex characters #58

Closed
mike503 opened this Issue Dec 21, 2014 · 4 comments

mike503 commented Dec 21, 2014

I have runs in /tmp that will load if I force a $run = $_GET['run']; in index.php.

If I do not FORCE $run, only runs that match [a-f0-9] will be loaded.

So far I cannot figure out why it is not extracting $run from the query string with a limited character set. But this really messes things up when you want to define custom run_ids and they do not conform to a purely [a-f0-9] type naming convention.

mike503 commented Dec 21, 2014

In utils/xhprof_lib.php it's due to this. What is the point of this?

if ($k === 'run') {
  $p = implode(',', array_filter(explode(',', $p), 'ctype_xdigit'));
}

mike503 commented Mar 6, 2015

ping

Member

epriestley commented Jan 12, 2016

Imagine ?run=../../../../etc/passwd.

epriestley closed this Jan 12, 2016

mike503 commented Jan 12, 2016

Then there should still be a better way to deal with this. Accept a parameter but append .xhprof to it - always.

I forget now but the path isn't part of it. The directory is already forced in code. Basename() the param - something like that.
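
Added example, not XHProf's code and not written by either commenter: a PHP comparison of the hex-only filter quoted in the thread with a wider allowlist for custom run IDs plus a directory containment check, run against the traversal string from the thread. The function names, the 64-character limit and the temporary run directory are assumptions made for this illustration.

```php
<?php
// Added illustration, not XHProf code. Function names, the 64-character limit
// and the temporary run directory are assumptions made for this example.

// The filter quoted in the thread: keeps only hex-only, comma-separated tokens.
function filter_runs_hex(string $p): string {
    return implode(',', array_filter(explode(',', $p), 'ctype_xdigit'));
}

// Wider allowlist for custom run IDs: letters, digits, '_' and '-' only.
// '.', '/', '\' and NUL never match, so an ID cannot name another directory.
function is_valid_run_id(string $id): bool {
    return preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $id) === 1;
}

function filter_runs_allowlist(string $p): string {
    return implode(',', array_filter(explode(',', $p), 'is_valid_run_id'));
}

// Map one run ID to its file; return null unless it resolves inside $runDir.
function run_path(string $runDir, string $id): ?string {
    if (!is_valid_run_id($id)) {
        return null;
    }
    $base = realpath($runDir);
    $path = realpath($runDir . DIRECTORY_SEPARATOR . $id . '.xhprof');
    if ($base === false || $path === false) {
        return null; // run directory or run file does not exist
    }
    // Second check: also catches a symlinked run file that points elsewhere.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed sample data: one custom-named run in a throwaway directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'xhprof_demo_' . getmypid();
mkdir($dir);
touch($dir . DIRECTORY_SEPARATOR . 'nightly_build-42.xhprof');

foreach (['54a1b2c3', 'nightly_build-42', '../../../../etc/passwd'] as $run) {
    printf("%-24s hex=%-9s allowlist=%-17s basename=%-17s file=%s\n",
        $run, var_export(filter_runs_hex($run), true),
        var_export(filter_runs_allowlist($run), true),
        var_export(basename($run), true),
        var_export(run_path($dir, $run) !== null, true));
}

unlink($dir . DIRECTORY_SEPARATOR . 'nightly_build-42.xhprof');
rmdir($dir);
```

In the output, `basename()` turns the traversal string into `passwd` rather than rejecting it, while both filters drop it and only the allowlist keeps the custom ID `nightly_build-42`.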
