
$run is not extracted from the URL if it's not hex characters #58

Closed
mike503 opened this issue Dec 21, 2014 · 4 comments
Comments

@mike503 mike503 commented Dec 21, 2014

I have runs in /tmp that will load if I force a $run = $_GET['run']; in index.php

If I do not FORCE $run, only runs that match [a-f0-9] will be loaded.

So far I cannot figure out why it is not extracting $run from the query string with a limited character set. But this really messes things up when you want to define custom run_ids and they do not conform to a purely [a-f0-9] type naming convention.

@mike503 mike503 commented Dec 21, 2014

In utils/xhprof_lib.php it's due to this. What is the point of this?

```php
if ($k === 'run') {
  // keep only the comma-separated run ids that consist purely of hex digits
  $p = implode(',', array_filter(explode(',', $p), 'ctype_xdigit'));
}
```
@mike503 mike503 commented Mar 6, 2015

ping

@epriestley epriestley commented Jan 12, 2016

Imagine ?run=../../../../etc/passwd.

@epriestley epriestley closed this Jan 12, 2016
@mike503 mike503 commented Jan 12, 2016

Then there should still be a better way to deal with this. Accept a parameter but append .xhprof to it - always.

I forget now but the path isn't part of it. The directory is already forced in code. Basename() the param - something like that.
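The two positions in this thread, as an added example that is not xhprof's own code: the hex-only filter quoted above (which silently drops any id containing a non-hex character) next to a looser whitelist that still accepts custom run names but rejects path separators, `..`, and NUL bytes, and then confirms with `realpath()` that the resulting file is still under the fixed run directory. The directory, the `.xhprof` suffix handling and the function names are assumptions for this example; the inputs are constructed. Note that `basename()` alone is weaker than this: it strips directories but does not reject the traversal attempt, so the containment check below is done on the canonical path instead.

```php
<?php
// Added example, not from the xhprof project. Demonstrates turning a
// user-controlled ?run= value into a profile path under a fixed directory.
declare(strict_types=1);

const RUN_SUFFIX = '.xhprof'; // assumed suffix for stored runs

/**
 * Same behaviour as the filter quoted in the thread: keep only the
 * comma-separated run ids made entirely of hex digits; drop the rest.
 */
function filterHexRuns(string $runParam): string
{
    return implode(',', array_filter(explode(',', $runParam), 'ctype_xdigit'));
}

/**
 * Looser whitelist: [A-Za-z0-9_-] components joined by single dots, so
 * "my-custom_run.1" is accepted, while "..", "/", "\\" and NUL can never match.
 * Returns the id unchanged if valid, null otherwise.
 */
function validateRunId(string $id): ?string
{
    if (!preg_match('/\A[A-Za-z0-9_-]+(?:\.[A-Za-z0-9_-]+)*\z/', $id)) {
        return null;
    }
    return $id;
}

/**
 * Resolve a run id to its file inside $runDir. Returns null if the id is
 * invalid, the file does not exist, or the canonical path (after realpath,
 * which also follows symlinks) falls outside $runDir.
 */
function runFilePath(string $runDir, string $id): ?string
{
    if (validateRunId($id) === null) {
        return null;
    }
    $base = realpath($runDir);
    if ($base === false) {
        return null;
    }
    $real = realpath($base . DIRECTORY_SEPARATOR . $id . RUN_SUFFIX);
    if ($real === false) {
        return null; // no such file
    }
    // Containment check on the canonical path, not on the user string.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// --- demo with constructed inputs -------------------------------------
$tmpDir = sys_get_temp_dir() . '/xhprof-demo-' . getmypid();
mkdir($tmpDir, 0700, true);
file_put_contents("$tmpDir/abc123.xhprof", 'hex-named run');
file_put_contents("$tmpDir/my-custom_run.1.xhprof", 'custom-named run');

$inputs = [
    'abc123',                     // accepted by both filters
    'my-custom_run.1',            // dropped by the hex filter, accepted here
    '../../../../etc/passwd',     // the traversal attempt from the thread
    "abc123\0../../etc/passwd",   // NUL-byte variant, rejected by the regex
    'nonexistent',                // valid shape but no file on disk
];

echo 'hex filter keeps: ' . var_export(filterHexRuns(implode(',', $inputs)), true) . "\n";
foreach ($inputs as $in) {
    printf("%-30s => %s\n", addcslashes($in, "\0"), var_export(runFilePath($tmpDir, $in), true));
}

// cleanup
array_map('unlink', glob("$tmpDir/*.xhprof"));
rmdir($tmpDir);
```

Run it with `php` on the command line; only the first two ids resolve to a path, the traversal and NUL-byte inputs return null before any filesystem call is made, and the hex filter keeps only `abc123`.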
