$run is not extracted from the URL if it's not hex characters #58

Closed
mike503 opened this Issue Dec 21, 2014 · 4 comments

Projects

None yet

2 participants

@mike503
mike503 commented Dec 21, 2014

I have runs in /tmp that will load if I force a $run = $_GET['run']; in index.php

If I do not FORCE $run, only runs that match [a-f0-9] will be loaded.

So far I cannot figure out why it is not extracting $run from the query string with a limited character set. But this really messes things up when you want to define custom run_ids and they do not conform to a purely [a-f0-9] type naming convention.

@mike503
mike503 commented Dec 21, 2014

in utils/xhprof_lib.php it's due to this. what is the point of this?

if ($k === 'run') {
  $p = implode(',', array_filter(explode(',', $p), 'ctype_xdigit'));
}
@mike503
mike503 commented Mar 6, 2015

ping

@epriestley
Contributor

Imagine ?run=../../../../etc/passwd.

@epriestley epriestley closed this Jan 12, 2016
@mike503
mike503 commented Jan 12, 2016

Then there should still be a better way to deal with this. Accept a parameter but append .xhprof to it - always.

I forget now but the path isn't part of it. The directory is already forced in code. Basename() the param - something like that.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment