$run is not extracted from the URL if it's not hex characters #58

mike503 · 2014-12-21T18:29:36Z

I have runs in /tmp that will load if I force a $run = $_GET['run']; in index.php

If I do not FORCE $run, only runs that match [a-f0-9] will be loaded.

So far I cannot figure out why it is not extracting $run from the query string with a limited character set. But this really messes things up when you want to define custom run_ids and they do not conform to a purely [a-f0-9] type naming convention.

mike503 · 2014-12-21T18:45:31Z

in utils/xhprof_lib.php it's due to this. what is the point of this?

if ($k === 'run') {
  $p = implode(',', array_filter(explode(',', $p), 'ctype_xdigit'));
}

mike503 · 2015-03-06T10:37:05Z

ping

epriestley · 2016-01-12T12:50:08Z

Imagine ?run=../../../../etc/passwd.

mike503 · 2016-01-12T16:46:31Z

Then there should still be a better way to deal with this. Accept a parameter but append .xhprof to it - always.

I forget now but the path isn't part of it. The directory is already forced in code. Basename() the param - something like that.

epriestley closed this as completed Jan 12, 2016

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

$run is not extracted from the URL if it's not hex characters #58

$run is not extracted from the URL if it's not hex characters #58

mike503 commented Dec 21, 2014

mike503 commented Dec 21, 2014

mike503 commented Mar 6, 2015

epriestley commented Jan 12, 2016

mike503 commented Jan 12, 2016

$run is not extracted from the URL if it's not hex characters #58

$run is not extracted from the URL if it's not hex characters #58

Comments

mike503 commented Dec 21, 2014

mike503 commented Dec 21, 2014

mike503 commented Mar 6, 2015

epriestley commented Jan 12, 2016

mike503 commented Jan 12, 2016