
server.php is kinda insecure #4

GoogleCodeExporter opened this issue Mar 15, 2015 · 2 comments

Comments

@GoogleCodeExporter

Hi guys, you might want to do some basic checks/cleaning on your POST vars
in the server.php file. As it stands right now, an attacker could write an
arbitrary payload to any path that the php/server process has write access
to. This is somewhat mitigated by the limited file extensions, I guess, but
it still seems like a pretty bad idea. Here's a really basic cleaning
function that could be run on the package_name and package_version fields:

// Basic cleaning for short identifier-like fields (package_name, package_version):
// trims whitespace, caps the length, then replaces every character outside
// [a-zA-Z0-9_-] (including "/", "\" and ".") with an underscore.
function clean( $input, $max_length=255 ) {
    $input = trim($input);
    $input = substr($input, 0, $max_length);
    $input = preg_replace("/[^a-zA-Z0-9_-]/", "_", $input);
    return $input;
}

More could be done, and it might be smart to protect the stacktrace field
as well, but it's a starting point. Modified file attached.

Original issue reported on code.google.com by lav...@gmail.com on 17 Jan 2010 at 7:23


@GoogleCodeExporter

Adding a hard-coded package name would also be a good thing if it is only for you.

Original comment by someb...@gmail.com on 23 Feb 2011 at 2:47
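The two suggestions above (cleaning the POST fields, and restricting the server to a hard-coded package name) combined into one hardened handler. This is an added example, not the project's own server.php; it assumes the POST field names `package_name`, `package_version` and `stacktrace`, a fixed storage directory `TRACE_DIR`, and a fixed `.stacktrace` extension chosen by the server.

```php
<?php
// Added example, not the project's own server.php. Assumes the POST field
// names the issue mentions and a fixed storage directory (TRACE_DIR).
define('TRACE_DIR', __DIR__ . '/traces');           // assumed location
define('ALLOWED_PACKAGES', ['com.example.myapp']);  // hard-coded names (2nd comment)
define('MAX_TRACE_BYTES', 65536);

// Returns the cleaned value, or null when the field must be rejected.
function clean_field(string $input, int $max_length = 255): ?string {
    $input = trim($input);
    if ($input === '' || strlen($input) > $max_length) {
        return null;  // reject rather than silently truncate
    }
    // Allowlist of safe characters: no slashes, no NUL, no whitespace.
    if (!preg_match('/^[A-Za-z0-9._-]+$/', $input)) {
        return null;
    }
    // "." and ".." pass the character test but are path components.
    return ($input === '.' || $input === '..') ? null : $input;
}

// Builds the destination file and checks it stays inside TRACE_DIR.
function trace_path(string $package, string $version): ?string {
    if (!in_array($package, ALLOWED_PACKAGES, true)) {
        return null;
    }
    $name = clean_field($package, 128);
    $ver  = clean_field($version, 64);
    $base = realpath(TRACE_DIR);
    if ($name === null || $ver === null || $base === false) {
        return null;
    }
    $file = $base . DIRECTORY_SEPARATOR . $name . '-' . $ver . '-'
          . uniqid('', true) . '.stacktrace';  // server picks the extension
    // Belt and braces: the parent directory must be exactly the base dir.
    return (dirname($file) === $base) ? $file : null;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $path  = trace_path((string)($_POST['package_name'] ?? ''),
                        (string)($_POST['package_version'] ?? ''));
    $trace = substr((string)($_POST['stacktrace'] ?? ''), 0, MAX_TRACE_BYTES);
    if ($path === null || $trace === '') {
        http_response_code(400);
        exit;
    }
    file_put_contents($path, $trace, LOCK_EX);
}
```

The stacktrace body is only length-capped here and written as opaque text; anything that later renders it in a web page still has to escape it on output.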

@GoogleCodeExporter

Has anybody made the same effort as me to build a server backend to store and
manage the stacktraces in a DB and make them available on a nice little website?

Original comment by andi.sch...@gmail.com on 30 Jan 2013 at 9:53
