NYCPHP Meetup

NYPHP.org

[nycphp-talk] Input whitelist validation warning

Cliff Hirsch cliff at pinestream.com
Fri May 18 16:32:06 EDT 2007


On 5/18/07 4:19 PM, "csnyder" <chsnyder at gmail.com> wrote:

> On 5/17/07, Cliff Hirsch <cliff at pinestream.com> wrote:
>>
>> I just discovered a hole in a white list validation technique I borrowed from
>> a PHP security book - no, not Chris' book.
>>
>> Beware in_array($_POST/GET['input'], $whitelist)
>>
>> Type matters. All input is string type and PHP will try to force type
>> matching.
>>
>> So the input string 'securityhole' will match the int number 0.
>
> Hmmm, but it might as well be our book, because I don't immediately see
> the problem...
>
> $whitelist = array( 'foo', 'bar', 'baz' );
> if ( !in_array( $_POST['input'], $whitelist ) ) {
>     exit( "Denied, you cad!" );
> }
>
> What is the condition under which that is exploited?
>
> --
> Chris Snyder
> http://chxo.com/
REFUND!!! The book goes back!

Here's the condition that caught me:

$whitelist = array(0, 1);

in_array($_POST['input'], $whitelist);

Since the values in the whitelist are ints, not strings, in_array attempts
type conversion. In this example, any string that converts to 0 will match.
At this point, since I had a match, I pass the bad input into the depths of
the code....

I should have used: $whitelist = array('0', '1');

For input validation, any value in the whitelist should be a string. As a
quick safety bandaid, I changed my code to only return values from the
whitelist, not the source input.

Cliff
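The loose-comparison hole described in this thread, and both fixes Cliff mentions (a string whitelist with strict in_array, and returning the whitelist's own value instead of the raw input), as an added, self-contained example. This is not code from the original post; the function names, the probe strings and the whitelist values are assumptions chosen for illustration. Note that the exact set of strings that loosely equals int 0 depends on the PHP version: before PHP 8 any non-numeric string ('securityhole', '') converts to 0, while on PHP 8 only numeric strings ('0.0', '00', ' 0', '1e0') still compare numerically, so the loose version stays unsafe either way.

```php
<?php
// Added example, not code from the original post. Shows why in_array() with
// a loose comparison against an int whitelist is unsafe and what the two
// fixes from the thread look like. Run with: php in_array_whitelist.php
declare(strict_types=1);

/** Vulnerable form from the thread: int whitelist, default (loose) comparison. */
function allowed_loose(string $input): bool
{
    $whitelist = [0, 1];                 // ints, as in the original mistake
    return in_array($input, $whitelist); // '==' semantics: string vs int
}

/** Fix 1: string whitelist and strict comparison (third argument = true). */
function allowed_strict(string $input): bool
{
    $whitelist = ['0', '1'];
    return in_array($input, $whitelist, true); // '===' semantics
}

/**
 * Fix 2 (the "bandaid"): never hand the caller the raw input. Look the input
 * up strictly and return the whitelist's own canonical value, or null.
 */
function canonical(string $input): ?string
{
    $whitelist = ['0', '1'];
    $key = array_search($input, $whitelist, true);
    return $key === false ? null : $whitelist[$key];
}

// Constructed probe inputs: the two legitimate values plus strings that
// loosely compare equal to 0 or 1 on some PHP versions.
$probes = ['0', '1', 'securityhole', '', '0.0', '00', ' 0', '1e0'];

printf("PHP %s\n%-14s %-6s %-7s %s\n", PHP_VERSION, 'input', 'loose', 'strict', 'canonical');
foreach ($probes as $p) {
    printf(
        "%-14s %-6s %-7s %s\n",
        var_export($p, true),
        allowed_loose($p) ? 'PASS' : 'deny',
        allowed_strict($p) ? 'PASS' : 'deny',
        var_export(canonical($p), true)
    );
}
```

On PHP 5/7 the loose column passes every probe, including 'securityhole' and the empty string; on PHP 8 it still passes '0.0', '00', ' 0' and '1e0'. The strict column and canonical() accept exactly '0' and '1', and canonical() is what downstream code should consume, since it can only ever yield a value that was in the whitelist.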