John Davidson

Message:

Take this example code:

$data = $_POST["data"];

$file = $_POST["file"];

$filename = $file. ".txt";          # <-- can this .txt be escaped? maybe not in PHP, but even by the file system

$file = fopen($filename, "a");

fwrite($file, $data);

fclose($file);

Nothing here is being sanitized and the user has full permission over the filename but not the extension. The a flag in fopen will look to create a file or write to the end of a file only.

If we switched this around and made it so the $file was specified with the extension, the user has full control to I/O on the server.

$filename = $file;                # /.ssh/id_rsa

...

fwrite($data);                    # New RSA key

So by specifying the extension this prevents much malicious things in this case right? Nothing is really stored as a .txt format worth altering.

Is there a method of escaping this? Here, no sanitization occurs giving users the ability to put room 101 into here: what are the attack vectors? Can they escape my .txt force?

I understand they could create the malicious code here then potentially use a separate vulnerability to inject it directly from the file. I want to understand more about concatenation and the security vector behind it.

FYI: This is not best-practice and would never be in production. I just want conceptual understanding of what possibilities really lie here.

I've been testing it locally and trying to use the PHP Strings documentation to escape it within my user input. Ideally, I'm testing if I can create a PHP file on the server.

This was heavily inspired by the understanding of how user input can escape SQL queries using a comment like --.

---

My Answer:
'user_input'];$escaped_data = addslashes($data);echo $escaped_data;