Check if requested is nullbyte or hexbyte

Question

Check if requested is nullbyte or hexbyte

Closed this issue 8 years ago · 7 comments

Hi,

https://github.com/PouyaDarabi/Dynamic/blob/Develop/core/lib/security.php#L102&#L118
what happen here? when user call this func if user use username null byte or hex byte for username he/she get "not found error" for example : http://example.ir/%00

https://github.com/PouyaDarabi/Dynamic/blob/Develop/core/lib/security.php#L162&L164

    private static function TypeString($str) {
        return is_string(CleanUrlChar($str));
    }

Answer 1 · 2016-08-11T10:31:21.000Z

Hi,

I think null byte not working in PHP 5.3 or newer version functions
Can you be more specific about how it can be real a issue?

https://github.com/PouyaDarabi/Dynamic/blob/Develop/core/lib/security.php#L162&L164

private static function TypeString($str) {
return is_string(CleanUrlChar($str));
}

And why we should remove bad URL chars in TypeString, which is used for any string validation?

Thanks

Answer 2 · 2016-08-11T10:47:11.000Z

Hi,

for example this is a username field for my site example : http://examplesite.com/ <username> from html , with request POST

$username = '%00'; get field from POST request for username  
$Method = 'p';
CheckInput($username, $Method, $Type ='')
checked for save in to DB, return True,

with selectone username in url (http://examplesite.com/%00)

from apache response error not found ,

Thanks,

Answer 3 · 2016-08-11T17:04:20.000Z

Hi,

CheckInput isn't a URI validator, this function just check the passed variable and data type!

If you want to pass something to URL, first you should make sure your validators cover character like this!(it's more than a single null byte #,/,,etc... )

I think this question will help you to solve this problem: LINK

And specifically for username, you should create a validator to follow your own policy before inserting in DB!

Sample username validator in PHP:

   public static function isValidUserName ($username)
    {
        $aValid = array('_','.');
        if (! ctype_alnum(str_replace($aValid, '', $username)) || strlen($username) < 4 || strlen($username) > 20) {
            return false;
        }
        return true;
    }

Answer 4 · 2016-08-11T17:20:55.000Z

I know , how to Handle this , I think you should check,

Also this is not url validator this is a control char ,
Ok , no problem,

Answer 5 · 2016-08-11T17:45:48.000Z

There is many options for Handel like this issue,you should create function for this issues

Answer 6 · 2016-08-11T21:51:36.000Z

Hi,

I checked that function you mentioned in the issue and there wasn't any problem in that.
That's why the issue marked as invalid

I hope you understand why we can't truncate something from user inputs in the system core!

Thanks

Answer 7 · 2016-08-12T12:18:48.000Z

Hi,

so, you need utility.php or etc on Dynamic for truncate scenarios until normal programmer use it,

Thanks,