[cvs] commit: horde/services prefs.php
Chuck Hagenbuch
chuck at horde.org
Mon Apr 7 18:18:07 UTC 2008
Quoting Michael M Slusarz <slusarz at horde.org>:
> 1st - how is including/requiring a config file this way any different
> than what we do on every page load? If something is visible (i.e.
> outside of PHP code) in config.php, it's going to be viewable on every
> page load.
Right, but I'm being paranoid. Allowing the user to decide, in the
URL, which more or less arbitrary PHP file to include, is a half step
that might combine with something else, or a sloppy admin leaving
something around with a PHP extension (or anything that lets someone
write a .php file, whether in Horde or not), to open a hole. It can
allow execution of code that Horde would never execute itself.
> 2nd - explanation: In DIMP, it is easy to parse this URL and do a
> request entirely within a PHP session:
> http://example.com/services/prefs.php?group=foo&app=bar
>
> But how do you process this URL?
> http://example.com/services/portal/rpcsum.php
Why not do prefs.php?app=horde&group=rpcsum and have prefs.php itself
do the redirect to rpcsum.php, since it's there in the 'url' setting
of the $prefGroup array?
-chuck
--
"I have concerns that we are not behaving like a mature, responsible,
collection of interdependent organisms." - Rick O.
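As an added illustration (not code from Horde or from either participant), the following sketch shows how a prefs.php could handle ?app=...&group=... along the lines Chuck suggests: the app parameter selects a key in a fixed table of installed applications instead of being spliced into an include path, the group is validated against that app's $prefGroups, and a group whose definition carries a 'url' entry is answered with a redirect rather than being rendered. The table contents, the group definitions and the path layout are constructed for this example; the 'url' key is assumed to mean what the thread describes.

```php
<?php
// Added example, not Horde's code. Demonstrates resolving a preferences
// request without letting the URL decide which PHP file gets included.

// Constructed stand-in for the registry of installed applications.
// The request parameter can only ever select one of these keys.
$installedApps = array(
    'horde' => '/var/www/horde/config/prefs.php',        // assumed layout
    'dimp'  => '/var/www/horde/dimp/config/prefs.php',   // assumed layout
);

// Constructed sample of what each app's config/prefs.php might define.
// A group with a 'url' entry points at its own page instead of the
// generic preferences form (mirrors the 'url' setting named in the thread).
$samplePrefGroups = array(
    'horde' => array(
        'rpcsum'   => array('label' => 'Summary', 'url' => 'services/portal/rpcsum.php'),
        'language' => array('label' => 'Language', 'members' => array('language')),
    ),
    'dimp' => array(
        'display'  => array('label' => 'Display', 'members' => array('show_preview')),
    ),
);

// Risky pattern the thread is discussing, shown only as a comment:
//   include $_GET['app'] . '/config/prefs.php';
// Anything an attacker can name on disk becomes executable code.

/**
 * Return the config path for a registered app, or null if the app is
 * unknown. The raw parameter is only used as an array key, so it can
 * never become part of a filesystem path.
 */
function configPathFor($app, array $installedApps)
{
    return array_key_exists($app, $installedApps) ? $installedApps[$app] : null;
}

/**
 * Decide what prefs.php should do for a given app/group pair.
 * Returns an array with an 'action' of 'error', 'redirect' or 'render'.
 */
function resolvePrefRequest($app, $group, array $allPrefGroups)
{
    if (!isset($allPrefGroups[$app])) {
        return array('action' => 'error', 'reason' => 'unknown app');
    }
    if (!isset($allPrefGroups[$app][$group])) {
        return array('action' => 'error', 'reason' => 'unknown group');
    }
    $def = $allPrefGroups[$app][$group];
    if (!empty($def['url'])) {
        // prefs.php performs the redirect itself, so DIMP can still build
        // a single prefs.php?app=...&group=... URL for every group.
        return array('action' => 'redirect', 'url' => $def['url']);
    }
    return array('action' => 'render', 'app' => $app, 'group' => $group);
}

// Request handling: parameters are looked up, never interpolated.
$app   = isset($_GET['app'])   ? (string) $_GET['app']   : 'horde';
$group = isset($_GET['group']) ? (string) $_GET['group'] : '';

$configPath = configPathFor($app, $installedApps);
if ($configPath === null) {
    header('HTTP/1.0 404 Not Found');
    exit;
}

// In a real deployment the app's prefs.php would be included from
// $configPath here; the constructed sample stands in for it.
$result = resolvePrefRequest($app, $group, $samplePrefGroups);

switch ($result['action']) {
case 'redirect':
    header('Location: ' . $result['url']);
    exit;
case 'render':
    echo 'Rendering preferences group ', htmlspecialchars($result['group']),
         ' for ', htmlspecialchars($result['app']), "\n";
    break;
default:
    header('HTTP/1.0 404 Not Found');
    echo htmlspecialchars($result['reason']), "\n";
}
```

With this layout the only thing a request can influence is which entry of a server-side table is consulted; an unknown app or group yields a 404, and the rpcsum case is served by prefs.php issuing the redirect itself, which is the behaviour Chuck proposes.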