NYCPHP Meetup

NYPHP.org

[nycphp-talk] Is it safe to log unsanitized, unvalidated user-inputted data into a logfile?

Michael B Allen ioplex at gmail.com
Sun Apr 5 23:17:05 EDT 2009


On Sun, Apr 5, 2009 at 9:06 PM, Brian Williams <brianw1975 at gmail.com> wrote:
> phpinfo() pish...
>
>
> $user_input = "`rm -Rf /`"
>
> nuff said.
>
> in case it wasn't - backticks are basically the short cut to get PHP to
> execute something on the command line.

I don't understand how this has any impact on the OP's code. The
backticks would simply be written to the log file. If you are careless
enough to try to execute a log file as a shell script then you might
as well erase your disk.

> always check incoming user data.

Actually I do not validate incoming data. At least not when it is
first received. I assume everything is tainted until it gets to the
point of where it really matters and then I validate it there. If I'm
writing some field to a database, I always escape the data just before
it's inserted so if someone supplies total garbage it doesn't matter.
As long as it's escaped it's completely benign (to the database).

In fact I would go so far as to say that validating data at the
point-of-entry is a coding error. For example, Joomla! validates
usernames before it passes them to authentication plugins. This is an
error because Joomla! does not know what a valid username is in the
context of the external authority. At one point Joomla! would not work
with OpenID or Windows Active Directory because it explicitly excluded
certain characters that were valid for those external authorities. The
proper solution is to allow the authentication plugin to define
username validation and provide a default implementation that can
easily be overridden.

Note that even though validating data when it is first received is not
critical to security, escaping output /is/ critical to security. So
it's ok to receive garbage. Just don't send garbage. This leads me
back to the OP's question of "do I need to validate user input that is
written to a log file?". The answer is no but you do need to escape
(or rather remove, truncate or flatten) anything that you don't want
to end up being read by a program that reads log files like passwords
and excessively long messages that might fill up the disk or prevent
someone from viewing the log.

Mike

> On Sun, Apr 5, 2009 at 8:56 PM, Konstantin Rozinov <krozinov at gmail.com>
> wrote:
>>
>> Hey guys,
>>
>> I have a question about logging messages.
>>
>> Is it safe to log unsanitized, unvalidated user-inputted data into a
>> logfile?
>>
>> For example, if I have a function called check_username(), which
>> checks that the username only consists of A-Za-z0-9, is it safe to
>> have check_username() write to a logfile that it was called on the
>> particaular user-inputted string, like so:
>>
>> Function definition:
>> function check_username($username, &$error)
>> {
>>  .. set $log_file...
>>
>>  /* print out informational message. */
>>  error_log(__FUNCTION__ . '(' . $username . '): called.', 3, $log_file);
>>
>>  ..check the username for correctness..
>> }
>>
>> Function called like so:
>> check_username('$_POST['username'], $error);
>>
>> Output to logfile:
>> check_username(user1): called.
>>
>>
>> Is it possible for an attacker to submit  a specific string as the
>> $username to somehow "escape" out of the error_log() function and have
>> code executed instead (like calling phpinfo())?
>>
>>
>>
>> thanks,
>> Konstantin
>> _______________________________________________
>> New York PHP User Group Community Talk Mailing List
>> http://lists.nyphp.org/mailman/listinfo/talk
>>
>> http://www.nyphp.org/show_participation.php
>
>
> _______________________________________________
> New York PHP User Group Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> http://www.nyphp.org/show_participation.php
>



-- 
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/



More information about the talk mailing list