Re: php - inject code into $_SERVER ?

I would not assume anything

Use a regexp like that to validate the REMOTE_ADDR and you will be fine
\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b

--Benoit Lefebvre
 mox@mox.ca
 www.mox.ca

Christophe Vandeplas wrote:

> Hello
>
> I am coding a kind of weblogin system that adapts the firewall of a
> gateway for logged users so that they can access another network.
> The weblogin system is written in php4 on a apache2 webserver running on a 
> debian system.
>
> to adapt the firewall I made a simple script, let's call it
> firewallAuth. This script needs 1 argument, the ip that needs to be
> added in the firewall.
>
> Now the only way to do this in php is to use the 'exec()' function.
> The ip of the user is stored in $_SERVER['REMOTE_ADDR'].
> To get root rights (I need them to adapt my firewall) i use sudo. (the
> php user can only run the firewallAuth command with sudo)
>
> So I just do this in php code:
> exec("sudo /home/firewall/firewallAuth ".$_SERVER['REMOTE_ADDR']);
>
> My question is now: is there any (known) way for a user to inject arbitrary code
> into this _SERVER global? (and thus execute this code on the server with root 
> permissions)
> or am I not-to-unsafe to use it?
>
> Should I perform some more checks on the $_SERVER['REMOTE_ADDR'] before using 
> it as argument?
>
>
> Thanks for the comments.
>
>
>