Details
Description
I've got something like this:
Zend_Controller_Plugin to initialize the view:

```php
// (...)
$view = new Zend_View();
$view->setScriptPath(APP_PATH . '/views/0');
// module-specific script path, derived from the routed module name
$view->addScriptPath(APP_PATH . '/views/modules/' . $this->_request->getModuleName() . '/0');
// (...)
$helper_view = Zend_Controller_Action_HelperBroker::getExistingHelper('viewRenderer');
$helper_view->setView($view);
// (...)
```
Zend_Router like:
http://my_website.com/module/controller/action
LFI:
http://my_website.com/..%2F..%2F..%2F..%2F..%2F..%2Fetc..%2Fpasswd%00
LFI is possible, because scripts should not be loaded in this way:

Zend_View:

```php
/**
 * Includes the view script in a scope with only public $this variables.
 *
 * @param string The view script to execute.
 */
protected function _run()
{
    if ($this->_useViewStream && $this->useStreamWrapper()) {
        include 'zend.view://' . func_get_arg(0);
    } else {
        include func_get_arg(0);
    }
}
```
Issue Links
| Relation | Issue | Summary |
| --- | --- | --- |
| This issue is related to | ZF-5748 | Zend_View render() allows parent directory notation, opening potential LFI exploit |
I understand the ramifications of the local file include attack, and feel that we should definitely patch Zend_View to disallow using the '..' specification. That said, in most cases you should not be trusting user input in order to determine the view script to render; it should be based on very narrow criteria, and the path should be filtered prior to passing to Zend_View's render() method.
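A filtering wrapper of the kind the comment above recommends, added here as an example (not code from this issue or from Zend_View itself; the helper names isSafeViewScript() and renderSafely() are assumptions): it rejects '..' segments, NUL bytes, absolute paths and the URL-encoded form from the report before calling render(), then confirms with realpath() that the script resolves inside one of the view's configured script paths.

```php
// Added example, not code from this ZF issue or from Zend_View itself; the
// helper names isSafeViewScript() and renderSafely() are assumptions.
/**
 * Accept only a plain relative view script name: no NUL byte, no absolute path,
 * no '.' or '..' segment, allowlisted characters, '.phtml' suffix. Raw and
 * URL-decoded forms are both checked so '..%2F' from the report fails like '../'.
 */
function isSafeViewScript($script)
{
    if (!is_string($script) || $script === '') {
        return false;
    }
    foreach (array($script, rawurldecode($script)) as $candidate) {
        // The trailing %00 in the report relies on include() stopping at NUL.
        if (strpos($candidate, "\0") !== false) {
            return false;
        }
        // Absolute paths (and Windows drive letters) are never view scripts.
        if (preg_match('#^([\\\\/]|[A-Za-z]:)#', $candidate)) {
            return false;
        }
        foreach (preg_split('#[\\\\/]+#', $candidate) as $segment) {
            if ($segment === '.' || $segment === '..') {
                return false;
            }
        }
    }
    return (bool) preg_match('#^[A-Za-z0-9_][A-Za-z0-9_/-]*\.phtml$#', $script);
}
/**
 * Render $script only after validation and a realpath() check that the file
 * resolves inside one of the view's configured script paths (getScriptPaths()
 * and render() are real Zend_View methods).
 */
function renderSafely(Zend_View $view, $script)
{
    if (!isSafeViewScript($script)) {
        throw new InvalidArgumentException('Refusing to render view script: ' . $script);
    }
    foreach ($view->getScriptPaths() as $dir) {
        $base = realpath($dir);
        $full = realpath($dir . DIRECTORY_SEPARATOR . $script);
        if ($base !== false && $full !== false
            && strpos($full, $base . DIRECTORY_SEPARATOR) === 0) {
            return $view->render($script);
        }
    }
    throw new RuntimeException('View script not found under any script path: ' . $script);
}
```

With this wrapper, 'index/index.phtml' renders normally while '../../../../etc/passwd' and its '..%2F' form are refused before include() is ever reached.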