Belt (and suspenders?) protection?

Now that the patches have been stabilized for a few days, I decided to go back in and fix/remove my even more brutal absolute path hack. Okay, the fact that the absolute path was breaking things also had some influence.
I noticed two interesting things.
1. $phpbb_root_path is used two different ways. One way is for machine local access where an absolute directory path on the server will work. The second is a relative path in a URL. 15+ years of writing code says this is a great recipe for disaster.
2. Many files still don't contain the simple

    if ( !defined('IN_PHPBB') )
    {
        die('Hacking attempt');
    }

block.
Before I go off and stick that code in all of the files, particularly in include, is there something I might break?
Are any of the other files vulnerable?
Did I just tell everyone how to do the next hack?
- John
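
One way to find which files lack the guard before editing them by hand, as an added example that is not part of the original post and is not phpBB code. It assumes entry-point scripts set the constant themselves with `define('IN_PHPBB', ...)`; the file names and contents in `build_sample_tree` are constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# Matches the guard quoted in the post, tolerating whitespace and quote style.
GUARD_RE = re.compile(r"""if\s*\(\s*!\s*defined\s*\(\s*['"]IN_PHPBB['"]\s*\)\s*\)""")
# Assumption: entry-point scripts set the constant themselves with define().
DEFINE_RE = re.compile(r"""\bdefine\s*\(\s*['"]IN_PHPBB['"]""")
# Strip comments so a commented-out guard is not counted (errs toward flagging).
COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)


def classify(source: str) -> str:
    """Return 'guarded', 'entry_point' or 'unguarded' for one PHP source text."""
    code = COMMENT_RE.sub("", source)
    if GUARD_RE.search(code):
        return "guarded"
    if DEFINE_RE.search(code):
        return "entry_point"
    return "unguarded"


def audit(root: Path) -> dict[str, list[str]]:
    """Walk root and group every .php file by classification."""
    report = {"guarded": [], "entry_point": [], "unguarded": []}
    for path in sorted(root.rglob("*.php")):
        text = path.read_text(encoding="utf-8", errors="replace")
        report[classify(text)].append(path.relative_to(root).as_posix())
    return report


def build_sample_tree(root: Path) -> None:
    """Constructed sample files (not real phpBB sources) for the demo."""
    files = {
        "index.php": "<?php\ndefine('IN_PHPBB', true);\ninclude($phpbb_root_path . 'common.php');\n",
        "includes/ok.php": "<?php\nif ( !defined('IN_PHPBB') ){ die('Hacking attempt');}\n",
        "includes/missing.php": "<?php\n$x = 1;\n",
        "includes/commented.php": "<?php\n// if ( !defined('IN_PHPBB') ) { die(); }\n$x = 2;\n",
    }
    for name, body in files.items():
        (root / name).parent.mkdir(parents=True, exist_ok=True)
        (root / name).write_text(body, encoding="utf-8")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        for kind, names in audit(Path(tmp)).items():
            print(kind, names)
```

Files reported as `unguarded` are the ones to review; a file that is meant to be requested directly but sets the constant in some other way will also land there and needs a manual look.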