Code injection vulnerability by echo-ing $_POST vars?

I wonder if I have a code injection vulnerability below, in the fwrite?

// $fh is the log file handle; every POST key and value is appended as-is
foreach($_POST as $key=>$val) {
    fwrite($fh, "\nPOST variable named " . $key . " has the value " . $val);
}

Should I sanitize the values somehow prior to writing them in the log file?

UPDATE: $fh is a log file handler.

Andrei asked Jul 13 '12 08:07


1 Answer

There is no vulnerability as long as the logfile is treated by its consumers as plain text (which it should always be).

If you decide to output the unprocessed contents of the logfile as part of some HTML, then it would be a real vulnerability (probably of not very severe practical impact, but still). But the issue would be with the "other" code that displays text inside HTML without calling htmlspecialchars, not with this code here that simply writes the log.

Jon answered Sep 28 '22 04:09
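An added example, not code from the question or the answer, showing the logging loop from the question with the two precautions the answer implies: the log stays plain text with one entry per line, and escaping with htmlspecialchars happens only at the point where a line is rendered inside HTML. The helper names are assumptions, and a constructed array stands in for $_POST so the script runs from the command line.

```php
<?php
// Keep each POST variable on a single log line: a value containing "\n" or
// "\r" would otherwise continue onto a new line and could be misread as a
// separate log entry by whoever reads the file.
function logSafe(string $s): string {
    // control characters (0x00-0x1f, 0x7f) become backslash escapes, e.g. "\n"
    return addcslashes($s, "\0..\x1f\x7f");
}

// Same layout as the question's loop; nested values (foo[]=1) are encoded
// instead of being concatenated as the literal string "Array".
function writePostLog($fh, array $post): void {
    foreach ($post as $key => $val) {
        $key = logSafe((string) $key);
        $val = logSafe(is_scalar($val) ? (string) $val : (string) json_encode($val));
        fwrite($fh, "\nPOST variable named " . $key . " has the value " . $val);
    }
}

// The escaping belongs in the code that displays the log as HTML, which is the
// point the answer makes; the log writer itself stays plain text.
function logLineAsHtml(string $line): string {
    return htmlspecialchars($line, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample input standing in for $_POST.
$samplePost = [
    'name'    => 'Andrei',
    'comment' => "first line\nsecond line <b>bold</b>",
    'tags'    => ['a', 'b'],
];

$fh = fopen('php://memory', 'w+');   // in-memory stand-in for the log file
writePostLog($fh, $samplePost);
rewind($fh);
$log = stream_get_contents($fh);
fclose($fh);

// Plain-text view: the embedded newline shows up as the two characters "\n".
echo $log, "\n\n";

// HTML view: tags in the value are rendered as text, not interpreted.
foreach (explode("\n", trim($log)) as $line) {
    echo logLineAsHtml($line), "<br>\n";
}
```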