[OWASP_PHPSEC] Update ?

Abbas Naderi abiusx at owasp.org
Sun Jun 23 06:59:26 UTC 2013


Ok
I found a few points.
1. First, instead of getParameter and its behavior, add something that overwrites and wraps $_SERVER using an ArrayInterface. The functionality is good but the way it's implemented is dull.
2. We need methods to retrieve every part of the URL, as well as some mixed parts that are more common. A URL can be:
scheme://username:password@domain:port/path?query_string#fragment_id
Now we have at least 8 parts in such a URL by looking at it, but if we look deeper we have 9.
The PATH segment can actually be divided into two parts, the path that points to our application and the path that is inside our application:

example.com/my/application/folder/categories/perfumes

We also need mixed retrieval of those two parts.

3. We need methods that directly manipulate the URL. We do not want the user to do that via string functions and end up having security holes. For example we would need a method that converts an HTTP URL to an HTTPS equivalent (needed when redirecting to secure login area). I don't want these converter methods to be inside the library directly, but a wise scheme should be advised.

4. DRY is not properly used here. You have

    if (php_sapi_name() === "cli")
        return '127.0.0.1';

everywhere. Put it in a private function, and call that instead.

5. Consider IPv6: in most cases the local address that is directly returned by the environment and PHP is ::1, which is the equivalent of 127.0.0.1 in IPv6. Not all IPs are returned as IPv4.

6. Some methods that return the interface (IP) that the request is being served on could be useful. We can use that to detect where the application is being run from without being prone to HTTP Host Alteration.

Thanks
-Abbas

On Tir 2, 1392, at 11:12 AM, Abhishek Das <das.abhshk at gmail.com> wrote:

> phpsec/libs/http/Http.class.php
> 
> 
> On Sun, Jun 23, 2013 at 12:07 PM, Abbas Naderi <abiusx at owasp.org> wrote:
> Well I was on vacation as well. Please point to the file  here.
> -A
> 
> On Tir 2, 1392, at 11:06 AM, Abhishek Das <das.abhshk at gmail.com> wrote:
> 
>> Hi,
>> 
>> I did that already. Almost 2 weeks back.
>> 
>> Thanks
>> 
>> 
>> On Sun, Jun 23, 2013 at 12:01 PM, Abbas Naderi <abiusx at owasp.org> wrote:
>> Hi Abhishek,
>> Commit and I'll review.
>> -A
>> On Tir 2, 1392, at 1:11 AM, Abhishek Das <das.abhshk at gmail.com> wrote:
>> 
>>> Hi Rahul,
>>> 
>>> I realize it's been a while since I pushed any code. I was on vacation. I will get back to coding regularly now.
>>> 
>>> I did implement a significant part of the HTTP Request Handling Library. It would be great if Abbas or Johanna could have a look at the code and guide me as to what other functions I should write as part of this library.
>>> 
>>> Thanks
>>> Abhishek
>>> 
>>> 
>>> On Sat, Jun 22, 2013 at 12:15 AM, rahul chaudhary <rahul300chaudhary400 at gmail.com> wrote:
>>> Guys, please update your latest reports. It's been a while since you submitted any code. Last I remember, Abhishek was doing "HTTP Request Handling Library" and Chetan was also doing some library.
>>> 
>>> If you do not wish to continue with those libraries and wish to take up a new library, then please inform me so that I can work on them.
>>> 
>>> -- 
>>> Regards,
>>> Rahul Chaudhary
>>> Ph - 412-519-9634
>>> 
>>> 
>>> 
>>> -- 
>>> Abhishek Das
>>> IIT Roorkee
>>> _______________________________________________
>>> OWASP_PHP_Security_Project mailing list
>>> OWASP_PHP_Security_Project at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp_php_security_project
>> 
>> 
>> 
>> 
>> -- 
>> Abhishek Das
>> IIT Roorkee
> 
> 
> 
> 
> -- 
> Abhishek Das
> IIT Roorkee
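
Added example, not part of the original thread and not phpsec code: review point 3 (converting an HTTP URL to its HTTPS equivalent without string functions), sketched as a parse-and-rebuild helper and compared with a naive str_replace on constructed inputs. The function name toHttps and its $httpsPort parameter are hypothetical.

```php
<?php
// Added example: hypothetical helper, not taken from phpsec's Http.class.php.

/**
 * Return the HTTPS equivalent of an absolute http/https URL,
 * or null when the input is relative, malformed or uses another scheme.
 */
function toHttps(string $url, ?int $httpsPort = null): ?string
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return null;                       // malformed or relative URL
    }
    $scheme = strtolower($p['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return null;                       // refuse ftp:, data:, etc.
    }
    // A plain-HTTP port (80, 8080, ...) says nothing about where TLS is
    // served, so it is dropped unless the caller supplies the HTTPS port.
    $port = $scheme === 'https' ? ($p['port'] ?? null) : $httpsPort;

    $out = 'https://';
    if (isset($p['user'])) {
        $out .= $p['user'] . (isset($p['pass']) ? ':' . $p['pass'] : '') . '@';
    }
    $out .= $p['host'];                    // IPv6 literals keep their brackets
    if ($port !== null && $port !== 443) {
        $out .= ':' . $port;
    }
    $out .= $p['path'] ?? '/';
    if (isset($p['query']))    { $out .= '?' . $p['query']; }
    if (isset($p['fragment'])) { $out .= '#' . $p['fragment']; }
    return $out;
}

// Constructed sample inputs.
$samples = [
    'http://example.com:8080/login?next=http://example.com/a#top',
    'https://example.com/login',
    'http://[::1]/admin',
    'ftp://example.com/file',
    '/relative/path',
];
foreach ($samples as $u) {
    $naive = str_replace('http', 'https', $u);   // the string-function approach
    printf("%s\n  naive:  %s\n  parsed: %s\n", $u, $naive, var_export(toHttps($u), true));
}
```

The naive replacement rewrites the URL embedded in the query string, keeps port 8080 and turns an already-secure URL into httpss://, while the parsed version changes only the scheme component. parse_url() does not validate its input, so a host taken from a request still needs checking against the application's expected host names before it is used in a redirect.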
