rzlatic, Posted September 20, 2012

hello to everyone on the forum. googled around for this particular bug but honestly didn't find anything regarding the weird behavior that i'm getting. variables and files are changed but the rough code goes like this:

    $lang = $_GET['lang'];
    $file = 'includes/blah/' . $lang . '-blah.php';
    include $file;

now, the script itself works ok - i have, for example, "en-blah.php" and "de-blah.php" files which are included correctly as needed, but i have a constantly growing error_log with lines like:

    [20-Sep-2012 12:55:42] PHP Warning: include(includes/blah/ena0aa0a000aaaaaaaa-blah.php) [<a href='function.include'>function.include</a>]: failed to open stream: No such file or directory in /home/unitas/public_html/index.php on line 50

on my XAMPP localhost i don't get the error_log, only on the live (linux) webserver. php versions are 5.3 and 5.2. i've tried different arrangements of code, like excluding the $file variable at all:

    $lang = $_GET['lang'];
    include ('includes/blah/' . $lang . '-blah.php');

or:

    include ('includes/blah/' . $_GET['lang'] . '-blah.php');

tried trimming and rtrimming the "a" and "0" characters on variables $lang and/or $file, tried inserting the "-" character on the $lang variable like:

    $lang = $_GET['lang'] . '-';

...but i'm getting the "a's and zeros" warning all the time (the string varies but it is always the character a and one or a few zeros - like in the upper line of code, or "0aaaa000a0aaaaaaaaaa", or "0aa0a000aaaaaaaa" etc etc). what am i doing wrong? thanks

Thread: https://forums.phpfreaks.com/topic/268602-0aa0a000aaaaaaaa-error/
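The error_log lines quoted above are worth triaging rather than silencing. The following is an added example, not code from the thread: it scans log lines in the format the poster quoted, picks out every failed include() built from the lang parameter, and classifies what was actually substituted. The sample log lines are constructed for illustration (one mirrors the quoted warning, the others are assumed variants); the path prefix and suffix are the thread's own.

```php
<?php
// Added example, not code from the thread: classify failed include() calls in a
// PHP error_log by the value that was substituted for the lang parameter.
// The log lines below are constructed in the format quoted in the first post.

$sampleLog = <<<'LOG'
[20-Sep-2012 12:55:42] PHP Warning: include(includes/blah/ena0aa0a000aaaaaaaa-blah.php) [<a href='function.include'>function.include</a>]: failed to open stream: No such file or directory in /home/unitas/public_html/index.php on line 50
[20-Sep-2012 12:56:10] PHP Warning: include(includes/blah/../../../etc/passwd-blah.php) [<a href='function.include'>function.include</a>]: failed to open stream: No such file or directory in /home/unitas/public_html/index.php on line 50
[20-Sep-2012 12:57:31] PHP Warning: include(includes/blah/fr-blah.php) [<a href='function.include'>function.include</a>]: failed to open stream: No such file or directory in /home/unitas/public_html/index.php on line 50
[20-Sep-2012 12:58:02] PHP Notice: Undefined index: foo in /home/unitas/public_html/other.php on line 12
LOG;

/**
 * Returns one entry per failed include() whose path looks like $prefix<value>$suffix,
 * with the raw <value> that came from the request and a verdict on it.
 */
function classifyIncludeFailures($log, $prefix, $suffix)
{
    $out = array();
    // timestamp in brackets, then the include() path; anchored per line via /m
    $re = '/^\[([^\]]+)\] PHP Warning:\s+include\(([^)]+)\).*failed to open stream/m';
    if (!preg_match_all($re, $log, $matches, PREG_SET_ORDER)) {
        return $out;
    }
    foreach ($matches as $hit) {
        list(, $when, $path) = $hit;
        if (strncmp($path, $prefix, strlen($prefix)) !== 0
            || substr($path, -strlen($suffix)) !== $suffix) {
            continue; // some other include() in the application, not the lang one
        }
        $value = substr($path, strlen($prefix), strlen($path) - strlen($prefix) - strlen($suffix));
        if (preg_match('/^[a-z]{2}\z/', $value)) {
            $verdict = 'well-formed code but no such file (deployment issue)';
        } elseif (strpos($value, '/') !== false || strpos($value, '..') !== false) {
            $verdict = 'path traversal attempt';
        } else {
            $verdict = 'unexpected characters (probe or scanner)';
        }
        $out[] = array('when' => $when, 'value' => $value, 'verdict' => $verdict);
    }
    return $out;
}

foreach (classifyIncludeFailures($sampleLog, 'includes/blah/', '-blah.php') as $row) {
    printf("%s  lang=%-28s  %s\n", $row['when'], $row['value'], $row['verdict']);
}
```

Run against the real error_log (file_get_contents on it) the same function separates honest "missing translation" entries from the traversal and junk-string entries that indicate someone is exercising the unvalidated include.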
Christian F., Posted September 20, 2012

*Clicks on "index.php?lang=../../../etc/passwd\x00" and reads your password file.*

In other words: Validate input, and make sure you only accept characters that signify a legit language file. What you've done above means anyone could include any file on your web host's server, and have it either executed or spat out as plain text in their browser.

You'll also want to check if the file exists before trying to include it, and show an error/warning message if not. Then fall back to a default language, so that it doesn't break your site completely.

As for your error, there's clearly something adding to the URL; as to exactly where, I don't know, as you yourself don't know (and thus haven't posted this information). What you need to do is to dump the contents of the $_GET array, and check it against the URL as displayed in the browser. Doing that, as well as the above, should help you figure out and correct this error.
rzlatic (Author), Posted September 20, 2012

thanks christian. the variable is enclosed in "if (isset..." code, the contents of the $_GET array are always just like they should be ("de", "en" etc, dumped it a number of times at first tries to debug) and the files themselves are included without problem - no breaks whatsoever - except the error_log file which stacks warnings always about the particular line where the variable merging is done - line 50 in the currently given example above - ('includes/blah/' . $lang . '-blah.php'). how could i validate more? ...and thanks once more
ManiacDan, Posted September 20, 2012

> contents $_GET array is always just like it should be ("de", "en" etc, dumped it a number of times at first tries to debug) and the files itself are included without problem

You're not understanding what we're saying: Your code is horribly insecure and someone has noticed.

Go to a page on your site with &lang=en in the URL. Change it to &lang=aaaa0000aaaa0a0aa. You will see this same error. You do absolutely no checking to see if the file that your system is trying to load is actually one it should be loading.

Someone is trying to break into your system. Stop them. Validate the inputs in the code (validating inputs does not mean dumping debug information to the screen).
rzlatic (Author), Posted September 20, 2012

thanks. ok, seems i got rid of the error_log warnings (there's now no error_log file in root since this quick code upgrade):

    $file = 'includes/blah/' . $lang . '-blah.php';
    if (file_exists($file)) {
        include $file;
    } else {
        include 'includes/blah/defaultblah.php';
    }

should that validate enough which file is being included?
Christian F., Posted September 20, 2012

No, you're just validating that the file exists now. You're still not ensuring that it is actually a file you want the user to include. I refer to my above comment in red.

Only allow characters you know should be used to identify the language, and from what I can see from your examples this is a 2-letter string comprised of the letters a-z. Nothing more, nothing less. Ensure that only strings matching this pattern will be accepted, and you've secured your code.

You might want to read up on Regular Expressions for this, however. It's a very complex subject, which can be hard to get into at first. As such I recommend that you use this code for now, until you've learned more for yourself:

    if (!preg_match ('/^[a-z]{2}\\z/', $_GET['lang'])) {
        // Failed validation of language string. Default to English and add warning message.
        $lang = "en";
        $langErrMessage = "Declared language not a legal language identifier.";
    } else {
        $lang = $_GET['lang'];
    }

Replace your $lang = $_GET['lang'] line with that, and you should be good. I also recommend reading more in the PHP manual about preg_match (), after you've gone through the intro for RegExps.
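Putting the advice from this thread together (character allowlist, existence check, default-language fallback), here is an added example of a complete language loader. It is not the thread's code: the directory and file naming follow the poster's setup, the list of shipped languages is assumed to be "en" and "de", and the array-input and logging handling are additions beyond what the posts show.

```php
<?php
// Added example, not the thread's code: an allowlist-based language loader that
// replaces the raw  include 'includes/blah/' . $_GET['lang'] . '-blah.php'
// Paths and file names follow the thread; the allowlist contents are assumed.

// The only language codes that may ever be turned into a file name.
function allowedLangs()
{
    return array('en', 'de');
}

/**
 * Returns a language code that is safe to use in a path.
 * $requested is the raw $_GET['lang'] (or null when absent); $error receives a
 * message when the value was rejected, so the page can warn and fall back.
 */
function resolveLang($requested, &$error = null)
{
    $error = null;
    if ($requested === null) {
        return 'en';
    }
    // ?lang[]=x makes $_GET['lang'] an array, so reject anything that is not a string;
    // then require exactly two lowercase letters (\z rather than $ so a trailing
    // newline cannot slip through) and, belt and braces, a code we actually ship.
    if (!is_string($requested)
        || !preg_match('/^[a-z]{2}\z/', $requested)
        || !in_array($requested, allowedLangs(), true)) {
        $error = 'Declared language not a legal language identifier.';
        // bin2hex keeps raw bytes (nulls, slashes) readable in the log for later triage
        error_log('Rejected lang parameter: ' . bin2hex(is_string($requested) ? $requested : 'array'));
        return 'en';
    }
    return $requested;
}

function langFile($lang)
{
    // $lang has already been validated, so this can only name an allowlisted file.
    return 'includes/blah/' . $lang . '-blah.php';
}

$langErrMessage = null;
$lang = resolveLang(isset($_GET['lang']) ? $_GET['lang'] : null, $langErrMessage);
$file = langFile($lang);
if (!is_file($file)) {
    // A missing allowlisted file is a deployment bug, not a user problem.
    error_log('Missing language file: ' . $file);
    $file = langFile('en');
}
include $file;
```

With this in place the include path can only ever be one of the allowlisted file names, and every rejected request leaves a log entry instead of the "failed to open stream" warnings.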
rzlatic (Author), Posted September 20, 2012

now that's a guideline for further reading and trying to debug. thanks chris.
Christian F., Posted September 20, 2012

You're welcome, and good luck.