dj-kenpo, posted May 27, 2007

is there any risk of hacks via allowing a simple css file to be uploaded to a site? (please read full question) it'll be run AS css, and not php, HOWEVER, when the file is opened (fopen), and then the string value placed into an edit form, can (not sure the limits of php, hence my question..) the string that's been read from the file execute any php or echo any values? once the contents of file.css are turned into $file_CSS is it JUST $file_CSS, or can it run anything? again, as a .css it's safe (or I believe so) but when it's a string value floating on the page, can it execute anything IF someone wrote say "$User_ID" "$security", etc in the middle of the file? really the question is, can code be executed from within a string variable? Thanks.

https://forums.phpfreaks.com/topic/53128-solved-security-risks-of-users-uploaded-css-files/
dustinnoe, posted May 27, 2007

I've never heard of anyone doing that but I'm not sure if it can be done. Your best bet would be to read the css file line by line against some sort of regex to make sure it conforms to css rules. There are a limited number of characters allowed in css so I think the task would be rather easy and would beef up your security.
per1os, posted May 27, 2007

As long as you do not use www.php.net/exec you should be fine. Or "include" it. Reading it should be fine as it takes it as a string and not literal.
trq, posted May 27, 2007

> really the question is, can code be executed from within a string variable?

Only if you run it through eval.
448191, posted May 27, 2007

> again, as a .css it's safe (or I believe so)

At some point you'll attach it to an XHTML page I presume, in which case it is not safe, opens up opportunities for XSS attacks. Disallowing any HTTP links in the uploaded CSS files would fix that I guess.
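The two points made by trq and 448191 above, as an added PHP example that is not code from anyone in this thread: first, text read from a file with fopen()/fread() stays an inert string, so a "$User_ID" written into the file is never interpolated (only eval() or include would run it); second, before the stylesheet is attached to a page it should be checked, because CSS itself can carry script or pull in external resources. The function name validateCss(), the constructed sample upload, the rejection rules and the use of the mbstring extension (mb_chr) are all assumptions of this example, not anything the thread specifies.

```php
<?php
// Added example (not from the thread). Requires PHP 7.2+ with mbstring.

$User_ID = 'admin';

// Constructed sample upload, written the way a hostile user might submit it.
$sampleCss = <<<'CSS'
/* user theme */
body { color: red; content: "$User_ID"; background: url(http://attacker.invalid/t.png); }
#x  { width: expression(alert(1)); }
@import url("http://attacker.invalid/more.css");
a   { background: url(\6a avascript:alert(1)); }  /* CSS-escaped "javascript:" */
p   { margin: 0; }
CSS;

$path = tempnam(sys_get_temp_dir(), 'css');
file_put_contents($path, $sampleCss);

// Point 1: read exactly as the question describes. The result is a plain
// string; "$User_ID" remains literal text and is not replaced by "admin",
// because variable interpolation only happens in PHP source, never in data
// read at run time. Passing $file_CSS to eval() or include would change that.
$fh = fopen($path, 'r');
$file_CSS = fread($fh, filesize($path));
fclose($fh);
unlink($path);
var_dump(strpos($file_CSS, '$User_ID') !== false);

/**
 * Returns the reasons to reject an uploaded stylesheet; an empty array means
 * it only uses constructs this example chooses to allow.
 */
function validateCss(string $css): array
{
    // Undo CSS escapes first (\6a avascript: -> javascript:); a pattern check
    // on the raw text would otherwise be trivially bypassed.
    $decoded = preg_replace_callback(
        '/\\\\([0-9a-fA-F]{1,6})\s?/',
        function (array $m): string {
            $cp = hexdec($m[1]);
            return ($cp > 0 && $cp <= 0x10FFFF) ? (mb_chr($cp, 'UTF-8') ?: '') : '';
        },
        $css
    );
    $decoded = preg_replace('/\\\\(.)/s', '$1', $decoded);   // \( -> ( and similar
    $decoded = preg_replace('#/\*.*?\*/#s', '', $decoded);   // drop comments

    $rules = [
        '/@import\b/i'         => '@import is not allowed',
        '/expression\s*\(/i'   => 'expression() is not allowed',
        '/\bbehavior\s*:/i'    => 'behavior: is not allowed',
        '/-moz-binding\s*:/i'  => '-moz-binding: is not allowed',
        // url() with any scheme (http:, https:, javascript:, data:, ...) or a
        // protocol-relative //host is refused; only local paths are accepted.
        '/url\s*\(\s*["\']?\s*(?:[a-z][a-z0-9+.\-]*:|\/\/)/i'
                               => 'url() may only reference a local path',
        // If the sheet is ever inlined into a <style> block, "<" could close it.
        '/</'                  => '"<" is not allowed',
    ];

    $problems = [];
    foreach ($rules as $pattern => $reason) {
        if (preg_match($pattern, $decoded)) {
            $problems[] = $reason;
        }
    }
    return $problems;
}

// The sample above trips the @import, expression() and url() rules (the
// escaped javascript: URL is caught because escapes were decoded first).
print_r(validateCss($file_CSS));
// A harmless sheet with a local image path passes with no problems reported.
print_r(validateCss("p { margin: 0; background: url(/img/bg.png); }"));
```

The validation runs on a decoded copy but the original bytes are what you would store, so rejecting is the only safe outcome of a hit; do not try to "clean" the offending rule and keep the rest. The rule list is deliberately a deny-list of known script-carrying constructs plus the "local paths only" restriction 448191 suggests; a stricter design, closer to dustinnoe's suggestion, is to parse the sheet and allow only a whitelist of properties and value shapes.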
dj-kenpo (author), posted May 27, 2007

thanks guys! it's just transitional for now, but yes, in a year or so I want to make the full switch to xhtml, so the xss attacks, which I'm in the dark on will become a problem. thank you for the early alert so I can plan for it. no exec and eval, got it. I'm good then!