Reputation: 462
I'm currently taking HTTP_RAW_POST_DATA and saving it to an image file. Are there any exploitable security issues that I need to be aware of?
Upvotes: 1
Views: 221
Reputation: 490453
Yes, if my POST body looks like...
<?php
rmdir(__DIR__ . '/../');
...and I can access the file via a URL (only if your image extension is set to run PHP, not likely but possible), or you run it (accidentally include it, for example), you will be in trouble.
If you wanted to be safe, store the file above the document root and use an image processing library such as GD to write the image from string and save that output. If it's a malicious file, you should only end up with a garbage outputted image.
Upvotes: 1
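The mitigation the answer above describes (re-encode through GD, keep the result outside the document root) is shown below as an added example; it is not code from the original answer or from any project. The upload directory /var/www/uploads_private, the 5 MB size cap and the function names are assumptions chosen for illustration. The unsafe function is included only for contrast and is never called.

```php
<?php
// Added example, not from the original answer. Hardened handling of a raw
// image POST body: decode with GD, write a freshly encoded PNG under a
// server-chosen name, and keep it outside the document root.
//
// Assumptions (not from the page): /var/www/uploads_private exists, is
// writable by the PHP process and is NOT served by the web server.

declare(strict_types=1);

const UPLOAD_DIR = '/var/www/uploads_private'; // assumed path, not web-accessible
const MAX_BYTES  = 5 * 1024 * 1024;            // assumed size cap

// The pattern the question describes: the raw body is written byte-for-byte.
// If the body is "<?php rmdir(__DIR__ . '/../');" and the file later gets
// executed as PHP (served with a PHP handler, or include()d), the payload runs.
function saveRawUnsafe(string $body, string $dest): void
{
    file_put_contents($dest, $body);
}

// Hardened variant: anything GD cannot decode is rejected, and what GD
// re-encodes is pixel data only, so text hidden in headers or metadata
// of an otherwise valid image does not survive into the stored file.
function saveReencoded(string $body): string
{
    $len = strlen($body);
    if ($len === 0 || $len > MAX_BYTES) {
        throw new InvalidArgumentException('body size out of range');
    }

    // imagecreatefromstring() emits a warning on garbage input; silence it
    // and rely on the false return value instead.
    $img = @imagecreatefromstring($body);
    if ($img === false) {
        throw new InvalidArgumentException('body is not a decodable image');
    }

    // The client controls neither the file name nor the extension.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.png';

    $ok = imagepng($img, $dest);
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('could not write re-encoded image');
    }
    return $dest;
}

// Read the raw body portably: $HTTP_RAW_POST_DATA is deprecated since
// PHP 5.6 and gone in PHP 7, while php://input works everywhere.
$body = file_get_contents('php://input');

try {
    $stored = saveReencoded($body);
    header('Content-Type: text/plain');
    echo "stored\n";
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    header('Content-Type: text/plain');
    echo 'rejected: ' . $e->getMessage() . "\n";
}
```

Two properties matter more than the re-encoding itself: the stored file is never reachable by URL (it lives outside the document root), and its name and extension come from the server, so nothing the client sends can steer it to a path that a PHP handler would execute. The GD pass is an additional layer that turns non-image bodies into a 400 rather than a file on disk.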
Reputation: 43178
The security implications are the same as with any other file upload mechanism. You might have semantic implications, as the POST body might not be raw data, e.g. if it is quoted-printable encoded or compressed.
Upvotes: 2