'Content-Disposition: at...lashes($filename) . '"' can contain request data and is used in response header context(s) leading to a potential security vulnerability.
1 path for user data to reach this point
Read from $_GET, and $_GET['file'] is escaped by basename() for file context(s), and $filename is assigned
in
download.php on line 15
$filename is escaped by addslashes() for sql, xpath context(s)
in
download.php on line 26
Response Splitting Attacks
Allowing an attacker to set a response header, opens your application to
response splitting attacks; effectively
allowing an attacker to send any response, he would like.
General Strategies to prevent injection
In general, it is advisable to prevent any user-data to reach this point. This can be done by
white-listing certain values:
if ( ! in_array($value, array('this-is-allowed', 'and-this-too'), true)) {
throw new \InvalidArgumentException('This input is not allowed.');
}
For numeric data, we recommend to explicitly cast the data:
UB-Mannheim /
PalMA
Stefan Weil
'Content-Disposition: at...lashes($filename) . '"'can contain request data and is used in response header context(s) leading to a potential security vulnerability.1 path for user data to reach this point
$_GET,and$_GET['file']is escaped by basename() for file context(s), and$filenameis assignedin download.php on line 15
$filenameis escaped by addslashes() for sql, xpath context(s)in download.php on line 26
Response Splitting Attacks
Allowing an attacker to set a response header, opens your application to response splitting attacks; effectively allowing an attacker to send any response, he would like.
General Strategies to prevent injection
In general, it is advisable to prevent any user-data to reach this point. This can be done by white-listing certain values:
if ( ! in_array($value, array('this-is-allowed', 'and-this-too'), true)) { throw new \InvalidArgumentException('This input is not allowed.'); }For numeric data, we recommend to explicitly cast the data: