Protect a dangerous static method in PHP

Riccardo Zorn
myClass.php
    public function clearCache() {
        // validate input and determine the appropriate cache folder;
        ...
        helper::removeFolder($folder);
    }

helper.php
    static function removeFolder($folder) {
        ...
    }

The first method does all the input validation to ensure we're not removing the wrong folder.

I would like to protect the second method from php object injection and unauthorised use.

Right now I'm checking the calling class names, using the approach from this question: How to get the name of the calling class (in PHP)

I am especially concerned with attackers exploiting such a method to wipe sensitive data or the whole website. Is this overkill, or is there a better approach?

Any ideas? Of course I am only concerned with remote attacks, if the attacker could place a file on my server and execute it, then they could wipe the disk themselves.

I am using Joomla; if the framework provides such features, please mention it.

Charlie

If you want to prevent others from easily accessing a sensitive class function, first option is to just make the method private so it can only be called internal to your class, where you can control how it is called. That's more helpful for your own benefit in controlling how the function is used than as a security measure; if someone can run their own PHP script which calls your class, the site is already compromised.

If you have a removeFolder() call that is being used to clear Joomla cache, first suggestion is that Joomla has internal cache management functions, see JFactory::getCache("component") and $cache->clean(), which are better suited to managing a Joomla cached object. If you manage your own storage, you could sanitize the function so it will only work relative to the root of your cache if you want to make it safer - probably the biggest beneficiary would be protection from your own incorrect use of the call.
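One way to do the sanitizing suggested above, as an added example that is not code from the question or the answer: the helper resolves the requested folder and refuses anything that does not sit strictly below the cache root, so the protection lives in the argument check rather than in who the caller is. The cache root path is an assumed placeholder.

```php
<?php
// Added example, not code from the question or the answer: confine folder removal
// to a cache root so that a mis-validated or injected argument cannot reach
// anything else on disk. The cache root path is an assumed placeholder.
final class CacheHelper
{
    // Assumed location; a Joomla site would normally derive this from JPATH_CACHE.
    private const CACHE_ROOT = '/var/www/site/cache';

    // Weak version: trusts whatever path it is handed, so "../" or an absolute
    // path to another directory is removed as readily as a cache folder.
    public static function removeFolderUnsafe(string $folder): void
    {
        $items = new RecursiveIteratorIterator(
            new RecursiveDirectoryIterator($folder, FilesystemIterator::SKIP_DOTS),
            RecursiveIteratorIterator::CHILD_FIRST
        );
        foreach ($items as $item) {
            // Symlinks are unlinked, never descended into or rmdir'ed.
            if ($item->isLink() || !$item->isDir()) {
                unlink($item->getPathname());
            } else {
                rmdir($item->getPathname());
            }
        }
        rmdir($folder);
    }

    // Hardened version: resolve the target and require it to sit strictly below
    // the cache root before anything is touched.
    public static function removeFolder(string $folder): void
    {
        $root   = realpath(self::CACHE_ROOT);
        $target = realpath($folder);
        if ($root === false || $target === false || !is_dir($target)) {
            throw new InvalidArgumentException('Cache root or target folder does not exist');
        }
        // Comparing with the trailing separator rejects the root itself and
        // sibling directories that merely share its prefix (e.g. ".../cache2").
        if (strpos($target, $root . DIRECTORY_SEPARATOR) !== 0) {
            throw new InvalidArgumentException('Refusing to remove a folder outside the cache root');
        }
        self::removeFolderUnsafe($target);
    }
}
```

Because realpath() resolves symlinks before the prefix comparison, a link inside the cache that points elsewhere on disk is rejected rather than followed.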
