[extension release] Domain.PunBB (Page 1 of 2)

Do not use this code on a live site. Just in a quick glance at it I can see it opens a site up to the execution of arbitrary PHP files.

Also, just as a general compatibility note, do not use PHP short tags (<?).

And if you're not sure how to use the CSRF prevention system, take a look at how PunBB uses it.

lexazloy: Please don't be rude, I do know what I'm talking about.
Prefixing the path with PUN_ROOT just means you need a relative path to the file, it doesn't mean that you're secure. I can put ../../../etc/passwd in there and, assuming I have a layout like /home/smartys/example.com/index.php, the script would obediently load the content of /etc/passwd. Or a malicious script that I uploaded, embedded within an avatar: that would be something like images/avatars/5573.png

Ok. Update my first post.

Sorry i dont understand what you say. My english very bad.

Need sleep. Two stupid error per day.

Fix now.

Well, no, the problem is that I could really put an arbitrary number of subdirectories in there and try to use it (eg: admin/index.php, extensions/sample_extension/some_file.php, extensions/sample_extension/some_other_file.html, etc). I don't think there's a clean solution to the problem, really, other than defining some allowed extensions (eg: .php, .htm, .html) and only allowing loading if the file ends in those as well (of course, you probably also need to check for null bytes),

Well, I would write it as

if (strpos($_GET['file'], '..') === false && is_file($file = PUN_ROOT.$_GET['file']) && in_array(strrchr($_GET['file'], '.'), array('.php', '.html', '.htm', '.tpl', '.txt', '.xml'))
    include $file;
else
    include PUN_ROOT.'index.php';

and also make sure there's no null byte (I can't remember if it could be abused in this case, but I'm relatively sure it could). It still wouldn't be extremely secure, since if I can upload any of those file types I can execute arbitrary PHP on the server.
A better solution might be to see if mod_rewrite can rewrite the requests to the correct folder and append a variable to the query string like "subdomain=test.example.com" which you could then use in a lookup.

I was thinking more along the lines of redoing the extension so it goes something like this:

I own example.com. I want to run two sites, 1.example.com and 2.example.com.
I have one set of files somewhere (not in either folder). I then put a .htaccess in the folder for each site that redirects the request to the real PunBB folder and appends the subdomain= part to the query string.
In the folder for the extension, I have a configs folder. I check if the basename of the subdomain passed exists, and if it does I use that config file. You could have your extension read in its own files in the admin panel to allow editing them/creating new ones.

Does that make sense?

I wasn't thinking about having admin/options.php save to a different location, but you're right, that probably would be easiest.
And your folder would be no different than PunBB's cache folder. It doesn't have to be 777, PHP just needs permission to write there.

And I like your code, other than the fact that you're again taking arbitrary input from the user ($_GET['domain']) and using it in an include, which is a security flaw.

Thank you.
With $_GET['domain'] just example.

Ok. Tomorrow i make first version. And now go sleep. Thank you for help!