User-provided data such as URL parameters, POST data payloads or cookies should always be considered untrusted and tainted. Constructing include
statements based on data supplied by the user could enable an attacker to control which files are included. If the attacker has the ability to upload
files to the system, then arbitrary code could be executed. This could enable a wide range of serious attacks like accessing/modifying sensitive
information or gain full system access.
The mitigation strategy should be based on whitelisting of allowed values or casting to safe types.
Noncompliant Code Example
$filename = $_GET["filename"];
include $filename . ".php";
Compliant Solution
$filename = $_GET["filename"];
if (in_array($filename, $whitelist)) {
include $filename . ".php";
}
See
