From 9eca6f32cbae9184b741acb16fb1dec1301cbbb7 Mon Sep 17 00:00:00 2001
From: Mikhail Fedosov
Date: Fri, 10 May 2024 17:26:33 +0300
Subject: [PATCH] file include vulnerabily a better teaching example
---
 vulnerabilities/fi/source/impossible.php | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/vulnerabilities/fi/source/impossible.php b/vulnerabilities/fi/source/impossible.php
index 2d62dd5a5..d15637abd 100644
--- a/vulnerabilities/fi/source/impossible.php
+++ b/vulnerabilities/fi/source/impossible.php
@@ -4,10 +4,17 @@
 $file = $_GET[ 'page' ];
 // Only allow include.php or file{1..3}.php
-if( $file != "include.php" && $file != "file1.php" && $file != "file2.php" && $file != "file3.php" ) {
- // This isn't the page we want!
- echo "ERROR: File not found!";
- exit;
+$configFileNames = [
+ 'include.php',
+ 'file1.php',
+ 'file2.php',
+ 'file3.php',
+];
+
+if( !in_array($file, $configFileNames) ) {
+ // This isn't the page we want!
+ echo "ERROR: File not found!";
+ exit;
 }
 ?>
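Review bot: The new allow-list check `in_array($file, $configFileNames)` omits the third argument, so it still compares loosely, just as the `!=` chain it replaces did. Because this is the reference ("impossible") level, the check should be type-strict: `if( !in_array($file, $configFileNames, true) ) {`. With that flag a non-string `$_GET['page']` (for example an array sent as `page[]=`) is rejected by type and not by PHP's juggling rules. None of the four names is numeric, so loose mode probably opens no bypass here, but readers will copy the pattern to lists where it does matter. A short comment above the array, such as `// Allow-list: the request value must match one of these names exactly`, would state the intent.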