Closed tdondich closed 8 years ago
The fix is relatively easy. In your Request.php file in customer(), you have:
```php
public function customer($id, $email, $attributes)
{
    $body = array_merge(array('email' => $email), $attributes);
    // ...
```
Modify to add a new line:
```php
public function customer($id, $email, $attributes)
{
    $body = array_merge(array('email' => $email), $attributes);
    $body = http_build_query($body); // encode to a string before handing it to Guzzle
    // ...
```
This will instruct guzzle to interpret the attributes as a body string and not attempt to do any parsing of the values.
I've created a pull request at https://github.com/UserScape/php-customerio/pull/17 which rectifies this as well as other locations.
If an attribute value begins with a '@' character, guzzle will interpret this as a request to load a file, per http://guzzle3.readthedocs.org/http-client/request.html.
It doesn't appear that you are sanitizing the input, and this can lead to the ability to read any files on the filesystem that PHP has access to.
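As an added illustration (not code from the php-customerio project or from the reporter), the helper below builds the body the way the proposed fix does and shows that an attribute value beginning with '@' reaches the wire as literal, percent-encoded text; `buildCustomerBody` and the sample attribute are constructed for this example.

```php
<?php
// Hardened body construction: encode the fields into a query string ourselves so
// Guzzle 3 receives a plain string body and never applies its '@file' upload
// convention to array values (which is what the original array body triggered).
function buildCustomerBody($email, array $attributes)
{
    $body = array_merge(array('email' => $email), $attributes);
    // http_build_query() percent-encodes every key and value; '@' becomes '%40'.
    return http_build_query($body);
}

// Constructed input: a perfectly legitimate attribute that happens to start with '@'.
// With an array body this would have been mistaken for a file reference.
$body = buildCustomerBody('user@example.com', array('twitter' => '@alice'));

echo $body, "\n";
// email=user%40example.com&twitter=%40alice

// Regression check: no raw '@' survives, so there is nothing for Guzzle to treat as a path.
assert(strpos($body, '@') === false);
assert($body === 'email=user%40example.com&twitter=%40alice');
```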