understanding buffer overflow

j-marvin <cu******@service.boy> wrote:

i went through the process of how a buffer overflow would work in my
mind. i noticed you can limit the size of post data and its limit
value is displayed on the phpinfo page 8mb. so my question is will
the post ever be so big that it causes the abyss webserver to have a
buffer overflow?
No program is free from errors, so there is a chance there are
exploitable bufferoverflows in the php/abyss combo. I'm no expert on
overflows, but the size is not the problem. A(ny) maximum is the
problem.
if not, why would you check for length of php input data?
Memory allocation, everything that is posted is mapped to $_POST (or
$_FILES) so it consumes memory, you probably want to limit memory usage
per script execution, limiting post will make sure you have some amount
of memory guaranteed to be available to your script (max. mem- max post).
i am trying to review my code for security issues. i found some good
articles. i learned to htmlentities($mydata) before displaying it

You do escape the quotes here, don't you?

--

Daniel Tryba

Daniel Tryba <ne****************@canopus.nl> wrote in news:ci8u50$aqf$2
@news.tue.nl:

j-marvin <cu******@service.boy> wrote:

i went through the process of how a buffer overflow would work in my
mind. i noticed you can limit the size of post data and its limit
value is displayed on the phpinfo page 8mb. so my question is will
the post ever be so big that it causes the abyss webserver to have a
buffer overflow?
No program is free from errors, so there is a chance there are
exploitable bufferoverflows in the php/abyss combo. I'm no expert on
overflows, but the size is not the problem. A(ny) maximum is the
problem.

if not, why would you check for length of php input data?

Memory allocation, everything that is posted is mapped to $_POST (or
$_FILES) so it consumes memory, you probably want to limit memory

usage per script execution, limiting post will make sure you have some amount of memory guaranteed to be available to your script (max. mem- max post).

i am trying to review my code for security issues. i found some good
articles. i learned to htmlentities($mydata) before displaying it

You do escape the quotes here, don't you?

hi daniel-

so post memory must be like a session variable in that it persists until
the browser closes. that is why i should limit it per script execution
i guess.
when i say this i mean variable post_max_size. each script execution
adds more memory allocated to post.

on the escaping quotes you mean i should escape double quotes...right?
$new = htmlspecialchars("<a href="test">Test</a>", ENT_QUOTES);
# this will produce a syntax error
# Parse error: parse error, unexpected T_STRING in C:\Program FilesAbyss
# Web Server\myfiles\phpinfo.php on line 5
i had only tested it with single quotes (of course).
thanks,
jim

j-marvin <cu******@service.boy> wrote:

so post memory must be like a session variable in that it persists until
the browser closes.
No, it's per http request.
that is why i should limit it per script execution i guess. when i
say this i mean variable post_max_size. each script execution adds
more memory allocated to post.
Let's say, every single request for a php script has a memory limit of
4Mb and a max post size of 3Mb. You not can only allocate another 1Mb in
your script. You might want to make sure you can allocate x Mb but no
more than y Mb... memorylimit would thus be y Mb and maxpost y-x Mb. The
total number of parallel request would only be limited by total memory/y
(neglecting overhead of the httpserver and other processes :).
on the escaping quotes you mean i should escape double quotes...right?
$new = htmlspecialchars("<a href="test">Test</a>", ENT_QUOTES);
# this will produce a syntax error
# Parse error: parse error, unexpected T_STRING in C:\Program FilesAbyss
# Web Server\myfiles\phpinfo.php on line 5
i had only tested it with single quotes (of course).

ENT_QUOTES is what I was hoping for... The syntax error is because:
"foo"bar"foo"
is just plain wrong:
"foo\"bar\"foo"
or
'foo"bar"foo'
or see the manual for heredoc notation.

--

Daniel Tryba

Daniel Tryba <ne****************@canopus.nl> wrote in
news:ci**********@news.tue.nl:

j-marvin <cu******@service.boy> wrote:

so post memory must be like a session variable in that it persists
until the browser closes.

No, it's per http request.

that is why i should limit it per script execution i guess. when i
say this i mean variable post_max_size. each script execution adds
more memory allocated to post.

Let's say, every single request for a php script has a memory limit of
4Mb and a max post size of 3Mb. You not can only allocate another 1Mb
in your script. You might want to make sure you can allocate x Mb but
no more than y Mb... memorylimit would thus be y Mb and maxpost y-x
Mb. The total number of parallel request would only be limited by
total memory/y (neglecting overhead of the httpserver and other
processes :).

on the escaping quotes you mean i should escape double
quotes...right? $new = htmlspecialchars("<a href="test">Test</a>",
ENT_QUOTES); # this will produce a syntax error
# Parse error: parse error, unexpected T_STRING in C:\Program
FilesAbyss # Web Server\myfiles\phpinfo.php on line 5
i had only tested it with single quotes (of course).

ENT_QUOTES is what I was hoping for... The syntax error is because:
"foo"bar"foo"
is just plain wrong:
"foo\"bar\"foo"
or
'foo"bar"foo'
or see the manual for heredoc notation.

i played with the second parameter for htmlentities and i get the same
thing in the url every time. i understand if dont escape double quotes
with a \ i can
get a syntax error.

htmlentities($variable,ENT_QUOTES)
htmlentities($variable,ENT_COMPAT)
htmlentities($variable,ENT_NOQUOTES)

are all the same to me at the moment.
i just dont see how they make a difference.
if someone could post the simplest code they new to explain it that
would be cool. if i had to try and explain it i'd say that
in the url the special characters are all turning to a code like
"confused" looks like http://127.0.0.1:8125/tired.php?tired=%27confused%
27&submit=

and this happens no matter what i use for the second parameter.

thanks daniel.

i need to get some sleep.
i stayed up too late. work ought to be interesting on this little
sleep.

later,
jim

never mind.

i will search google for htmlentities or related functions and
see what people are using for code. i looked at the manual
and so far it hasnt helped yet.

i have lots of time to complete this project anyways.

thanks for helping,
jim