Portage PHP Browser

Message

Riklaunim · Post by **Riklaunim** » Tue Jan 04, 2005 7:50 pm

I've made a simple PHP script that browses portage - files which usualy can be found in /usr/portage/

- Download: HERE
It can:
- Brows through portage structure

- When you roll over a folder in a /portage/subdir/ a tooltip will show up with description and URL from the ebuild file

- All files in /portage/subdir/package/ can be displayed via highlight_string

Installation
- Unpack the script and send it to the server. The tooltip version (index.php) isn't PHP5 compatible. If you don't want the tooltip copy index_simple.php as index.php.
- Download a portage snapshot and extract it to the script folder, so you get:
./index.php
./portage/portage files
- Open index.php in the browser

Comments, suggestions?

Crisis · Post by **Crisis** » Tue Jan 04, 2005 9:06 pm

I assume this is meant to be ran locally, not accessible outside? Because there are a lot of security issues, but maybe it doesn't matter if it is ran locally.

But that begs the question, if you have local access, why do you need this?

I would be weary about putting this code as is on a publically available web server.

Riklaunim · Post by **Riklaunim** » Wed Jan 05, 2005 7:04 am

Portage files doesnt have any executable www etc. code... + application files are displayed via highlight_string... You can put it on a normal server and nothing will happen.

Crisis · Post by **Crisis** » Wed Jan 05, 2005 1:51 pm

What if someone passes in unexpected information to some of those variables?

You aren't even checking the input on some of those paths, what happens if they pass in something like portage/../../etc/passwd ?

Riklaunim · Post by **Riklaunim** » Wed Jan 05, 2005 4:47 pm

then waths this:

Code: Select all

// portage browser hardened
function kill($x)
	{
	$x = str_replace('../', '', $x);
	$x = str_replace('./', '', $x);
	return $x;
	}
$_GET = array_map("strip_tags", $_GET);
$_GET = array_map("kill", $_GET);
// checking finished