I'm trying to find a secure way to do the following:
- User enters a value into an HTML form.
- Form is submitted.
- PHP uses the submitted value as the argument for the "scandir" function.
My theory is to include logic in the PHP script that forbids absolute paths and requires the directory name to include a certain value.
My concern is that a hacker could use my form to submit his own value and access sensitive files.
This is for a jQuery plugin. I don't want users to have to modify the PHP file.
How could the below code be hacked?
```php
<?php
$foo = $_POST["some_directory"];

//validate $foo

//make sure path to directory is relative
$foo_url_test = parse_url($foo);
if (isset($foo_url_test['scheme']) || isset($foo_url_test['host'])) {
    $foo = NULL;
}

//make sure the directory name contains 'bar123'
$foo_name_test = preg_split('_[\\\\/]_', $foo);
$foo_name_test = end($foo_name_test);
$foo_name_test = strpos($foo_name_test,'bar123');
if ($foo_name_test === false) {
    $foo = NULL;
}

//make sure the path does not contain '..'
$foo_dot_dot_test = strpos($foo,'..');
if ($foo_dot_dot_test == TRUE || $foo_dot_dot_test === 0) {
    $foo = NULL;
}

//get files
$files_array = scandir($foo);
?>
```
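
One way to do the validation described in the question, as an added example that is not the poster's code: resolve the submitted value against a fixed base directory with `realpath()` and check the canonical result instead of testing the raw string. `BASE_DIR`, its `galleries` folder and the function name `list_user_directory` are assumptions made for illustration.

```php
<?php
// Added example, not the poster's code. BASE_DIR and the function name are
// hypothetical; 'bar123' is the required token from the question.
const BASE_DIR = __DIR__ . '/galleries';
const REQUIRED_TOKEN = 'bar123';

/**
 * Return the entries of a user-chosen directory, or null when the request
 * does not resolve to an allowed directory inside BASE_DIR.
 */
function list_user_directory($input): ?array
{
    // Reject non-strings (some_directory[]=x arrives as an array), empty
    // values and NUL bytes before touching the filesystem.
    if (!is_string($input) || $input === '' || strpos($input, "\0") !== false) {
        return null;
    }

    $base = realpath(BASE_DIR);
    if ($base === false) {
        return null; // base directory missing or unreadable
    }

    // Always resolve relative to the base. realpath() collapses "..",
    // follows symlinks and returns false when the path does not exist.
    $resolved = realpath($base . DIRECTORY_SEPARATOR . $input);
    if ($resolved === false || !is_dir($resolved)) {
        return null;
    }

    // Containment check on the canonical path. The trailing separator keeps
    // a sibling such as "galleries-private" from matching "galleries".
    if (strpos($resolved, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }

    // Apply the name rule to the resolved directory, not to the raw input.
    if (strpos(basename($resolved), REQUIRED_TOKEN) === false) {
        return null;
    }

    $entries = scandir($resolved);
    if ($entries === false) {
        return null;
    }
    return array_values(array_diff($entries, ['.', '..']));
}

// A null result means the request was rejected; scandir() is never reached.
$files_array = list_user_directory($_POST['some_directory'] ?? null);
```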