ansaurus

Question

Answer 1

+3 A:

Use basename rather than trying to anticipate all the insecure paths a user could provide.

philfreo 2009-12-16 00:06:24

this may work in some situations, however I'm expecting input to include directories as well, ex: '/js/jquery/jquery.js'

SeanDowney 2009-12-16 00:28:18

Answer 2

+5 A:

realpath() will let you convert any path that may contain relative information into an absolute path...you can then ensure that path is under a certain subdirectory that you want to allow downloads from.

Bert Lamb 2009-12-16 00:11:21

This was my final solution:$baseDir = "/home/gsmcms/public_html/central/app/webroot/";$path = realpath($baseDir . $_GET['file']);// if baseDir isn't at the front 0==strpos, most likely hacking attemptif(strpos($path, $baseDir)) { die('Invalid Path');} elseif(file_exists($path)) { echo file_get_contents($path);} else { header('HTTP/1.1 404 Not Found'); echo "The requested file could not be found";}

SeanDowney 2009-12-16 00:36:25

Answer 3

+3 A:

If you can, use a whitelist like an array of allowed files and check the input against that: if the file asked by the user isn't present in that list, deny the request.

kemp 2009-12-16 00:14:25

This would be the best idea, but probably more work than I want to do :)

SeanDowney 2009-12-16 00:35:38

Unless you want to leak the source of all your files under your webroot, you probably do want to do this.

Cheekysoft 2009-12-16 13:30:07

Answer 4

+1 A:

There is an additional and significant security risk here. This script will inject the source of a file into the output stream without any server-side processing. This means that all your source code of any accessible files will be leaked to the internet.

Cheekysoft 2009-12-16 13:31:08

good point, I'll add a whitelist of allowed extensions such as: js, css, jpg, gif...

SeanDowney 2009-12-21 19:47:58

ansaurus

tags:

views:

answers:

Sanitize file path in PHP

related questions