The url would be something like this:

www.example.com/index.php?file=myFile.ext

The filtering would only allow letters and numbers in the file name, and only one dot.

The filtering would not pass characters from the input to the file functions. Instead, for every allowed character it matches in an internal array, it copies the character from the internal array, and not the character from the input.

Ex:

    if (isset($myArray[$inputChar])) {
        $fileName .= $myArray[$inputChar];
    }

This is especially to protect against weird encoding bugs, PHP bugs, etc.

The full example is below (I used array_search() instead of isset()):

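    // Reject a missing or non-string parameter (e.g. ?file[]=x arrives as an array)
    if (!isset($_GET["file"]) || !is_string($_GET["file"])) {
        die(__FILE__ . __LINE__);
    }

    // Split the input into an array of characters
    $inputCharacters = str_split($_GET["file"]);

    // Splits into an array like this: [0] => '1', [1] => '2', etc.
    $allowedCharacters = str_split('1234567890abcdefghijklmnopqrstuvwxyz.ABCDEFGHIJKLMNOPQRSTUVWXYZ');

    $file = '';
    $dots = 0;

    foreach ($inputCharacters as $char) {
        // Strict comparison, so only an identical one-character string matches
        $indexKey = array_search($char, $allowedCharacters, true);
        if ($indexKey === false) {
            die(__FILE__ . __LINE__); // disallowed character
        } else {
            if ($allowedCharacters[$indexKey] === '.') {
                $dots++;
                if ($dots > 1) {
                    die(__FILE__ . __LINE__); // only one dot allowed
                }
            }
            // Copy the character from the internal array, not from the input
            $file .= $allowedCharacters[$indexKey];
        }
    }
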
A: 

You should also check that the file exists and is the correct path.

Crayon Violent
+1  A: 

Some other things you might want to watch out for:

- Opening hidden files. You might not want to open your .svn or .hg files (source control files).
- URLs are case insensitive but they're case sensitive on the file system, so somehow accommodate for that?
- Certain file names might have special meaning to the operating system? Such as the user providing a string that can be automatically decoded into something else on the filesystem?
- Are you looking out for character encoding bugs? The user might supply the text in a specific encoding, which could be interpreted differently by the operating system's character encoding scheme.
- Does the file exist?
- Does it have some weird flag on it (Read-Only, Write-Only)?
- Is the file readable by the web server's user account? I've run into issues with UNIX-based systems where files are not readable by the www_root account that Apache runs as.

I don't know how many of these are likely, just some things I've run across trying to solve similar problems.

chustar
E.g., if on Windows, you must not allow device filenames NUL, COM1, etc.
Heath Hunnicutt
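
The checks raised in the question, answers and comment above (character whitelist with a single dot, hidden files, Windows device names, existence, correct path, readability), combined in one PHP function as an added example. It is not code from any of the posters; `resolveRequestedFile()` and the temporary demo directory are hypothetical names, and the sample inputs are constructed.

```php
<?php
// Added example: resolveRequestedFile() is a hypothetical helper, not from the posts.
function resolveRequestedFile($input, string $baseDir): ?string
{
    // ?file[]=x arrives as an array; only a plain string is acceptable.
    if (!is_string($input)) {
        return null;
    }
    // Letters and digits with at most one dot, which may not lead (.svn, .hg)
    // or trail. \A and \z anchor the whole string; a bare $ would let a
    // trailing newline through.
    if (preg_match('/\A[A-Za-z0-9]+(?:\.[A-Za-z0-9]+)?\z/', $input) !== 1) {
        return null;
    }
    // Windows treats device names as reserved with or without an extension.
    $stem = strtoupper(explode('.', $input)[0]);
    if (preg_match('/\A(?:CON|PRN|AUX|NUL|COM[0-9]|LPT[0-9])\z/', $stem) === 1) {
        return null;
    }
    // realpath() resolves symlinks and returns false if the target is missing.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $input);
    if ($base === false || $path === false) {
        return null;
    }
    // A symlink inside the directory could still point elsewhere, so the
    // resolved file must sit directly in the resolved base directory.
    if (dirname($path) !== $base) {
        return null;
    }
    // Regular file that the web server account can actually read.
    if (!is_file($path) || !is_readable($path)) {
        return null;
    }
    return $path;
}

// Constructed demo: a temporary directory holding one servable file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'report.txt', 'hello');
$samples = ['report.txt', 'missing.txt', '.svn', 'NUL.txt', 'a.b.c', '../etc', ['x']];
foreach ($samples as $candidate) {
    $result = resolveRequestedFile($candidate, $dir);
    $label = json_encode($candidate, JSON_UNESCAPED_SLASHES);
    printf("%-14s => %s\n", $label, $result === null ? 'rejected' : 'accepted');
}
unlink($dir . DIRECTORY_SEPARATOR . 'report.txt');
rmdir($dir);
```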