On Thu, Jun 06, 2002 at 02:12:25PM -0700, Tim Riley wrote:
>
>
> Matt Roper wrote:
>
> > With this solution, what keeps people from using something like
> > "../../../etc/shadow" as $arg? You'd probably need to strip out slashes
> > and ..'s to be safe...
> >
> > Matt
> >
>
> Good thinking Matt and Jeff. How about
>
> $file2open = ( substr( $arg[ 1 ], 0, 1 ) == "." )
>     ? ""
>     : $APPLICATION_HOME_DIRECTORY . $arg[ 1 ];
>
> This checks the first character for a dot by using the substring function
> inside the ternary operator. If someone tries to penetrate your system,
> file2open will fail.
That's not enough. What about foo/../../../etc/shadow ?

A real solution, in my mind, is to break up the path using / (or its
HTML-encoded equivalent, %2f) as a divider, to get a list of directories to
traverse. Then, traverse directories one by one down the list, and when you
reach the filename, check to see if you're above $APPLICATION_HOME_DIRECTORY.

Alternately, if you don't have files in multiple directories, just check the
given filename for slashes. If any are found, give an error; else, feed them
the file.

Yet another way (I'm on a roll tonight) is to have a table in your function,
mapping (say)

    1 => "/home/me/cars/mustang.dat"
    2 => "/home/me/cars/camaro.dat"
    ... etc.

Then, just access /path/to/script.php?file=N to get a file displayed, and
look up N in your table, and display the appropriate file or give an error.

> >
> > On Thu, Jun 06, 2002 at 12:20:31PM -0700, Tim Riley wrote:
> > > An easy way around exposing /etc/anything is to do what Apache does with
> > > HTML documents: only reference documents inside a relative directory.
> > >
> > > e.g., $file2open = $APPLICATION_HOME_DIRECTORY . $arg[ 1 ]
> > >

-- 
Samuel Merritt
PGP key is at http://wwwcsif.cs.ucdavis.edu/~merritt/snmerritt.asc
Information about PGP can be found at http://www.mindspring.com/~aegreene/pgp/
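The three defences Samuel sketches above, written out as an added PHP example (this is not code from the thread; the variable name $APPLICATION_HOME_DIRECTORY and the sample table entries follow the thread, the function names and the constructed test inputs are mine). The first function is the component walk generalised: it decodes %2f once, splits on "/", and keeps a stack of directory names, so "." is skipped and ".." pops a name; any ".." that would pop past the base directory is rejected, which covers both "../../../etc/shadow" and the "foo/../../../etc/shadow" case that a leading-dot check misses. The second rejects any slash for a flat directory, and the third is the index-to-path table.

```php
<?php
// Added example, not from the mailing-list thread.

// 1. Component-by-component walk. Decode once so "%2f" becomes "/", split on
//    "/", and maintain a stack of directory names. ".." that would climb above
//    the base is rejected; the returned path always stays under $base.
function safe_path_under(string $base, string $userPath): ?string
{
    $decoded = rawurldecode($userPath);                // "%2f" -> "/"
    $stack = [];
    foreach (explode('/', $decoded) as $part) {
        if ($part === '' || $part === '.') {
            continue;                                  // empty segment or "."
        }
        if ($part === '..') {
            if (empty($stack)) {
                return null;                           // would leave $base
            }
            array_pop($stack);
            continue;
        }
        $stack[] = $part;
    }
    if (empty($stack)) {
        return null;                                   // no filename left
    }
    return rtrim($base, '/') . '/' . implode('/', $stack);
}

// 2. Flat directory: any slash in the (decoded) name is an error.
function safe_flat_name(string $base, string $name): ?string
{
    $decoded = rawurldecode($name);
    if ($decoded === '' || strpbrk($decoded, '/') !== false) {
        return null;
    }
    return rtrim($base, '/') . '/' . $decoded;
}

// 3. Lookup table: the client sends an index, never a path (entries are the
//    sample paths from the thread).
const FILE_TABLE = [
    1 => '/home/me/cars/mustang.dat',
    2 => '/home/me/cars/camaro.dat',
];

function file_by_index(string $n): ?string
{
    if (!ctype_digit($n)) {
        return null;                                   // not a plain integer
    }
    return FILE_TABLE[(int) $n] ?? null;
}

// Constructed inputs: one legitimate name, the two traversal strings from the
// thread, an encoded variant, and a harmless ".." that stays inside the base.
$APPLICATION_HOME_DIRECTORY = '/home/me/cars/';
$tests = [
    'mustang.dat',
    '../../../etc/shadow',
    'foo/../../../etc/shadow',
    'foo%2f..%2f..%2f..%2fetc%2fshadow',
    'models/../camaro.dat',
];
foreach ($tests as $t) {
    printf("%-36s walk=%-32s flat=%s\n", $t,
        safe_path_under($APPLICATION_HOME_DIRECTORY, $t) ?? 'REJECT',
        safe_flat_name($APPLICATION_HOME_DIRECTORY, $t) ?? 'REJECT');
}
foreach (['1', '2', '3', '1/../x'] as $n) {
    printf("file=%-8s -> %s\n", $n, file_by_index($n) ?? 'REJECT');
}
```

The walk is purely lexical: it guarantees the constructed path string lies under the base directory, but it does not follow symlinks, so a symlink placed inside the base directory would still be opened wherever it points. Of the three, the index table is the simplest to reason about because no user-controlled string ever reaches the filesystem.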
