JustAsking

Reputation: 149

PHP: Does this whitelist on file_get_contents() prevent injection attacks?

If I have 2 sites:

I want the user to supply a filename ($file) to get any file in the images directory of myStorageSite.com. (the user knows the filenames).

Does this "whitelist" code let the user get any file from the images directory but prevent them from getting any other files on either myStorageSite or mainSite?

<?php

function dataURL($file, $mime){
  // fixed prefix: the images directory on the storage host
  $white = 'http://myStorageSite.com/images/';
  // user-supplied filename is appended to the prefix and fetched over HTTP
  $contents = file_get_contents($white . $file);
  $base64   = base64_encode($contents); 
  // caller-supplied MIME type becomes part of the data URL
  return ('data:' . $mime . ';base64,' . $base64);
}

?>

Suggestions are welcome!

Upvotes: 1

Views: 1073

Answers (2)

Kirk Backus

Reputation: 4876

Simply put: Not exactly.

It will prevent people from accessing your data on mainSite.com, but it will not restrict people to the images folder. Someone could do this:

$file = '../whatever_folder_on_mystorage_site';

All you are doing is prepending the URL to access with file_get_contents.

Since you are retrieving images, you can actually whitelist certain extensions. Only allow the user to access certain extensions like .jpg, .png, and the like...

Upvotes: 1

John V.

Reputation: 4670

This isn't whitelisting. Whitelisting is comparing $file to a "list" of allowed filenames. And to answer your question, no, what you're doing allows them to get any file available on the storage server, try passing "../" as $file for example.

Whitelisting, if properly implemented, would do what you want though.

Upvotes: 1
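The following is an added example, not code from the question or from either answer. It puts the two suggestions above side by side: a fixed list of allowed filenames (John V.'s sense of whitelisting) and a strict filename pattern with an extension allowlist (Kirk Backus's suggestion), and runs both against constructed inputs to show what the original prefix-concatenation lets through. Because the prefix already contains a path, $file cannot change the host, but it can still change the path on the storage server (traversal, a query string, a fragment, a line break). The storage host, the filenames and the MIME table are assumptions.

```php
<?php
// Added example (not from the original post or answers). Host, filenames
// and MIME mapping below are assumed for illustration.

// The original approach: $file is concatenated onto the prefix unchecked.
// Most web servers resolve "../" segments, so "../x" leaves images/.
function unsafeUrl(string $file): string
{
    return 'http://myStorageSite.com/images/' . $file;
}

// Whitelist in John V.'s sense: $file must be one of a fixed set of names.
// The MIME type comes from this table, not from the caller.
const ALLOWED_FILES = [
    'logo.png'   => 'image/png',
    'banner.jpg' => 'image/jpeg',
];

// Whitelist in Kirk Backus's sense: a single path segment with an allowed
// extension. The character class forbids "/", "\", ".", "?", "#", "%" and
// whitespace in the stem, and \A...\z (not ^...$) rejects a trailing newline.
function isAllowedImageName(string $file): bool
{
    return (bool) preg_match('/\A[A-Za-z0-9_-]+\.(?:jpe?g|png|gif)\z/', $file);
}

// Hardened dataURL(): both checks must pass before anything is fetched.
function dataURL(string $file): ?string
{
    if (!isAllowedImageName($file) || !array_key_exists($file, ALLOWED_FILES)) {
        return null; // rejected; no request is sent to the storage host
    }
    $contents = @file_get_contents(unsafeUrl($file)); // assumed storage host
    if ($contents === false) {
        return null;
    }
    return 'data:' . ALLOWED_FILES[$file] . ';base64,' . base64_encode($contents);
}

// Constructed probes. The checks run offline; only a successful dataURL()
// call would actually contact the storage server.
$probes = [
    'logo.png',                   // legitimate, on the list
    '../index.php',               // traversal out of images/
    '../../.htaccess',            // deeper traversal
    'logo.png?x=1',               // query string smuggled into the URL
    'logo.png#frag',              // fragment
    "logo.png\n",                 // trailing newline ($ would accept this)
    "logo.png\r\nX-Injected: 1",  // CRLF in the path
    'unknown.png',                // right extension, not on the list
];

foreach ($probes as $p) {
    $pattern = isAllowedImageName($p) ? 'yes' : 'no';
    $listed  = array_key_exists($p, ALLOWED_FILES) ? 'yes' : 'no';
    printf("%-32s url=%-48s pattern=%-3s listed=%s\n",
        json_encode($p), json_encode(unsafeUrl($p)), $pattern, $listed);
}
```

Only the first probe passes both checks; every other line shows a URL the original code would have fetched as-is. Taking the MIME type from the allowlist rather than from a parameter is a deliberate choice here: whatever string is placed after `data:` decides how the browser interprets the base64 payload, so it should not be something the caller can vary independently of the file.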
