JuanSedano

Reputation: 1025

PHP - Path Manipulation / Input Validation

I ran a Gray Box Assessment test for an application I developed and I have some vulnerabilities, specifically a Path Manipulation in the Input Validation category.

I have in my code:

if (move_uploaded_file($_FILES["file"]["tmp_name"],"contacts_load/" . $fileName)) {
    if ($import = fopen ("contacts_load/" . $fileName,"r")) {

and:

unlink("contacts_load/" . $fileName);

The problem is in contacts_load/.

Below you are going to find some information about this:

Description: Allowing user input to control paths used in filesystem operations could enable an attacker to access or modify otherwise protected system resources.

Specific Scenario:

Path manipulation errors occur when the following two conditions are met:

  1. An attacker can specify a path used in an operation on the filesystem.

  2. By specifying the resource, the attacker gains a capability that would not otherwise be permitted.

For example, the program may give the attacker the ability to overwrite the specified file or run with a configuration controlled by the attacker.

How can I prevent the path manipulation for this specific scenario?

Upvotes: 2

Views: 3391

Answers (2)

britter

Reputation: 137

.htaccess file?

# Protect files and directories from prying eyes.
<FilesMatch "\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig\.save)$">
  Order allow,deny
</FilesMatch>

# Don't show directory listings for URLs which map to a directory.
Options -Indexes

Upvotes: 1

Mooseman

Reputation: 18891

There is no problem with contacts_load/. The user cannot modify it.

I do recommend you sanitize $_FILES["file"]["name"] though. This answer should be helpful.

Upvotes: 1
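As an added example, not part of the question or either answer, this is one way to do the sanitization Mooseman recommends in PHP so that nothing the client controls reaches the filesystem path: the client name is only used to check the extension, and the file is stored under a server-generated name. UPLOAD_DIR, ALLOWED_EXTENSIONS and uploadTargetPath are names chosen for this example.

```php
<?php
// Added example, not code from the question or either answer. The only
// part of $_FILES["file"]["name"] that is used is its extension; the
// stored filename is generated server-side. UPLOAD_DIR, ALLOWED_EXTENSIONS
// and uploadTargetPath are this example's own names.

const UPLOAD_DIR = __DIR__ . '/contacts_load';   // directory used in the question
const ALLOWED_EXTENSIONS = ['csv', 'txt'];       // what the contact import reads

/**
 * Build the path an upload will be stored at, or return null if the
 * upload must be rejected. $clientName is untrusted input.
 */
function uploadTargetPath(string $clientName): ?string
{
    // basename() strips any directory part ("../../x.csv" -> "x.csv"),
    // so traversal sequences never reach the path built below.
    $ext = strtolower(pathinfo(basename($clientName), PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;
    }

    // The stored name is generated here, so nothing from the client
    // other than the validated extension ends up in the path.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;

    // realpath() returns false if the directory is missing or a dangling link.
    $base = realpath(UPLOAD_DIR);
    if ($base === false || !is_dir($base)) {
        return null;
    }
    return $base . DIRECTORY_SEPARATOR . $stored;
}

// The asker's flow, with the safe path in place of "contacts_load/" . $fileName.
$target = uploadTargetPath($_FILES['file']['name'] ?? '');
if ($target === null) {
    http_response_code(400);
    exit('Rejected upload');
}
if (move_uploaded_file($_FILES['file']['tmp_name'], $target)) {
    if ($import = fopen($target, 'r')) {
        // ... read the contacts from $import ...
        fclose($import);
    }
    unlink($target);
}
```

If the original filename must be shown to users later, keep it in the database as display data rather than in the path.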
