user47322
Reputation:
Ensure a user-defined path is safe in PHP
I am implementing a simple directory listing script in PHP.
I want to ensure that the passed path is safe before opening directory handles and echoing the results willy-nilly.
$f = $_GET["f"];
if(! $f) {
$f = "/";
}
// make sure $f is safe
$farr = explode("/",$f);
$unsafe = false;
foreach($farr as $farre) {
// protect against directory traversal
if(strpos($farre,"..") != false) {
$unsafe = true;
break;
}
if(end($farr) != $farre) {
// make sure no dots are present (except after the last slash in the file path)
if(strpos($farre,".") != false) {
$unsafe = true;
break;
}
}
}
Is this enough to make sure a path sent by the user is safe, or are there other things I should do to protected against attack?
Upvotes: 7
Views: 2188
Answers (1)
Tomalak
Reputation: 338128
It may be that realpath() is helpful to you.
realpath()expands all symbolic links and resolves references to'/./','/../'and extra'/'characters in the input path, and returns the canonicalized absolute pathname.
However, this function assumes that the path in question actually exists. It will not perform canonization for a non-existing path. In this case FALSE is returned.
Upvotes: 8
Related Questions
- Preventing Directory Traversal in PHP but allowing paths
- Sanitize file path in PHP
- PHP: Recommended way to escape slashes in path (e.g. to prevent directory traversal attack)
- path injection in user input
- How do I make sure a file path is within a given subdirectory?
- PHP - Path Manipulation / Input Validation
- How to check an exectuable's path is correct in PHP?
- How to build a file path correctly by using php?
- php directory traversal issue
- Securing paths in PHP