Posted by Rik on 01/12/07 19:10
Toby Inkster wrote:
> Rik wrote:
>
>> It never even occurred to me to include files I did not write myself
>> :P Validating a file is very difficult, you'll have to check it by
>> hand.
>
> Don't validate the file itself -- validate the filename! For example,
> check that the filename doesn't include any slashes, backslashes or
> colons and you should be sorted.
>
> $file=$_GET['fileName'];
> if (preg_match('/[\/\\\:]/', $file))
> die("Dirty, rotten scoundrel!");
> echo "Requested File is: ".$file;
> include($file);
DOH! Of course that was what was meant... Haven't used constructions like
this in a while.
I'd whitelist the filename, but this would also work, of course.
--
Rik Wasmus
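As an added example (not code from either poster), the character blacklist from the quoted post side by side with the whitelist Rik says he would prefer. The `$pages` map, the `$baseDir` location and the sample request names are assumptions made up for the illustration; the only thing taken from the thread is the regex that rejects slashes, backslashes and colons.

```php
<?php
// Added example, not from the original thread: the blacklist from the quoted
// post beside a whitelist of known page names, plus a realpath check on the
// resolved file.

// Constructed sample: the pages we actually want to be includable, keyed by
// the name the client is allowed to send.
$pages = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

// The approach from the quoted post: reject the characters that would let the
// name reach another directory or a stream wrapper (php://, data:, ...).
// Any other filename, including one that already sits in the include path,
// passes this check.
function blacklist_ok(string $name): bool
{
    return !preg_match('/[\/\\\\:]/', $name);
}

// Whitelist: the request is valid only if it is one of the known keys, and the
// client never supplies a filename at all, only a label we map to one.
function whitelist_resolve(array $pages, string $name): ?string
{
    return $pages[$name] ?? null;
}

// Defence in depth for the whitelisted file: confirm it really resolves to a
// path under $base before including it, so a bad entry in $pages or a symlink
// can't drag the include somewhere else.
function resolve_under(string $base, string $file): ?string
{
    $baseReal = realpath($base);
    $real = realpath($base . DIRECTORY_SEPARATOR . $file);
    if ($baseReal === false || $real === false) {
        return null;
    }
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// Constructed request names standing in for $_GET['fileName'].
$requests = ['home', 'config.php', '../../etc/passwd', 'php://input', 'about'];

foreach ($requests as $req) {
    $bl = blacklist_ok($req) ? 'allowed' : 'rejected';
    $wl = whitelist_resolve($pages, $req) ?? '(not on the list)';
    printf("%-20s blacklist: %-9s whitelist: %s\n", $req, $bl, $wl);
}

// The real include: whitelist first, then the path check. $baseDir is an
// assumption for where the includable pages live.
$baseDir = __DIR__ . '/pages';
$name = $_GET['fileName'] ?? 'home';
$file = whitelist_resolve($pages, $name);
$path = $file === null ? null : resolve_under($baseDir, $file);
if ($path === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $path;
```

Run from the command line, the loop shows the difference between the two checks: `../../etc/passwd` and `php://input` are rejected by both, but `config.php` contains none of the blacklisted characters and so passes the blacklist, while the whitelist only ever resolves `home`, `about` and `contact`. The `realpath` check is there for the case where the map itself is wrong, not as a substitute for the whitelist.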