Reply to Re: Include with variables - why does this work ?

Posted by Rik on 01/12/07 19:10

Toby Inkster wrote:
> Rik wrote:
>
>> It never even occurred to me to include files I did not write myself
>> :P Validating a file is very difficult, you'll have to check it by
>> hand.
>
> Don't validate the file itself -- validate the filename! For example,
> check that the filename doesn't include any slashes, backslashes or
> colons and you should be sorted.
>
> $file=$_GET['fileName'];
> if (preg_match('/[\/\\\:]/', $file))
>     die("Dirty, rotten scoundrel!");
> echo "Requested File is: ".$file;
> include($file);

DOH! Of course that was what was meant... Haven't used constructions like
this in a while.

I'd whitelist the filename, but this would also work, of course.
--
Rik Wasmus
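
The whitelist approach mentioned above, shown next to the character check from the quoted snippet. This is an added example, not code from either poster; the page keys, the `pages/` directory and the function names are assumptions.

```php
<?php
// Added example: allow-list lookup for include(). The page keys and the
// pages/ directory are hypothetical; adjust them to the application's layout.
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Return the path to include for a requested name, or null when the name
 * is not on the allow-list. The request value is only ever used as an
 * array key, never as part of a path.
 */
function resolve_page($requested, string $baseDir): ?string
{
    if (!is_string($requested) || !array_key_exists($requested, ALLOWED_PAGES)) {
        return null;
    }
    return rtrim($baseDir, '/') . '/' . ALLOWED_PAGES[$requested];
}

/** The character check from the quoted snippet, for comparison. */
function passes_character_check(string $name): bool
{
    return !preg_match('/[\/\\\\:]/', $name);
}

// Constructed sample inputs, run through both checks.
$samples = ['home', 'about', 'config.inc', '../secret', 'php://input', ''];
foreach ($samples as $name) {
    printf(
        "%-14s character check: %-6s allow-list: %s\n",
        var_export($name, true),
        passes_character_check($name) ? 'pass' : 'reject',
        resolve_page($name, __DIR__ . '/pages') ?? 'reject'
    );
}

// Typical use in a request handler:
// $path = resolve_page($_GET['fileName'] ?? null, __DIR__ . '/pages');
// if ($path === null) { http_response_code(404); exit; }
// include $path;
```

The character check accepts any name that lacks those three characters, so every file reachable through the include path stays includable; the allow-list limits the choice to the listed files.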
