|
Posted by Philip Hallstrom on 10/02/05 03:51
> I'm working on a script which basically loads an image, the user
> requested and wonder how to properly sanitize the passed path. For
> instance the user should never ever be able to do somtehing
> like ?load=../../../etc/passwd.
>
> My approach so far is to simply urldecode() the given string and return
> an error if ".." is found in it. Maybe I'm a little paranoid but is this
> really enough?
>
> For clarification: All paths are prefixed with some kind of a root path.
> All images within this root path may be accessed but "jumping" out of it
> should not be allowed.
realpath() is your friend... prepend your root path to the passed in
string, then run that through realpath, then verify that your root path is
still prepended...
http://us2.php.net/realpath
realpath() expands all symbolic links and resolves references to '/./',
'/../' and extra '/' characters in the input path and return the
canonicalized absolute pathname. The resulting path will have no symbolic
link, '/./' or '/../' components.
realpath() returns FALSE on failure, e.g. if the file does not exist. On
BSD systems realpath() doesn't fail if only the last path component
doesn't exist, while other systems will return FALSE.
[Back to original message]
|