Preventing Directory Traversal in PHP but allowing paths

by

Well, one option would be to compare the real paths:

$basepath="/foo/bar/baz/";
$realBase = realpath($basepath);

$userpath = $basepath . $_GET['path'];
$realUserPath = realpath($userpath);

if ($realUserPath === false || strpos($realUserPath, $realBase) !== 0) {
    //Directory Traversal!
} else {
    //Good path!
}

Basically, realpath() will resolve the provided path to an actual hard physical path (resolving symlinks, .., ., /, //, etc)… So if the real user path does not start with the real base path, it is trying to do a traversal. Note that the output of realpath will not have any “virtual directories” such as . or ..

More Related Contents:

  1. How Secure Is This Login System? (Using Cookies In PHP)
  2. How can I sanitize user input with PHP?
  3. What are the best practices for avoiding xss attacks in a PHP site [closed]
  4. When should I use prepared statements?
  5. “Keep Me Logged In” – the best approach
  6. Full Secure Image Upload Script
  7. What does it mean to escape a string?
  8. PHP $_SERVER[‘HTTP_HOST’] vs. $_SERVER[‘SERVER_NAME’], am I understanding the man pages correctly?
  9. PHP MySQLI Prevent SQL Injection [duplicate]
  10. How to fake $_SERVER[‘REMOTE_ADDR’] variable?
  11. Best way to defend against mysql injection and cross site scripting
  12. Are mysql_real_escape_string() and mysql_escape_string() sufficient for app security?
  13. Login without HTTPS, how to secure?
  14. Is it safe to trust $_SERVER[‘REMOTE_ADDR’]?
  15. how safe are PDO prepared statements
  16. How to get rid of eval-base64_decode like PHP virus files?
  17. How to sanitze user input in PHP before mailing?
  18. How can I relax PHP’s open_basedir restriction?
  19. How to run PHP exec() as root?
  20. Hiding true database object ID in url’s
  21. CodeIgniter – why use xss_clean
  22. How to enable DDoS protection?
  23. Is htmlspecialchars enough to prevent an SQL injection on a variable enclosed in single quotes?
  24. Why should I use $_GET and $_POST instead of $_REQUEST? [duplicate]
  25. Codeigniter CSRF – how does it work
  26. How to protect my source code when deployed?
  27. Best way to connect to MySQL with PHP securely [duplicate]
  28. Safe alternatives to PHP Globals (Good Coding Practices)
  29. When to use filter_input()
  30. Single Session Login in Laravel

Leave a Comment