Filtering leading dots in filename with file uploads

olivierd
Forum Newbie
Posts: 3
Joined: Fri Mar 19, 2004 2:51 pm

Filtering leading dots in filename with file uploads

Post by olivierd »

Hi,

I made a file upload utility. I am adding a filter to the uploaded filename to prevent bad people from moving up the folder tree to the root of the server.

Ex: Filename sent could be "..\..\..\index.htm". I think that may reach the root file.

So I use

```php
// Reject a few extensions and any name containing the word "index".
// The dots are escaped so that "\.txt" means a literal ".txt", not "any character followed by txt".
if (preg_match("/\.txt$|\.exe$|\.com$|\.bat$|\.zip$|\.doc$|\bindex\b/i", $_FILES['userfile']['name'])) {
  exit("can't upload");
}
```
That works...

But I can't seem to get the expression to filter any leading dots. I tried:

```php
// Note: "\." matches a dot anywhere in the name (e.g. the one before the extension),
// so this pattern is not restricted to a leading dot.
if (preg_match("/\..|\./i", $_FILES['userfile']['name'])) {
  exit("can't upload");
}
```
Any help please?
TheBentinel.com
Forum Contributor
Posts: 282
Joined: Wed Mar 10, 2004 1:52 pm
Location: Columbus, Ohio

Re: Filtering leading dots in filename with file uploads

Post by TheBentinel.com »

olivierd wrote:Ex: Filename sent could be "..\..\..\index.htm". I think that may reach the root file.
Regexp's seem awfully fragile for something like this.
For your purposes, would substr() do the trick?
http://us4.php.net/manual/en/function.substr.php

```php
if (substr($_FILES['userfile']['name'], 0, 1) == ".") { // first character is a dot
    exit("can't upload");
}
```
Will you need to test for "/", too? Otherwise somebody might upload "/etc/passwd" or something on that order.
markl999
DevNet Resident
Posts: 1972
Joined: Thu Oct 16, 2003 5:49 pm
Location: Manchester (UK)

Post by markl999 »

Couldn't you also just use basename to extract just the filename, no matter what precedes it?
TheBentinel.com
Forum Contributor
Posts: 282
Joined: Wed Mar 10, 2004 1:52 pm
Location: Columbus, Ohio

Post by TheBentinel.com »

markl999 wrote:Couldn't you also just use basename to extract just the filename, no matter what precedes it?
Oh yeah, that's what you want to do. Very clean.

Nice one, Mark.
olivierd
Forum Newbie
Posts: 3
Joined: Fri Mar 19, 2004 2:51 pm

seems to work

Post by olivierd »

Thank you. Seems to work. Can we assume this takes care of that security issue when using file upload to a server?

Thanks for your input.
TheBentinel.com
Forum Contributor
Posts: 282
Joined: Wed Mar 10, 2004 1:52 pm
Location: Columbus, Ohio

Re: seems to work

Post by TheBentinel.com »

olivierd wrote:Thank you. Seems to work. Can we assume this takes care of that security issue when using file upload to a server?

Thanks for your input.
That will control where the files go, sort of, but it doesn't control their types. You should decide what you're going to allow and only allow those file types to be uploaded. Don't do it the other way, disallowing things you don't want. Otherwise some sneaky hacker will float some obscure extension past you.
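The two suggestions in this thread, basename() to drop any directory part the client sends (markl999's post above) and an allowlist of permitted extensions rather than a denylist (the post just above), fit naturally into one sanitizer. The following is an added example, not code from any poster; it assumes an upload directory `$uploadDir` that the web server can write to, the field name `userfile` used throughout the thread, and a constructed allowlist of extensions. It also shows a caveat the thread does not mention: PHP's basename() only honours the native directory separator, so on a Linux server the name `..\..\..\index.htm` from the first post passes through basename() unchanged.

```php
<?php
// Added example (not from the thread). Assumptions: upload field "userfile",
// a writable $uploadDir, and a constructed sample allowlist of extensions.

const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];

/**
 * Return a safe filename for storage, or null if the upload must be refused.
 */
function sanitizeUploadName(string $clientName): ?string
{
    // Treat both "/" and "\" as directory separators. basename() only knows the
    // native separator, so on Linux "..\..\..\index.htm" would survive it untouched.
    $normalized = str_replace('\\', '/', $clientName);
    $base = basename($normalized);

    // Nothing left, or a name that starts with a dot (".", "..", ".htaccess").
    if ($base === '' || $base[0] === '.') {
        return null;
    }

    // Allowlist the extension: decide what is permitted, never what is forbidden.
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;
    }

    // Do not reuse the client's name on disk at all: store under a random name
    // and keep only the vetted extension. The original name can be kept in a
    // database if it has to be shown back to users.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

/**
 * Move a validated upload into $uploadDir (only meaningful inside a web request).
 */
function handleUpload(string $uploadDir): void
{
    if (!isset($_FILES['userfile']) || $_FILES['userfile']['error'] !== UPLOAD_ERR_OK) {
        exit("can't upload");
    }
    $safeName = sanitizeUploadName($_FILES['userfile']['name']);
    if ($safeName === null) {
        exit("can't upload");
    }
    // move_uploaded_file() refuses any source path that is not a genuine PHP upload.
    if (!move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadDir . '/' . $safeName)) {
        exit("can't upload");
    }
}

// Constructed sample names, run from the command line with: php this_file.php
$samples = ['photo.JPG', '..\\..\\..\\index.htm', '../../etc/passwd', '.htaccess', 'shell.php', 'report.pdf'];
foreach ($samples as $name) {
    $result = sanitizeUploadName($name);
    printf("%-22s => %s\n", $name, $result === null ? 'rejected' : 'stored as ' . $result);
}
```

With the sample list, `photo.JPG` and `report.pdf` are accepted and stored under random names; the traversal names lose their directory part and are then refused because `htm` and an empty extension are not on the allowlist; `.htaccess` is refused for its leading dot; `shell.php` is refused by the allowlist. Storing under a generated name means the client's name never reaches the filesystem, which removes the whole class of problems the first post's regular expressions were trying to catch one case at a time.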
olivierd
Forum Newbie
Posts: 3
Joined: Fri Mar 19, 2004 2:51 pm

yes

Post by olivierd »

Thanks Dave, I have a filter for the accepted file types now. So combining these 2 methods seems fairly secure, well, for what I am doing. If you are aware of any major security issues with uploading files, or other common coding mistakes for that, please share; I am looking into this more and more as I am building an upload tool (a very basic tool).