Page 1 of 1
Filtering leading dots in filename with file uploads
Posted: Fri Mar 19, 2004 2:51 pm
by olivierd
Hi,
I made a file upload utility. I am adding a filter to the uploaded filename to prevent bad people to move up the folder tree up to the root of the server.
Ex: Filename sent could be "..\..\..\index.htm". I think that may reach the root file.
So I use
Code: Select all
if(preg_match("/.txt$|.exe$|.com$|.bat$|.zip$|.doc$|\bindex\b/i", $_FILESї'userfile']ї'name'])){
exit("can't upload");
}
That works...
But i can't seem to get the expression to filter any leading dots. I tried:
Code: Select all
if(preg_match("/\..|\./i", $_FILESї'userfile']ї'name'])){
exit("can't upload");
}
Any help please?[/url]
Re: Filtering leading dots in filename with file uploads
Posted: Fri Mar 19, 2004 3:03 pm
by TheBentinel.com
olivierd wrote:Ex: Filename sent could be "..\..\..\index.htm". I think that may reach the root file.
Regexp's seem awfully fragile for something like this.
For your purposes, would substr() do the trick?
http://us4.php.net/manual/en/function.substr.php
Code: Select all
if (substr($_FILES['userfile']['name'], 0, 1) == ".") {
Will you need to test for "/", too? Otherwise somebody might upload "/etc/passwd" or something on that order.
Posted: Fri Mar 19, 2004 3:07 pm
by markl999
Couldn't you also just use
basename to extract just the filename, no matter what proceeds it?
Posted: Fri Mar 19, 2004 3:17 pm
by TheBentinel.com
markl999 wrote:Couldn't you also just use
basename to extract just the filename, no matter what proceeds it?
Oh yeah, that's what you want to do. Very clean.
Nice one, Mark.
seems to work
Posted: Fri Mar 19, 2004 4:05 pm
by olivierd
thank you. seems to work. Can we assume this takes care of that security issue when using file upload to a server?
thanks for your input
Re: seems to work
Posted: Fri Mar 19, 2004 4:56 pm
by TheBentinel.com
olivierd wrote:thank you. seems to work. Can we assume this takes care of that security issue when using file upload to a server?
thanks for your input
That will control where the files go, sort of, but it doesn't control their types. You should decide what you're going to allow and only allow those file types to be uploaded. Don't do it the other way, disallowing things you don't want. Otherwise some sneaky hacker will float some obscure extension past you.
yes
Posted: Fri Mar 19, 2004 5:02 pm
by olivierd
thanks dave, i have a filter for the accepted filetypes now. so combining these 2 methods seems fairly secure, well for what i am doing. If you are aware of any major security issues with uploading files, or our common coding mistakes for that, please share, i am looking into this more and more as i am building an upload tool. (very basic tool).