checking if file exists on my server
Posted: Mon Jun 13, 2005 4:40 am
by shiznatix
i am using an iframe to display the content in a website. i get the page that should be loaded into the iframe through get. but i know this can be easily messed with by doing index.php?u=http://www.badpage.com. i was wondering if there was a way to check if that file existed in my server or not. or maybe there is a safer kind of way to go about doing that that i don't really know of?
Posted: Mon Jun 13, 2005 6:20 am
by Syranide
I really don't see what you are getting at... if you want to point to a file to your site... just use "http://mysite.com/script.php"?
Or the alternative "http://mysite.com/index.php?page=script.php", however the last one is not suggested unless you do some testing, such as there is no ".." in the name, etc, but generally, it is just prepend a "./" to the incoming file, and now it must exist in your server (a good way is otherwise to use realpath (or something like that) which gives you the exact place of the file within your system, giving you the ability to select whether it is allowed or not (depending on where it should be)).
Posted: Mon Jun 13, 2005 6:34 am
by shiznatix
thanks i did this
Code:
<?
if ($_GET['op'])
{
    if (file_exists('./'.$_GET['op']))
    {
        require('./'.$_GET['op'].'.php');
    }
    else
    {
        require('welcome.php');
    }
}
else
{
    require('welcome.php');
}
?>
Posted: Mon Jun 13, 2005 6:42 am
by Syranide
however, do note that they could "easily" view e.g. your passwords-files using that. by specifying "../../../etc/passwords" and such.
I still recommend checking for ".." or best of all, realpath.
Posted: Mon Jun 13, 2005 6:51 am
by Chris Corbyn
No no no
no
no
no!!
That is very very bad
A better way is to have http://www.yoursite.com?page=something (don't even use a filename).
then:
Code:
<?php
switch ($_GET['page']) {
    case 'whatever':
        include('somefile.php');
        break;
    case 'something_else':
        include('anotherfile.php');
        break;
    default:
        include('a_default_page.php'); //Key point is this bit
        break;
}
?>
Now if the page they type in the URL isn't in that switch they just get some default page. They can't get any other files this way

Posted: Mon Jun 13, 2005 6:54 am
by Syranide
In response to d11wgs message:
I assumed that wouldn't be an option as then he wouldn't really need to pass it as a variable? That could be by having a dynamic folder which is not accessible from the outside.
But of course, if you have static pages then do not ever let the user specify files.
Posted: Mon Jun 13, 2005 7:20 am
by shiznatix
gah but the switch case method would take me forever to code and im hungry. i have like 50 different files that could be included and then i would have to go through everything and redo all the links. is there a better way?
i only have a few folders it could be in
none
edit
admin
admin/edit
maybe a regular expression to strip out everything beforehand or something?
Posted: Mon Jun 13, 2005 7:37 am
by Chris Corbyn
Yeah then in which case there's another way.
Put the allowed directories into an array and then check if the requested file is in one of those directories (i.e. In the array).
Code:
$allowed = array(
    'none',
    'edit',
    'admin',
    'admin/edit'
);
$page = $_GET['page'];
// Split off the trailing "/filename"; element 0 is the directory part
$path = preg_split('#/[^/]*$#', $page);
if (in_array($path[0], $allowed)) {
    include($page);
} else {
    //Bad request
}
Posted: Mon Jun 13, 2005 7:45 am
by Syranide
I believe it is possible to specify "\" in names, even on linux (in PHP).
meaning that you still can do whatever you want, so I would say a good thing would be to use ctype_alpha or so too to make sure they aren't trying anything and I doubt you will use anything other either so. (e.g. could specify "../index.php" too otherwise)
Posted: Mon Jun 13, 2005 8:08 am
by Chris Corbyn
Syranide wrote: I believe it is possible to specify "\" in names, even on linux (in PHP).
meaning that you still can do whatever you want, so I would say a good thing would be to use ctype_alpha or so too to make sure they aren't trying anything and I doubt you will use anything other either so. (e.g. could specify "../index.php" too otherwise)
How could you still do what you want using a backslash? It doesn't fit the array and would therefore be rejected?

Posted: Mon Jun 13, 2005 8:10 am
by Syranide
you specified only "NOT /" (not a backslash) ... backslash would fit in that.
Posted: Mon Jun 13, 2005 8:22 am
by Chris Corbyn
Syranide wrote: you specified only "NOT /" (not a backslash) ... backslash would fit in that.
Yes but it still doesn't match the array. By the way this will NOT work...
http://mydomain.com/folder1/folder2\..\ ... older1.php
if that's what you're getting at?
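
The realpath check recommended earlier in the thread, combined with the allowed-directory list and the backslash concern, as an added example that is not code from any poster. The function name resolve_page(), the pages/ root, the demo file names and the use of '.' for the "none" folder are assumptions made for illustration.

```php
<?php
// Added example, not from the thread. resolve_page(), the pages/ root and
// the demo file names are hypothetical.
function resolve_page(string $requested, string $baseDir, array $allowedDirs): ?string
{
    // Refuse NUL bytes and backslashes before touching the filesystem;
    // page names in this scheme only ever use "/" as a separator.
    if ($requested === '' || strpbrk($requested, "\0\\") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "." and "..", follows symlinks, and returns
    // false when the target does not exist.
    $full = realpath($base . '/' . $requested . '.php');
    if ($full === false || !is_file($full)) {
        return null;
    }
    foreach ($allowedDirs as $dir) {
        $allowed = realpath($base . '/' . $dir);
        // Compare the resolved parent directory exactly, so "admin_old"
        // can never pass as "admin" the way a string-prefix test would allow.
        if ($allowed !== false && dirname($full) === $allowed) {
            return $full;
        }
    }
    return null;
}

// Constructed demo tree in the temp directory.
$root = sys_get_temp_dir() . '/pages_demo_' . getmypid();
mkdir("$root/pages/admin/edit", 0700, true);
file_put_contents("$root/pages/admin/edit/user.php", "<?php // demo page\n");
file_put_contents("$root/secret.php", "<?php // outside the page root\n");

// '.' stands for the thread's "none" (file directly in the page root).
$allowedDirs = ['.', 'edit', 'admin', 'admin/edit'];
$tests = ['admin/edit/user', '../secret', 'admin/../../secret',
          'admin\\..\\..\\secret', 'missing'];
foreach ($tests as $op) {
    $file = resolve_page($op, "$root/pages", $allowedDirs);
    // A real front controller would require($file ?? 'welcome.php') here.
    printf("%-22s => %s\n", $op, $file ?? 'rejected, fall back to welcome.php');
}
```

Only the first name resolves to a file; the others are rejected because the resolved parent directory is not one of the allowed directories, the name contains a backslash, or the file does not exist.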