But, anyway, is this secure?
Code: Select all
/**
* Validates a page name, making sure that is allowed and in proper format;
* halts page execution if invalid
* @param $page string page name to validate
* @param $allowed_dirs lookup array of allowed directories, see config.default.php
* @param $filename_chars PCRE style string of characters, see config.default.php
*/
function validate_page($page, $allowed_dirs, $filename_chars) {
// validate the path, perhaps syntax could be more permissive
$regex = "#(((?:[$filename_chars]+/)*)[$filename_chars]+).html#";
$status = preg_match($regex, $page, $matches);
if (!$status) display_error_and_quit(403);
// validate directory
if (!isset($allowed_dirs[$matches[2]])) {
// maybe one of its parent directories had a recursive declaration
$dir = $matches[2];
$dirs = explode('/', $dir);
$test_dir = '';
$ok = false;
foreach ($dirs as $name) {
if ($name === '') break;
if (
isset($allowed_dirs[$test_dir]) &&
$allowed_dirs[$test_dir] === 1
) {
$ok = true;
break;
} else {
$test_dir .= $name . '/';
}
}
if (!$ok) display_error_and_quit(403);
}
}Code: Select all
validate_page($_GET['f'], array('' => 0, 'data/' => 1), 'a-zA-Z0-9\-_');