Re: basename secure for path injection?
Posted: Mon Sep 22, 2008 2:03 pm
Eh, there is a simple (and probably provably) secure way to do this. Use a hash table.
All PHP arrays are associative arrays anyway (i.e. a hash table) - which makes this solution even easier with PHP.
Just declare something like:
    $valid_paths = array(
        'expected/web/path/1' => '/home/www/real/path/1',
        'expected/web/path/2' => '/home/www/real/path/2'
    );
(change and add elements as required obviously)
and when you come to check things:
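    // Accept only a plain string key; a missing or array-valued parameter gets the default
    $key = ( isset( $_GET[ 'path' ] ) && is_string( $_GET[ 'path' ] ) ) ? $_GET[ 'path' ] : '';
    if ( array_key_exists( $key, $valid_paths ) ) {
        $path = $valid_paths[ $key ];
    } else {
        $path = '/path/to/some/error/message/or/default/';
    }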
That way you don't have to worry about the security of basename(), nor have to design a decent regex, which can be tricky at best.
If maintaining $valid_paths is difficult, you could store it in a DB table, which would make it easier to modify from an admin interface or whatever.
Regards,
Peter
P.S. I haven't touched PHP in a while so my syntax may be a bit iffy, but you get the idea.
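
The database-backed variant suggested in the post above, as an added example that is not part of the original post. The table and column names, the in-memory SQLite database (needs the pdo_sqlite extension) and the constructed sample requests are assumptions for illustration.

```php
<?php
// Added example (not from the post). Table and column names are assumptions.
const DEFAULT_PATH = '/path/to/some/error/message/or/default/';

// Build the allowlist table in an in-memory SQLite database (constructed data).
function open_allowlist()
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE valid_paths (web_path TEXT PRIMARY KEY, real_path TEXT NOT NULL)');
    $insert = $db->prepare('INSERT INTO valid_paths (web_path, real_path) VALUES (?, ?)');
    $insert->execute(array('expected/web/path/1', '/home/www/real/path/1'));
    $insert->execute(array('expected/web/path/2', '/home/www/real/path/2'));
    return $db;
}

// Map a request value to a real path, or to the default if it is not listed.
function resolve_path(PDO $db, $requested)
{
    // A missing parameter is null and path[]=x arrives as an array: neither is a key.
    if (!is_string($requested)) {
        return DEFAULT_PATH;
    }
    // The request value is bound as data and compared for exact equality.
    // It is never concatenated into the SQL text or into a filesystem path.
    $stmt = $db->prepare('SELECT real_path FROM valid_paths WHERE web_path = ?');
    $stmt->execute(array($requested));
    $real = $stmt->fetchColumn();   // false when no row matches
    return is_string($real) ? $real : DEFAULT_PATH;
}

$db = open_allowlist();

// Constructed sample requests: one listed key, two traversal attempts,
// an array-valued parameter and a missing parameter.
$samples = array(
    'expected/web/path/2',
    '../../etc/passwd',
    'expected/web/path/1/../../../etc/passwd',
    array('expected/web/path/1'),
    null,
);
foreach ($samples as $requested) {
    printf("%s => %s\n", json_encode($requested, JSON_UNESCAPED_SLASHES),
        resolve_path($db, $requested));
}
```

Only the first sample resolves to a real path. Every other request gets the default, because the returned path always comes from the table and never from the request itself.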