first of all: I'm new here, hello to all
I'm using mod rewrite to map requests to specific folders (not files) to a theme selector.
Mod Rewrite Examples:
http://www.domain.com/css/example.css goes to http://www.domain.com/themeselector.php ... xample.css
http://www.domain.com/img/example.jpg goes to http://www.domain.com/themeselector.php ... xample.jpg
http://www.domain.com/js/example.js goes to http://www.domain.com/themeselector.php?f=js/example.js
This theme selector then tries to deliver the file from a specific theme folder outside the www of the vhost (for example /var/www/systemname/display/theme1/css) or returns a 404 if the file is not found.
Code: Select all
...
// $_GET['f'] needs to be validated here!
if (!file_exists(SYSTEM_THEMEROOT."/".$_GET['f'])) {
header("HTTP/1.0 404 Not Found");
} else {
require_once(SYSTEM_THEMEROOT."/".$_GET['f']);
}
However - I have identified the security issue that a caller can modify the path to download files outside the theme folder. This is what I'm seeking to prevent.
I was thinking about several possible solutions, none of which seems feasible:
- 1) I can't filter out any ocurrence of a relevent path (../), as for example TinyMCE is part of the themes and uses them
2) open_basedir can't be set via ini_set (at least it's not working on my test server), I also can't put it into the .htaccess file as there are other directives which do need more open_basedir privileges. Also, I don't think open_basedir actually prevents require() from working, just fopen()
3) i could write a php function that checks if the passed folder is a sub folder of the theme folder -> imho this would cause severe performance issues as the code is used in an high traffic application.
Is there a way to restrict access to the theme folder without jepardizing performance? Any ideas?
Thanks in advance,
Lynky