Richard Davey wrote:
> Jochem Maas wrote:
>
>>> You don't need to basename() it, you already know what the filename is,
>>> because it was requested via $_GET['file'].
>>
>> I would say almost the opposite:
>
> Let me rephrase: if you are properly validating the $_GET['file'] input
> anyway, basenaming it is a superfluous step that may hide possible
> attack attempts. Personally, I'd rather know if someone was messing
> around with a parameter.

fine. so exactly what is the 100% bulletproof validation that will catch
every attack attempt? other than basename()ing the input and suffixing it
to the relevant path and then checking that to see if the file exists??

(I'm assuming here that the directory in question contains only files that
are available for download)

given that the app will only generate urls for files that exist on the
relevant path, any file that is not found constitutes an attack of some sort.

do you really care if the original url is:

foo.php?file=bla.pdf

and somebody does this (ending up with the file the original url pointed to):

foo.php?file=../../../bla.pdf

?

>
> Cheers,
>
> Rich

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
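As an added example (not code from this thread; PHP 7.1 or later assumed), a download handler that does both things argued for above: strict validation of the raw parameter with logging of whatever is rejected, plus the build-the-path-and-check-it-exists step with a containment test. The downloads directory and the extension allow-list are assumptions.

```php
<?php
// Added example, not code from the thread: a download handler combining both
// views above. It validates the raw $_GET['file'] value and logs anything that
// fails (so tampering is not hidden by basename()), then builds the path,
// checks the file exists, and verifies the canonical path is still inside
// the download directory. $downloadDir and the extension list are assumptions.

$downloadDir = realpath(__DIR__ . '/downloads'); // assumed: holds only public files
if ($downloadDir === false) { http_response_code(500); exit; } // misconfigured

// Returns the absolute path to serve, or null when the request must be refused.
function resolveDownload(string $requested, string $downloadDir): ?string
{
    // 1. Strict allow-list on the raw parameter: one filename segment, no
    //    slashes, no leading dot, limited length and extensions.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}\.(pdf|zip|txt)$/', $requested)) {
        // Log the rejected value: "../../../bla.pdf" should be visible in the
        // logs, not silently normalised to "bla.pdf".
        error_log(sprintf('download: rejected file=%s from %s',
            var_export($requested, true), $_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        return null;
    }

    // 2. realpath() canonicalises and returns false when the file is missing;
    //    the thread treats a missing file as a tampering attempt, so log it too.
    $candidate = realpath($downloadDir . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false || !is_file($candidate)) {
        error_log("download: no such file for validated name $requested");
        return null;
    }

    // 3. Defence in depth: the canonical path must stay under $downloadDir
    //    (catches symlinks inside the directory that point elsewhere).
    if (strpos($candidate, $downloadDir . DIRECTORY_SEPARATOR) !== 0) {
        error_log("download: $candidate escapes $downloadDir");
        return null;
    }
    return $candidate;
}

$path = resolveDownload((string) ($_GET['file'] ?? ''), $downloadDir);
if ($path === null) {
    http_response_code(404);
    exit;
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . filesize($path));
readfile($path);
```

With this layout a request for `../../../bla.pdf` is refused at step 1 and leaves a log line naming the raw value, while a plain `bla.pdf` that exists is served unchanged.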