Jochem Maas wrote:
fine. so exactly what is the 100% bullitproof validation that will catch every attack attempt? other than basename()ing the input and suffixing it to the relevant path and then checking that to see if the file exists??
It depends how you want to handle invalid data. If you're happy basenaming it to remove anything malicious, and then trying to see if the file still exists, then so be it. To me that is masking something bad to try and make it good, the end result being that you can't tell if someone is trying to screw with your script, or if you've simply got a typo in a link on your site somewhere.
do you really care if the original url is: foo.php?file=bla.pdf and somebody does this (ending up with the file the original url pointed): foo.php?file=../../../bla.pdf
Absolutely I care. One is an obvious attempt to circumvent my script, the other could be an error *I* made somewhere.
Of course a better solution would be to never pass the filename on the query string anyway. Use a local look-up instead based on a key (a hard coded array, pulled from SQL, etc, whatever you want). But that is beyond the scope of what the guy was asking I guess. I honestly believe that having URLs such as getfile.php?file=something.pdf is like waving your wallet infront of a pickpocket, i.e. asking for trouble.
Cheers, Rich -- Zend Certified Engineer http://www.corephp.co.uk "Never trust a computer you can't throw out of a window" -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
