Re: Problems downloading a PDF

Jochem Maas wrote:

> fine. so exactly what is the 100% bulletproof validation that will catch
> every attack attempt? other than basename()ing the input and suffixing it
> to the relevant path and then checking that to see if the file exists?

It depends how you want to handle invalid data. If you're happy basenaming it to remove anything malicious, and then trying to see if the file still exists, then so be it. To me that is masking something bad to try and make it good, the end result being that you can't tell if someone is trying to screw with your script, or if you've simply got a typo in a link on your site somewhere.

> do you really care if the original URL is:
>
> 	foo.php?file=bla.pdf
>
> and somebody does this (ending up with the file the original URL pointed to):
>
> 	foo.php?file=../../../bla.pdf

Absolutely I care. One is an obvious attempt to circumvent my script, the other could be an error *I* made somewhere.

Of course a better solution would be to never pass the filename on the query string anyway. Use a local look-up instead based on a key (a hard-coded array, pulled from SQL, etc., whatever you want). But that is beyond the scope of what the guy was asking, I guess. I honestly believe that having URLs such as getfile.php?file=something.pdf is like waving your wallet in front of a pickpocket, i.e. asking for trouble.

Cheers,

Rich
--
Zend Certified Engineer
http://www.corephp.co.uk

"Never trust a computer you can't throw out of a window"
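The three approaches argued over in the thread side by side, as an added example that is not code from either poster. It assumes a download directory /var/www/files, a hard-coded allow-list FILE_KEYS, a helper name sendPdf(), and PHP 7 or later; all of those are assumptions, not anything from the original message.

```php
<?php
// Added example, not from the original thread. DOWNLOAD_DIR, FILE_KEYS and
// the function names are hypothetical.
declare(strict_types=1);

const DOWNLOAD_DIR = '/var/www/files';

// Approach 1 (what Jochem describes): basename() strips the traversal and
// the script serves whatever is left. basename('../../../bla.pdf') is
// 'bla.pdf', so a probe and a typo in a link become indistinguishable.
function resolveByBasename(string $file): ?string
{
    $path = DOWNLOAD_DIR . '/' . basename($file);
    return is_file($path) ? $path : null;
}

// Approach 2 (Rich's objection): accept only a plain filename and reject
// everything else, so an attack attempt can be logged and told apart from
// a broken link. The anchors \A and \z also rule out a trailing newline
// and NUL bytes, which matter for filesystem calls in old PHP versions.
function resolveStrict(string $file): ?string
{
    if (!preg_match('/\A[A-Za-z0-9_-]+\.pdf\z/', $file)) {
        error_log('rejected suspicious file parameter: ' . bin2hex($file));
        return null;
    }
    $path = DOWNLOAD_DIR . '/' . $file;
    return is_file($path) ? $path : null;
}

// Approach 3 (the one Rich recommends): the filename never appears in the
// URL. The client sends an opaque key and the server looks it up. A
// realpath() containment check guards against a bad entry in the table.
const FILE_KEYS = [
    'manual'  => 'bla.pdf',
    'invoice' => 'invoice-2005.pdf',
];

function resolveByKey(string $key): ?string
{
    if (!array_key_exists($key, FILE_KEYS)) {
        error_log('unknown download key: ' . bin2hex($key));
        return null;
    }
    $base = realpath(DOWNLOAD_DIR);
    $path = realpath(DOWNLOAD_DIR . '/' . FILE_KEYS[$key]);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function sendPdf(string $path): void
{
    header('Content-Type: application/pdf');
    // basename() is safe here: $path came from the allow-list, not the user.
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}

// getfile.php?id=manual instead of getfile.php?file=bla.pdf
$path = resolveByKey((string) ($_GET['id'] ?? ''));
if ($path === null) {
    http_response_code(404);
    exit;
}
sendPdf($path);
```

Calling resolveByBasename('../../../bla.pdf') and resolveByBasename('bla.pdf') returns the same path, which is exactly the ambiguity Rich objects to; resolveStrict() returns null and writes a log line for the first input, and resolveByKey() never sees a filename from the client at all. The allow-list can equally be a database table keyed by id; the point is that the query string carries a key, not a path.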

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

