Micky Hulse wrote:
> Hi,
> 
> I am looking for the most secure/efficient way to compare these two
> strings:
> 
> /folder1/folder2/folder3/folder4/
> /folder1/folder2/folder3/folder4/file.php
> 
> Basically I am trying to set up as many security features as possible for
> a simplistic (home-grown/hand-coded) CMS...
> 
> This appears to work:
> 
> $haystack = '/folder1/folder2/folder3/folder4/someFileName.php';
> $needle = '/folder1/folder2/folder3/folder4/';
> if(substr_count($haystack, $needle) === 1) echo "yea";
> 
> Before making changes to "someFileName.php" I want to make sure it is
> within the allowed path ($needle).
> 
> I would appreciate any advice. Even RTFM is cool.  :D
> 

Using your technique I would try an attack like:
'/etc/passwd;/folder1/folder2/folder3/folder4/' or
'/folder1/folder2/folder3/folder4/../../../../etc/passwd'
or some other variant depending on how you then use the file.


I'm a big fan of lists of allowed files, typically I use aliases too.
$allow_files = array('page' => '/folder/.../filename.php').
This list can be automatically generated and used by mod_rewrite to
boost speed.
By using a fixed list of files like this it's impossible to be attacked
on your filename.


Assuming you don't want to go that strong and want to allow your users
to set the filename you have to try and lock down the path.  By not
allowing them to change the path you can hold them in the directory you set.
Check for any / characters and reject or strip them out.
Use '/folder1/folder2/.../'.$file.
It's vital if you do this that you don't allow any way to upload files
into the directory you execute from.

If you want to allow them to set the path or part of the path then the
check gets far more complicated.  You have to catch .. and // patterns,
ensuring that you don't combine to form a // and catch cases like
'.\./'.  If you need to have multiple directories I would strongly
suggest using dynamically generated fixed lists.


David

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
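The following is an added PHP example, not code from the thread. It runs the substr_count() check from the original post against the two attack strings David gives, then implements the three alternatives he outlines: an alias allowlist, a bare-filename lock-down in front of a fixed directory, and, for the case where users may supply part of a path, a realpath() containment check instead of hand-written '..' and '//' pattern matching. The $needle value, the $allow_files entries, the temporary directory and every input string are constructed for the demonstration and are not from the original CMS.

```php
<?php
// Added example, not from the original thread. All inputs are constructed.
declare(strict_types=1);

// The original check: substr_count() only asks whether the allowed prefix
// occurs once somewhere in the string, not whether the path stays inside it.
function weakCheck(string $haystack, string $needle): bool
{
    return substr_count($haystack, $needle) === 1;
}

$needle = '/folder1/folder2/folder3/folder4/';
$inputs = [
    'legit'     => '/folder1/folder2/folder3/folder4/someFileName.php',
    'prefix'    => '/etc/passwd;/folder1/folder2/folder3/folder4/',          // first attack
    'traversal' => '/folder1/folder2/folder3/folder4/../../../../etc/passwd', // second attack
];
foreach ($inputs as $label => $path) {
    printf("weakCheck %-9s => %s\n", $label, weakCheck($path, $needle) ? 'accepted' : 'rejected');
}
// All three are accepted, including both attack strings.

// Option 1: fixed list of allowed files keyed by alias. The request carries
// only the alias, so no filename from the user ever reaches the filesystem.
$allow_files = [
    'home'  => '/folder1/folder2/folder3/folder4/home.php',   // constructed entries
    'about' => '/folder1/folder2/folder3/folder4/about.php',
];
function resolveAlias(array $allowFiles, string $alias): ?string
{
    return $allowFiles[$alias] ?? null;
}
var_dump(resolveAlias($allow_files, 'home'));           // the mapped path
var_dump(resolveAlias($allow_files, '../etc/passwd'));  // NULL: not in the list

// Option 2: user supplies a bare filename. Reject (rather than strip) anything
// that could change the directory, then prepend the fixed path.
function safeFilename(string $dir, string $file): ?string
{
    if ($file === '' || $file === '.' || $file === '..') {
        return null;
    }
    // '/' and '\' separators, and NUL bytes (which truncate C-level paths).
    if (preg_match('#[/\\\\\0]#', $file) === 1) {
        return null;
    }
    return $dir . $file;
}
var_dump(safeFilename($needle, 'someFileName.php'));  // full path under $needle
var_dump(safeFilename($needle, '../etc/passwd'));     // NULL
var_dump(safeFilename($needle, "page.php\0.txt"));    // NULL

// Option 3: user supplies part of a path. Instead of enumerating '..', '//'
// and '.\./' variants by hand, canonicalise with realpath() and require the
// result to sit under the allowed directory. realpath() returns false for
// paths that do not exist, which is acceptable when editing existing files.
function containedPath(string $dir, string $userPath): ?string
{
    $base = realpath($dir);
    if ($base === false) {
        return null;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    $real = realpath($dir . DIRECTORY_SEPARATOR . $userPath);
    if ($real === false || strncmp($real, $base, strlen($base)) !== 0) {
        return null;
    }
    return $real;
}

// Demonstrate on a throwaway tree under the system temp directory.
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cms_demo_' . getmypid();
mkdir($tmp . '/pages/sub', 0700, true);
touch($tmp . '/pages/index.php');
touch($tmp . '/secret.txt');
var_dump(containedPath($tmp . '/pages', 'index.php'));         // canonical path
var_dump(containedPath($tmp . '/pages', 'sub/../index.php'));  // same canonical path
var_dump(containedPath($tmp . '/pages', '../secret.txt'));     // NULL: escapes base
var_dump(containedPath($tmp . '/pages', 'missing.php'));       // NULL: does not exist
unlink($tmp . '/secret.txt');
unlink($tmp . '/pages/index.php');
rmdir($tmp . '/pages/sub');
rmdir($tmp . '/pages');
rmdir($tmp);
```

Two points worth noting about the design. safeFilename() rejects rather than strips: a single str_replace('../', '', ...) on an input such as '....//' leaves '../' behind, so stripping has to be repeated until nothing changes, whereas rejection has no such failure mode. containedPath() compares against the base directory with its trailing separator included, so a sibling directory whose name merely starts with the base name (for example 'pages-old' next to 'pages') is not accepted, and because realpath() follows symlinks, a link inside the directory that points outside it is resolved and rejected too.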