Jochem Maas wrote:
> fine. so exactly what is the 100% bulletproof validation that will catch
> every attack attempt? other than basename()ing the input and suffixing it
> to the relevant path and then checking that to see if the file exists??
It depends how you want to handle invalid data. If you're happy
basenaming it to remove anything malicious, and then trying to see if
the file still exists, then so be it. To me that is masking something
bad to try and make it good, the end result being that you can't tell if
someone is trying to screw with your script, or if you've simply got a
typo in a link on your site somewhere.
> do you really care if the original url is:
> foo.php?file=bla.pdf
> and somebody does this (ending up with the file the original url pointed to):
> foo.php?file=../../../bla.pdf
Absolutely I care. One is an obvious attempt to circumvent my script,
the other could be an error *I* made somewhere.
Of course a better solution would be to never pass the filename on the
query string anyway. Use a local look-up instead based on a key (a hard
coded array, pulled from SQL, etc, whatever you want). But that is
beyond the scope of what the guy was asking I guess. I honestly believe
that having URLs such as getfile.php?file=something.pdf is like waving
your wallet in front of a pickpocket, i.e. asking for trouble.
Cheers,
Rich
--
Zend Certified Engineer
http://www.corephp.co.uk
"Never trust a computer you can't throw out of a window"
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
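The three approaches discussed in this exchange, written out side by side as an added example (this is not code from the thread or from either poster): the basename() "masking" handler, a strict handler that rejects rather than cleans, and a key-based look-up that keeps the file name off the query string entirely. The download directory, the sample file, and every function and constant name are assumptions made for the example.

```php
<?php
// Added example, not from the original thread. Contrasts "mask the input"
// with "reject the input" and with a key-based look-up.
// Assumptions: a scratch download directory under sys_get_temp_dir() holding
// one constructed file; all names below are invented for this example.

declare(strict_types=1);

// Constructed sandbox: one legitimate file inside the download directory.
$downloadDir = sys_get_temp_dir() . '/getfile_example_' . getmypid();
mkdir($downloadDir, 0700);
file_put_contents($downloadDir . '/bla.pdf', '%PDF-1.4 constructed sample');

// 1. The "masking" approach from the thread: basename() strips any directory
//    part, so "../../../bla.pdf" silently becomes "bla.pdf". The request
//    succeeds, and the log shows nothing that separates an attack from a typo.
function resolveByMasking(string $dir, string $input): ?string
{
    $path = $dir . '/' . basename($input);
    return is_file($path) ? $path : null;
}

// 2. The "reject" approach Rich argues for: refuse anything that is not a
//    plain file name. Comparing against basename() catches any path
//    component; the character class catches NUL bytes and other oddities
//    (\z rather than $ so a trailing newline cannot slip past the check).
//    The rejection is logged, so tampering is visible instead of hidden.
function resolveStrict(string $dir, string $input): ?string
{
    if ($input !== basename($input) || !preg_match('/^[A-Za-z0-9._-]+\z/', $input)) {
        error_log('rejected suspicious file parameter: ' . bin2hex($input));
        return null;
    }
    $path = $dir . '/' . $input;
    return is_file($path) ? $path : null;
}

// 3. The look-up approach: the URL carries an opaque key, never a file name,
//    so there is no path for the client to tamper with at all. The map could
//    equally come from a database; a hard-coded array keeps the example small.
const FILE_MAP = [
    'manual' => 'bla.pdf',
];

function resolveByKey(string $dir, string $key): ?string
{
    if (!isset(FILE_MAP[$key])) {
        error_log('unknown file key: ' . bin2hex($key));
        return null;
    }
    $path = $dir . '/' . FILE_MAP[$key];
    return is_file($path) ? $path : null;
}

// Demonstration with the two inputs from the thread: the masking handler
// serves the file for both, the strict handler serves only the clean one.
foreach (['bla.pdf', '../../../bla.pdf'] as $input) {
    printf("%-18s mask=%s strict=%s\n",
        $input,
        resolveByMasking($downloadDir, $input) === null ? 'null' : 'file',
        resolveStrict($downloadDir, $input) === null ? 'null' : 'file');
}
printf("key 'manual' -> %s\n", resolveByKey($downloadDir, 'manual') === null ? 'null' : 'file');
printf("key 'x'      -> %s\n", resolveByKey($downloadDir, 'x') === null ? 'null' : 'file');

// Remove the constructed sandbox.
unlink($downloadDir . '/bla.pdf');
rmdir($downloadDir);
```

Run it with `php example.php`. The point of the strict handler is the `error_log()` call: the traversal attempt ends up as a logged rejection rather than a successful download, which is exactly the distinction between "someone is trying to screw with your script" and "a typo in a link" that the reply is about. The key-based handler removes the question altogether, since the client never names a file.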