0

I want to allow a javascript app that I am running to delete files only in a given subdirectory. I have php which does the admittedly unsafe: unlink($_POST['delete']); In order to make it slightly safer I expanded it to:

$file = $_POST['delete'];
if (strpos($file, "..") == -1){
    unlink($file);
}

This still has a vulnerability if a file in the directory links outside of the directory. Furthermore, this approach in general feels very unsafe. I understand the point of unsafety and will leave it like that if I must, but I'd rather have a safer version. To expand on that, the app is on a personal server without any vital information.

As an example demonstrating the vulnerability:

foo
   bar -> /usr/
   baz.txt

and $_POST['delete'] == 'foo/bar/bin'
chacham15
  • 13,719
  • 26
  • 104
  • 207
  • How about you just return the file name from javascript, and if the file is in the deletion directory, then delete it. That way no files in other directories can be deleted. – Joshua Kissoon Feb 08 '14 at 05:22
  • @JoshuaKissoon I gave an example of the problem. As the title states, how can I tell that the given path is actually outside the directory? – chacham15 Feb 08 '14 at 05:25

0 Answers0