1

There is a php file in my server that is called when authenticated clients want to upload a file to their own server folder. Please note that it is a dev site, so there is no need to focus on possible issues like clients spamming the server etc. I get the file path from $_POST['filePath'], and the authenticated username $_SERVER['REMOTE_USER']. Together they form the path where the file is created, like this:

users/$username/$filepath

Now the file path is the concern (as everything coming from the client usually is :) )

Is it possible for the client to post backspaces in the file path string, and leave a way to modify the servers files?

Here are a few examples:

  • test.txt becomes users/user/test.txt (normal behavior)
  • foo/bar.log becomes users/user/foo/bar.log (still normal behavior)
  • #8#8#8#8#8otheruser/important.txt becomes user/otheruser/important.txt (#8 stands for a backspace, and this behavior is not wanted)
  • #8#8#8...http://this.domain.com/server.cfg becomes http://this.domain.com/server.cfg (Definitely not wanted behavior)

Just to clarify my question, I want to know if this is possible, not a way to prevent it with, say, regexp.

Jonas Schäfer
  • 20,140
  • 5
  • 55
  • 69
ilmikko
  • 29
  • 1
  • Instead of backspaces, I would worry about ``..``, but +1 for thinking about these issues. – Jonas Schäfer Mar 01 '14 at 10:27
  • You need to sanitise the file path / file name the client is using. Using `basename($_POST['filePath'])` is a good start. – Tigger Mar 01 '14 at 10:34
  • Using basename() removes the option for the client to create subfolders, as basename("dir/foo.txt") equals basename("foo.txt"). So are you saying it is possible to do that? – ilmikko Mar 01 '14 at 10:51
  • Have a look at [Preventing Directory Traversal in PHP but allowing paths](http://stackoverflow.com/a/4205278/53114). – Gumbo Mar 01 '14 at 11:01

0 Answers0