PHP - Sanitizing input for file_exits() and include()

Question

For reasons beyond my control, I need to accept user/visitor requests to check for and include files from the server. The files that will be requested and included have to be in the directory or one of the subdirectories of the script that loads them, so nothing higher up in the file tree. Also, nothing from the folder named /resources/ should be accessible.

Is it enough to check for '../' and 'resources/' in the request string to make including these files safe? If not, what else should I be looking for?

Similar question: [Preventing Directory Traversal in PHP but allowing paths](http://stackoverflow.com/q/4205141/53114) — Gumbo, Mar 15 '14 at 08:52

deceze · Accepted Answer · 2014-03-15T09:06:15.827

1

$path    = realpath($file);  // resolves all ../
$allowed = '/foo/bar/baz/';

if (strpos($path, $allowed) !== 0) {
    die('not allowed');
}

if (strpos($path, '/foo/bar/baz/resources/') === 0) {
    die('not allowed');
}

edited Mar 15 '14 at 09:06

answered Mar 15 '14 at 08:47

deceze

510,633
85
743
889

realpath() - brilliant! – TimSim Mar 15 '14 at 08:49
1

This means `/foo/bar/baz_quux` is just as allowed as `/foo/bar/baz/resources_quux` is disallowed. – Gumbo Mar 15 '14 at 08:53
1

So, add a forward slash after baz and resources? – TimSim Mar 15 '14 at 08:56

PHP - Sanitizing input for file_exits() and include()

1 Answers1