3

My question is about PHP security for this particular operation:

I want to use javascript to pull all json files from a particular directory on my web server. I have done like so: I pull all the correct file names with this PHP script ("get-data.php"):

<?php
echo json_encode(glob('*.json'));
?>

Then I move that array into javascript with 

var oReq = new XMLHttpRequest();
oReq.onload = function() {
    fileNames = JSON.parse(this.responseText);
};
oReq.open("get", "get-data.php", true);
oReq.send();

Then I use the following to read the files into an array:

function getMapInfo(fileName){
    $.get(fileName, function(result) {
        var map = JSON.parse(result);
        mapData.push(map);
    });
 }

I got some of this code from here: How to pass variables and data from PHP to JavaScript? and I have read up on xss a little here and here and it is my understanding that "untrusted data" is data that the user would enter which would then be run in a script? I believe that my above solution doesn't contain unsafe data since it only pulls files that are already on my server, is that correct?

Overall, my question is: is this a safe way to allow my code to retrieve multiple unknown files from my server? Eventually, I want uses to "save" map data to the server which will then be read by the above script for others to see.

Thanks very much,

Jordan

Community
  • 1
  • 1
Jordan
  • 3,813
  • 4
  • 24
  • 33
  • 2
    Should be safe, you're only sending a list of filenames as JSON to the client, and as long as you don't let the user select filenames or folders so they can possibly download other files that may contain sensitive data, it's fine. – adeneo Jan 05 '15 at 05:10
  • Great! I'm nervous about web security because I'm a bit new to it, but I'm glad I got this much right :) – Jordan Jan 05 '15 at 05:12
  • 3
    Better to be nervous and conscious of web security than blind and negligent – charlietfl Jan 05 '15 at 05:12
  • 2
    Your security issues will be in the 'eventually' section - allowing users to save the data. Their files (and names) will be untrusted data and will be what you have to take lots of care over. – Matt Parker Jan 06 '15 at 13:55

1 Answers1

1

Yes, this is perfectly safe. You will just need to ensure the security is part of the php code when needed, by limiting or filtering what it can select (already fine there) and how .json files are validated and stored, once that is addressed you will be fine and your existing solution is perfectly safe. You can also modify .htaccess file to hide folder content if you have a concern about others viewing directories on your website.

tjl
  • 68
  • 1
  • 6