0

I have a front controller index.php through which all requests are directed. I'd like to load content from flat files based on the URI. For example a request to / will try to read ../content/index.md from the filesystem, and /whacky/waving from ../content/whacky/waving/index.md.

Do I need to sanitize the incoming $_SERVER['REQUEST_URI'] against attack? Is it possible for users to request http://domain.com/../../../../etc/groups, for example?

My first thought was to strip anything which is not 0-9a-z\-\/_ but for development I am running the built-in PHP server which requires me to catch static assets with dots in.

I was making progress with PHP's realpath() function as it resolves things like /../ - I checked that output to make sure it was within the web root for safety. Of course it doesn't work for non-existent files.

EDIT: I don't believe this is a duplicate of Sanitizing strings to make them URL and filename safe? because it doesn't discuss possible security implications of using a user-supplied URI on the file system. It focusses on character sets and generating slugs for new files (which can conform to any constraint the author wants) rather than sanitizing a URL to a valid filesystem path safely. I thought the difference was worth asking a new question.

Community
  • 1
  • 1
NoChecksum
  • 1,206
  • 1
  • 14
  • 31
  • 3
    Possible duplicate of [Sanitizing strings to make them URL and filename safe?](http://stackoverflow.com/questions/2668854/sanitizing-strings-to-make-them-url-and-filename-safe) – swidmann Nov 13 '15 at 10:03
  • Not exactly answering the question... if you have access to apache, you can make an alias, then apache will deal with the permissions. Then you'd need to allow requests to those files to be served direct (rather than via php), but it would seem like a simpler solution (ie how images and css are normally served). – Chris Lear Nov 13 '15 at 10:45

0 Answers0