Following the answer https://stackoverflow.com/a/4205278/10329981
```php
$basepath = '/foo/bar/baz/';
$realBase = realpath($basepath);
$userpath = $basepath . $_GET['path'];
$realUserPath = realpath($userpath);
if ($realUserPath === false || strpos($realUserPath, $realBase) !== 0) {
    //Directory Traversal!
} else {
    //Good path!
}
```
How can you make sure a non-existing path is not a path traversal? Say a function creates a new path for a file that is uploaded by the user, and this directory doesn't exist in the system yet. How can I make sure that this file does not contain any path traversal? I can't use realPath() as it will return false since the directory doesn't exist.
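
One way to validate a target that does not exist yet, shown as an added example (not code from the question or the linked answer): refuse any `..` segment lexically, call `realpath()` only on the deepest ancestor that already exists, and compare it against the base with a trailing separator. The function name `resolveInsideBase` and the scratch directory in the demo are hypothetical.

```php
<?php
declare(strict_types=1);
// Returns the absolute path to create under $baseDir, or null if $userPath
// would escape it. Works when the target and its parents do not exist yet.
function resolveInsideBase(string $baseDir, string $userPath): ?string
{
    $realBase = realpath($baseDir);
    if ($realBase === false || strpos($userPath, "\0") !== false) {
        return null;
    }
    $sep = DIRECTORY_SEPARATOR;
    $prefix = rtrim($realBase, $sep) . $sep;
    // 1. Lexical pass: split on / and \, drop "" and ".", refuse any "..".
    $segments = [];
    foreach (preg_split('#[/\\\\]+#', $userPath) as $segment) {
        if ($segment === '..') {
            return null;
        }
        if ($segment !== '' && $segment !== '.') {
            $segments[] = $segment;
        }
    }
    if ($segments === []) {
        return null;
    }

    // 2. Walk up to the deepest ancestor that exists (a dangling symlink counts
    //    as existing so it cannot be skipped), then resolve symlinks in it.
    $existing = $prefix . implode($sep, $segments);
    $pending = [];
    while (!file_exists($existing) && !is_link($existing)) {
        array_unshift($pending, basename($existing));
        $existing = dirname($existing);
    }
    $realExisting = realpath($existing);

    // 3. Containment check against the base plus a trailing separator, so a
    //    base of /foo/bar/baz does not also match /foo/bar/bazaar.
    if ($realExisting === false
        || ($realExisting !== $realBase && strpos($realExisting, $prefix) !== 0)) {
        return null;
    }
    return implode($sep, array_merge([$realExisting], $pending));
}

// Constructed demo: an empty scratch base, one nested path and two climbing paths.
$base = sys_get_temp_dir() . '/upload_demo_' . getmypid();
mkdir($base);
foreach (['u42/2024/a.pdf', '../../etc/passwd', 'a/../../b.txt'] as $p) { var_dump(resolveInsideBase($base, $p)); }
rmdir($base);
```

The check and the later `mkdir()` or file write are separate steps, so the result only holds if nothing else can create symlinks under the base directory in between; keep that directory writable by the application user only.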