Is str_replace function will be enough to secure this code?












0















I want to allow users read files in their directory (and subdirectories) with GET param. I have to secure this part of code, so they cannot go to upper directories with two dots. Will it be enough?



$filePath = $userDir . '/' . str_replace( '..', '', $_GET['path'] );



if(!is_file($filePath)) {

    die();

}



readfile($filePath);





php security







share|improve this question


















  • 3





    This may be personal preference, but I wouldn't let them choose the path at all (directly anyway). My suggestion is store the filenames (and fake path if you like) in a database, with a link to the real file on your filesystem. If they put in a valid file, then readfile the real file... if that makes sense.

    – Jonnix
    Jan 3 at 10:25













  • Thank you for your reply. Yes, I agree with you, but unfortunately I'm not able to change database structure.

    – Stan
    Jan 3 at 10:33











  • I'd suggest replacing ../ and .., since .. by itself could be part of a valid filename like "abc..xyz.txt"

    – jhilgeman
    Jan 3 at 20:06
















0















I want to allow users read files in their directory (and subdirectories) with GET param. I have to secure this part of code, so they cannot go to upper directories with two dots. Will it be enough?



$filePath = $userDir . '/' . str_replace( '..', '', $_GET['path'] );



if(!is_file($filePath)) {

    die();

}



readfile($filePath);





php security







share|improve this question


















  • 3





    This may be personal preference, but I wouldn't let them choose the path at all (directly anyway). My suggestion is store the filenames (and fake path if you like) in a database, with a link to the real file on your filesystem. If they put in a valid file, then readfile the real file... if that makes sense.

    – Jonnix
    Jan 3 at 10:25













  • Thank you for your reply. Yes, I agree with you, but unfortunately I'm not able to change database structure.

    – Stan
    Jan 3 at 10:33











  • I'd suggest replacing ../ and .., since .. by itself could be part of a valid filename like "abc..xyz.txt"

    – jhilgeman
    Jan 3 at 20:06














0












0








0








I want to allow users read files in their directory (and subdirectories) with GET param. I have to secure this part of code, so they cannot go to upper directories with two dots. Will it be enough?



$filePath = $userDir . '/' . str_replace( '..', '', $_GET['path'] );



if(!is_file($filePath)) {

    die();

}



readfile($filePath);





php security







share|improve this question














I want to allow users read files in their directory (and subdirectories) with GET param. I have to secure this part of code, so they cannot go to upper directories with two dots. Will it be enough?



$filePath = $userDir . '/' . str_replace( '..', '', $_GET['path'] );



if(!is_file($filePath)) {

    die();

}



readfile($filePath);





php security




php security






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Jan 3 at 10:24









StanStan

6




6








  • 3





    This may be personal preference, but I wouldn't let them choose the path at all (directly anyway). My suggestion is store the filenames (and fake path if you like) in a database, with a link to the real file on your filesystem. If they put in a valid file, then readfile the real file... if that makes sense.

    – Jonnix
    Jan 3 at 10:25













  • Thank you for your reply. Yes, I agree with you, but unfortunately I'm not able to change database structure.

    – Stan
    Jan 3 at 10:33











  • I'd suggest replacing ../ and .., since .. by itself could be part of a valid filename like "abc..xyz.txt"

    – jhilgeman
    Jan 3 at 20:06














  • 3





    This may be personal preference, but I wouldn't let them choose the path at all (directly anyway). My suggestion is store the filenames (and fake path if you like) in a database, with a link to the real file on your filesystem. If they put in a valid file, then readfile the real file... if that makes sense.

    – Jonnix
    Jan 3 at 10:25













  • Thank you for your reply. Yes, I agree with you, but unfortunately I'm not able to change database structure.

    – Stan
    Jan 3 at 10:33











  • I'd suggest replacing ../ and .., since .. by itself could be part of a valid filename like "abc..xyz.txt"

    – jhilgeman
    Jan 3 at 20:06








3




3





This may be personal preference, but I wouldn't let them choose the path at all (directly anyway). My suggestion is store the filenames (and fake path if you like) in a database, with a link to the real file on your filesystem. If they put in a valid file, then readfile the real file... if that makes sense.

– Jonnix
Jan 3 at 10:25







This may be personal preference, but I wouldn't let them choose the path at all (directly anyway). My suggestion is store the filenames (and fake path if you like) in a database, with a link to the real file on your filesystem. If they put in a valid file, then readfile the real file... if that makes sense.

– Jonnix
Jan 3 at 10:25















Thank you for your reply. Yes, I agree with you, but unfortunately I'm not able to change database structure.

– Stan
Jan 3 at 10:33





Thank you for your reply. Yes, I agree with you, but unfortunately I'm not able to change database structure.

– Stan
Jan 3 at 10:33













I'd suggest replacing ../ and .., since .. by itself could be part of a valid filename like "abc..xyz.txt"

– jhilgeman
Jan 3 at 20:06





I'd suggest replacing ../ and .., since .. by itself could be part of a valid filename like "abc..xyz.txt"

– jhilgeman
Jan 3 at 20:06












1 Answer
1






active

oldest

votes


















-1














Be careful here!



Even if you replace "../" and "..", make sure you do it recursively. Because if you don't, a malicious user can submit the following to bypass your security:



"..././"



$path = '..././';

var_dump(str_replace('../', '', $path));

// string(3) "../"


See the problem here?



You can use a do/while loop to sanitise the user input in a secure manner:



$path = '..././';



do {

    $path = str_replace(['../', '..\'], '', $path, $count);

} while ($count > 0);



var_dump($path);

// string(0) ""


But I'm with Jon on this. It's usually not a good idea to allow this, and avoid it whenever possible. Be as restrictive as you can with the filenames. Always prepend the user path instead of passing the full path via URL param.






share|improve this answer

























    Your Answer






    StackExchange.ifUsing("editor", function () {
    StackExchange.using("externalEditor", function () {
    StackExchange.using("snippets", function () {
    StackExchange.snippets.init();
    });
    });
    }, "code-snippets");

    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "1"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f54020366%2fis-str-replace-function-will-be-enough-to-secure-this-code%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    -1














    Be careful here!



    Even if you replace "../" and "..", make sure you do it recursively. Because if you don't, a malicious user can submit the following to bypass your security:



    "..././"



    $path = '..././';
    
var_dump(str_replace('../', '', $path));
    
// string(3) "../"


    See the problem here?



    You can use a do/while loop to sanitise the user input in a secure manner:



    $path = '..././';
    

    
do {
    
    $path = str_replace(['../', '..\'], '', $path, $count);
    
} while ($count > 0);
    

    
var_dump($path);
    
// string(0) ""


    But I'm with Jon on this. It's usually not a good idea to allow this, and avoid it whenever possible. Be as restrictive as you can with the filenames. Always prepend the user path instead of passing the full path via URL param.






    share|improve this answer






























      -1














      Be careful here!



      Even if you replace "../" and "..", make sure you do it recursively. Because if you don't, a malicious user can submit the following to bypass your security:



      "..././"



      $path = '..././';
      
var_dump(str_replace('../', '', $path));
      
// string(3) "../"


      See the problem here?



      You can use a do/while loop to sanitise the user input in a secure manner:



      $path = '..././';
      

      
do {
      
    $path = str_replace(['../', '..\'], '', $path, $count);
      
} while ($count > 0);
      

      
var_dump($path);
      
// string(0) ""


      But I'm with Jon on this. It's usually not a good idea to allow this, and avoid it whenever possible. Be as restrictive as you can with the filenames. Always prepend the user path instead of passing the full path via URL param.






      share|improve this answer




























        -1












        -1








        -1







        Be careful here!



        Even if you replace "../" and "..", make sure you do it recursively. Because if you don't, a malicious user can submit the following to bypass your security:



        "..././"



        $path = '..././';
        
var_dump(str_replace('../', '', $path));
        
// string(3) "../"


        See the problem here?



        You can use a do/while loop to sanitise the user input in a secure manner:



        $path = '..././';
        

        
do {
        
    $path = str_replace(['../', '..\'], '', $path, $count);
        
} while ($count > 0);
        

        
var_dump($path);
        
// string(0) ""


        But I'm with Jon on this. It's usually not a good idea to allow this, and avoid it whenever possible. Be as restrictive as you can with the filenames. Always prepend the user path instead of passing the full path via URL param.






        share|improve this answer















        Be careful here!



        Even if you replace "../" and "..", make sure you do it recursively. Because if you don't, a malicious user can submit the following to bypass your security:



        "..././"



        $path = '..././';
        
var_dump(str_replace('../', '', $path));
        
// string(3) "../"


        See the problem here?



        You can use a do/while loop to sanitise the user input in a secure manner:



        $path = '..././';
        

        
do {
        
    $path = str_replace(['../', '..\'], '', $path, $count);
        
} while ($count > 0);
        

        
var_dump($path);
        
// string(0) ""


        But I'm with Jon on this. It's usually not a good idea to allow this, and avoid it whenever possible. Be as restrictive as you can with the filenames. Always prepend the user path instead of passing the full path via URL param.







        share|improve this answer














        share|improve this answer



        share|improve this answer








        edited Jan 5 at 11:06

























        answered Jan 5 at 10:59









        NicoNico

        11




        11
































            draft saved

            draft discarded




















































            Thanks for contributing an answer to Stack Overflow!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f54020366%2fis-str-replace-function-will-be-enough-to-secure-this-code%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            -

            Popular posts from this blog

            Monofisismo

            Image
            Monofisismo (do grego: monos - "único, singular" e physis - "natureza") é o ponto de vista cristológico que defende que, depois da união do divino e do humano na encarnação histórica, Jesus Cristo, como encarnação do Filho ou Verbo ( Logos ) de Deus, teria apenas uma única "natureza", a divina, e não uma síntese de ambas. O monofisismo é contraposto pelo diofisismo (ou "diafisismo"), que defende que Jesus preservou em si as duas naturezas. Historicamente, o monofisismo se refere primordialmente à posição dos que (especialmente no Egito e, em menor grau, na Síria) rejeitaram as decisões do Concílio de Calcedônia em 451 (o quarto concílio ecumênico). Os membros mais moderados entre eles, porém, defendem a teologia "miafisita", que se tornou a oficial para as Igrejas Ortodoxas Orientais. Muitos ortodoxos orientais, porém, rejeitam essa classificação, mesmo como um termo genérico, mas ele é amplamente utilizado na literatura históri...
            Read more

            Angular Downloading a file using contenturl with Basic Authentication

            Image
            0 I have a contentUrl when user clicks on that,file should be downloaded. If I try to browse the contentUrl in the browser it asks for Userid and password.I believe this is Basic Authentication.I dont want user to enter UserId and Password so I am passing it Authorization(Please see below code). Url looks some thing like this: http://XXX.XXX.XX.XXX:8080/flowable-rest/service/runtime/tasks/90875/attachments/90555/content let username : string = 'admin'; let pwd : string = 'test'; let headers = new Headers(); headers.set('Accept', 'text/json'); headers.append('Content-Type', 'application/json'); headers.set('Access-Control-Allow-Origin', '*'); headers.set('Access-Control-Allow-Methods','POST, GET, OPTIONS, PUT, DELETE'); head...
            Read more

            Olmecas

            Image
            Monumento 1, uma das quatro cabeças colossais encontradas em La Venta, com altura aproximada de 3 metros Olmecas é a designação do povo e da civilização que estiveram na origem da antiga cultura pré-colombiana da Mesoamérica e que se desenvolveram nas regiões tropicais do centro-sul do atual México durante o pré-clássico, próximo de onde hoje estão localizados os estados mexicanos de Veracruz e Tabasco, no Istmo de Tehuantepec, numa zona designada área nuclear olmeca. A cultura olmeca floresceu nesta região aproximadamente entre 1500 e 400 a.C., [ 1 ] e crê-se que tenha sido a civilização-mãe de todas as civilizações mesoamericanas que se desenvolveram posteriormente. [ 2 ] No entanto, desconhece-se a sua exacta filiação étnica, ainda que existam numerosas hipóteses colocadas para tentar resolver esta questão. O etnónimo olmeca foi cunhado pelos arqueólogos do século XX, e não devem confundir-se com os muito posteriores olmecas-xicalancas que ocuparam vários locais do México...
            Read more