
I don't know much about PHP, but I need a script that lets me download a file via a parameter. The files all end with, let's say, .dat. So what I do is

    $id = $_POST['id'];                     // attacker-controlled request parameter

    $searchparam = sprintf("%s.dat", $id);  // the id is pasted straight into a glob pattern

    $files = glob($searchparam);            // wildcards and ../ segments in $id are interpreted here

Now I could imagine someone adding a path like '../../' and then being able to download some file from the root, but there are no .dat files there. But maybe someone could somehow bypass the ending and download any file of their choosing.

Often it is suggested to do `preg_replace('/[^-a-zA-Z0-9_]/'`, but then someone said that one could use hex numbers that would then be interpreted as special characters.

Often I read that I should not sanitize the input but rather make sure the parameter is properly put into the command.

So how vulnerable is my script, or the glob command?

NikkyD
  • You could also forbid users to type `..` – Daan Nov 05 '15 at 13:42
  • You can simply cast your input to integer: `$id = (int)$_POST['id'];` - and YES, you NEED to sanitize your post parameter. – pmayer Nov 05 '15 at 13:50
  • @PatrikMayer an id can also have letters – jmattheis Nov 05 '15 at 13:53
  • The user is not inputting this, but that doesn't stop someone from calling the PHP with their own application/client. The id consists of letters and numbers. – NikkyD Nov 05 '15 at 13:54
  • No, it could not. See [Wikipedia: Integer](https://en.wikipedia.org/wiki/Integer_%28computer_science%29). Integers are 1, 2, 3, etc. (signed/unsigned). If you want to allow alphanumeric filenames you may want to only allow a-z and 0-9 as valid characters. You can accomplish this by using [preg_match()](http://php.net/manual/de/function.preg-match.php). – pmayer Nov 05 '15 at 13:56
  • Have a read of the first answer to this question: http://stackoverflow.com/questions/3126072/what-are-the-best-php-input-sanitizing-functions – pmayer Nov 05 '15 at 15:14
  • Also, sorry that I understood you wrong. You can sanitize the input with `filter_var()` as stated in the linked question. BUT you have to make sure no one can read files on the server that you don't want them to. You can check with `is_file()`, but this will also be true for `/etc/passwd`. The only possibility is to narrow the allowed chars which come from the user input. So don't allow a `/`, don't allow a `*`, etc. – pmayer Nov 05 '15 at 15:18
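Added example, not code from the question or its comments: it runs the question's sprintf+glob lookup against a wildcard, a `../` segment and a symlink, beside a lookup that rejects (rather than strips) anything but a short alphanumeric id with preg_match(), as the comments suggest, and then confines the resolved path to a fixed directory with realpath(). The directory layout, the file names and the data directory prefix are constructed for the demo; the symlink step assumes a POSIX filesystem.

```php
<?php
declare(strict_types=1);

// Added example; not the question's original code. Builds a scratch tree
// (hypothetical layout) to show what glob() does with attacker-controlled ids,
// next to a lookup that confines the id to a fixed directory.

$base    = sys_get_temp_dir() . '/glob-demo-' . getmypid();
$dataDir = $base . '/data';
mkdir($dataDir, 0700, true);

// Constructed sample files: two legitimate .dat files, a .dat file outside the
// data directory, a non-.dat secret, and a symlink inside the data directory
// that points at the secret.
file_put_contents("$dataDir/abc123.dat", "legit payload\n");
file_put_contents("$dataDir/zz99.dat",   "another legit payload\n");
file_put_contents("$base/outside.dat",   "not meant to be reachable\n");
file_put_contents("$base/secret.txt",    "not a .dat file at all\n");
symlink("$base/secret.txt", "$dataDir/link.dat");   // POSIX only

// The question's lookup, with the data directory prefixed (assumption): the id
// is pasted into a glob pattern, so wildcards and ../ segments are interpreted.
function vulnerable_lookup(string $dataDir, string $id): array
{
    $searchparam = sprintf('%s/%s.dat', $dataDir, $id);
    return glob($searchparam) ?: [];
}

// Hardened lookup: reject (do not strip) anything but a short alphanumeric id,
// build the path from a fixed directory, then resolve it with realpath() and
// insist the result still lies under that directory. \A and \z are used rather
// than ^ and $ because $ also matches before a trailing newline.
function safe_lookup(string $dataDir, string $id): ?string
{
    if (!preg_match('/\A[A-Za-z0-9]{1,64}\z/', $id)) {
        return null;                       // not a plain id: refuse outright
    }
    $realDir = realpath($dataDir);
    $real    = realpath($dataDir . '/' . $id . '.dat');
    if ($realDir === false || $real === false) {
        return null;                       // directory or file does not exist
    }
    $prefix = $realDir . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;                       // escaped via symlink: refuse to serve
    }
    return $real;                          // safe to hand to readfile()
}

// Constructed probe ids, one per failure mode.
$ids = [
    'abc123',     // legitimate id
    '*',          // wildcard: enumerates every .dat in the directory
    '../*',       // traversal plus wildcard: reaches .dat files one level up
    'link',       // passes the regex, but the file is a symlink pointing outside
    "abc123\n",   // trailing newline, which a ^...$ regex would let through
];

foreach ($ids as $id) {
    $vuln = array_map('basename', vulnerable_lookup($dataDir, $id));
    $safe = safe_lookup($dataDir, $id);
    printf("%-12s vulnerable: %-28s safe: %s\n",
        json_encode($id),
        implode(',', $vuln) ?: '(none)',
        $safe === null ? 'rejected' : basename($safe));
}

// Remove the scratch tree.
foreach (["$dataDir/abc123.dat", "$dataDir/zz99.dat", "$dataDir/link.dat",
          "$base/outside.dat", "$base/secret.txt"] as $f) {
    unlink($f);
}
rmdir($dataDir);
rmdir($base);
```

Run it with `php glob-demo.php`. Two things the output makes visible. First, glob() never drops the `.dat` suffix the pattern ends with, so the exposure in the original code is enumeration (`*` lists every `.dat` file) and traversal to other `.dat` files (`../*`), not arbitrary-file download; the one classic suffix-truncation trick, a NUL byte in the id, has been refused by PHP's filesystem functions since 5.3.4 and is rejected by the whitelist in any case. Second, a whitelist that rejects instead of strips makes the hex-encoding worry moot: PHP has already URL-decoded the request body by the time `$_POST['id']` is populated, so whatever reaches preg_match() is the final byte string, and anything outside `[A-Za-z0-9]` fails. The realpath() prefix check is what catches the `link` case, which the regex alone cannot see.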

0 Answers