I have the following script to secure a page from a directory traversal attack:
    function secure_file_path($file_path){
        // Only paths that mention the themes or plugins directory are considered at all
        preg_match('/(wp\-content\/themes|wp\-content\/plugins)/', $file_path, $matches);
        if(count($matches) > 0){
            // Reject anything containing ".." (with or without surrounding slashes)
            preg_match('/(\/*\.{2}\/*)/', $file_path, $dir_traversal);
            if(count($dir_traversal) > 0){
                return false;
            }
            return true;
        }
        return false;
    }
secure_file_path() is called before I run DirectoryIterator, to check that the path contains the string wp-content/plugins or wp-content/themes and also to check for "..". But is this secure enough?
PS: an example input for $file_path could be /home/linux_user/www/wp-content/themes/ltru/../../../../../../etc/passwd
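The following is an added example, not the asker's code and not part of the original post. It runs the posted regex check side by side with a realpath()-based check over a small directory tree constructed under the system temp directory, so the two behaviours can be compared on the same inputs: a legitimate theme file, the "..' traversal from the question, a path under a different directory that merely contains the substring wp-content/themes, and (where the platform allows it) a symlink inside the themes directory pointing outside it. The directory and file names, the helper names and the use of a temp directory are assumptions made for the demonstration.

```php
<?php
// Added example (not the asker's code): the posted regex check beside a
// canonicalisation-based check, run over a constructed directory tree.
// All paths, file names and helper names below are assumptions for the demo.

// The check from the question, condensed but with the same logic: the path
// must mention wp-content/themes or wp-content/plugins, and must not
// contain "..".
function secure_file_path_regex(string $file_path): bool
{
    if (!preg_match('~wp-content/(themes|plugins)~', $file_path)) {
        return false;
    }
    return !preg_match('~/*\.{2}/*~', $file_path);
}

// Canonicalisation-based check: let the filesystem resolve ".." and
// symlinks, then require the result to sit inside an allow-listed base.
function path_is_inside(string $file_path, array $allowed_bases): bool
{
    $real = realpath($file_path);
    if ($real === false) {
        return false; // nonexistent, or a component is not traversable
    }
    foreach ($allowed_bases as $base) {
        $real_base = realpath($base);
        if ($real_base === false) {
            continue;
        }
        $real_base = rtrim($real_base, DIRECTORY_SEPARATOR);
        $prefix    = $real_base . DIRECTORY_SEPARATOR;
        // Comparing with the trailing separator stops "/x/themes-old"
        // from matching the base "/x/themes".
        if ($real === $real_base || strncmp($real, $prefix, strlen($prefix)) === 0) {
            return true;
        }
    }
    return false;
}

// Constructed tree under the system temp dir (removed again at the end).
$root    = sys_get_temp_dir() . '/travdemo_' . getmypid();
$themes  = "$root/www/wp-content/themes";
$plugins = "$root/www/wp-content/plugins";
mkdir("$themes/ltru", 0700, true);
mkdir($plugins, 0700, true);
mkdir("$root/www/outside", 0700, true);
mkdir("$root/elsewhere/wp-content/themes", 0700, true);
file_put_contents("$themes/ltru/style.css", "body{}");
file_put_contents("$root/www/outside/secret.txt", "secret");
file_put_contents("$root/elsewhere/wp-content/themes/evil.php", "<?php");
// Symlink creation may fail on some platforms; the case is skipped then.
$have_link = @symlink("$root/www/outside", "$themes/link");

$cases = [
    'legit theme file'            => "$themes/ltru/style.css",
    'dot-dot traversal'           => "$themes/ltru/../../../outside/secret.txt",
    'substring match outside www' => "$root/elsewhere/wp-content/themes/evil.php",
];
if ($have_link) {
    $cases['symlink out of themes'] = "$themes/link/secret.txt";
}

foreach ($cases as $label => $path) {
    printf("%-28s regex=%-4s realpath=%s\n",
        $label,
        secure_file_path_regex($path) ? 'pass' : 'FAIL',
        path_is_inside($path, [$themes, $plugins]) ? 'pass' : 'FAIL');
}

// Cleanup: delete children first; symlinks are unlinked, not followed.
$it = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
    RecursiveIteratorIterator::CHILD_FIRST
);
foreach ($it as $entry) {
    if ($entry->isDir() && !$entry->isLink()) {
        rmdir($entry->getPathname());
    } else {
        unlink($entry->getPathname());
    }
}
rmdir($root);
```

Run it with the PHP CLI (php demo.php). Both checks accept the legitimate theme file and both reject the ".." traversal. The two checks part ways on the other cases: the regex passes the file under elsewhere/wp-content/themes, because it only looks for a substring and never anchors the path to the real document root, and it passes the symlinked path, because the string contains no ".." even though the file it names lives outside the themes directory. The realpath() check rejects both, since it compares the resolved location with the allow-listed base rather than inspecting the string. Two caveats on realpath(): it returns false for a file that does not exist yet, so a check that must run before a file is created needs a different approach, and the allow-listed base itself must be resolved the same way, as path_is_inside() does, or a symlinked base directory will never match.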