Ensure a user-defined path is safe in PHP

Question

I am implementing a simple directory listing script in PHP.

I want to ensure that the passed path is safe before opening directory handles and echoing the results willy-nilly.

$f = $_GET["f"];
if(! $f) {
    $f = "/";
}
// make sure $f is safe
$farr = explode("/",$f);
$unsafe = false;
foreach($farr as $farre) {
    // protect against directory traversal
    if(strpos($farre,"..") != false) {
        $unsafe = true;
        break;
    }
    if(end($farr) != $farre) {
        // make sure no dots are present (except after the last slash in the file path)
        if(strpos($farre,".") != false) {
            $unsafe = true;
            break;
        }
    }
}

Is this enough to make sure a path sent by the user is safe, or are there other things I should do to protected against attack?

You have your variables switched in the foreach() – Greg May 11 '09 at 09:17 — Greg, May 11 '09 at 09:17
:O Thanks for picking that up... – anonymous coward May 11 '09 at 09:18 — anonymous coward, May 11 '09 at 09:18

Tomalak · Accepted Answer · 2009-05-11T09:29:25.480

9

It may be that realpath() is helpful to you.

realpath() expands all symbolic links and resolves references to '/./', '/../' and extra '/' characters in the input path, and returns the canonicalized absolute pathname.

However, this function assumes that the path in question actually exists. It will not perform canonization for a non-existing path. In this case FALSE is returned.

edited May 11 '09 at 09:29

answered May 11 '09 at 09:21

Tomalak

306,836
62
485
598

So I perform realpath() on the passed path, and check if it is underneath my 'safe' directory? – anonymous coward May 11 '09 at 09:26
Exactly. Since you get a no-nonsense path back (or FALSE), you can do a simple substring compare as the check. – Tomalak May 11 '09 at 09:29

Ensure a user-defined path is safe in PHP

1 Answers1