character encoding - Is ASCII "../" the only byte sequence that indicates a directory traversal in PHP?
I have a PHP app in which JS / CSS files are selected via a $_GET parameter that is used on the file system. If I deny all requests in which the input string contains a byte outside the 7-bit ASCII range, or contains ./ or \, is that enough to prevent parent-directory traversal when the path is passed to PHP's underlying (C-based) file functions? I know about ../, but are there any other alternative / perverse character-encoding tricks that might slip past these checks?
Here is the basic idea (not production code):

    $f = $_GET['f']; // e.g. "path/to/file.js"
    // Goal: only select CSS / JS files within DOC_ROOT
    if (!preg_match('@^[\x20-\x7E]+$@', $f)                  // non-visible / non-ASCII bytes
        || false !== strpos($f, './')                         // has ./
        || false !== strpos($f, '\\')                         // has \
        || 0 === strpos(basename($f), '.')                    // is a hidden file
        || !preg_match('@\.(css|js)$@i', $f)                  // not js / css
        || !is_file($_SERVER['DOCUMENT_ROOT'] . '/' . $f)) {
        die();
    }
    $content = file_get_contents($_SERVER['DOCUMENT_ROOT'] . '/' . $f);

My question is really about how the filesystem interprets odd ASCII sequences (e.g. whether some escape sequence is interpreted), but I know that this is likely system-dependent and perhaps academic in practice.
Yes, realpath() would ensure that the file is within DOC_ROOT, but the goal of this post was to avoid realpath() (it proved unreliable in various environments) while still allowing uncommon but valid URIs like /~user/[my files]/file.plugin.js.
As you mention yourself, the known route is to realpath() the input and compare it to DOC_ROOT. That is the best solution I can think of, since it will resolve any hidden attributes of the path / file system, including symlinks.
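The resolve-and-compare check the answer recommends, written out as an added example (this is not the asker's or the answerer's code). It keeps the cheap syntactic filters from the question as a first pass, then resolves both the document root and the requested file with realpath() and requires the resolved file to sit under the resolved root. The document root, the sample files, the symlink and the request strings below are all constructed fixtures for the demo; the names select_asset and the temp directory layout are assumptions, not anything from the original post.

```php
<?php
// Added example: resolve-and-compare containment check for a $_GET['f']-style
// asset selector. select_asset() and the fixture layout are assumptions.

function select_asset(string $docRoot, string $f): ?string
{
    // Cheap syntactic filters first: printable 7-bit ASCII only (this also
    // rejects NUL bytes, which realpath() would refuse anyway), and only
    // .css / .js names.
    if (!preg_match('@^[\x20-\x7E]+$@', $f)) {
        return null; // non-printable or non-ASCII byte present
    }
    if (!preg_match('@\.(css|js)$@i', $f)) {
        return null; // wrong extension
    }

    // realpath() canonicalises "..", ".", repeated separators and symlinks,
    // and returns false when the target does not exist.
    $root = realpath($docRoot);
    $real = realpath($docRoot . '/' . $f);
    if ($root === false || $real === false) {
        return null;
    }

    // Containment: the resolved file must start with the resolved root plus a
    // separator, so "/srv/htdocs2/x.js" cannot pass for root "/srv/htdocs".
    $rootPrefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $rootPrefix, strlen($rootPrefix)) !== 0) {
        return null; // escaped the root via ".." or a symlink pointing outside
    }
    if (!is_file($real)) {
        return null; // directories and special files are not assets
    }
    return $real;
}

// Constructed fixture (POSIX): a fake document root containing one plain
// asset, one asset under an unusual but valid path, and a symlink that
// points to a file outside the root.
$tmp  = sys_get_temp_dir() . '/traversal_demo_' . getmypid();
$root = $tmp . '/htdocs';
mkdir($root . '/~user/[my files]', 0700, true);
file_put_contents($root . '/app.js', 'console.log(1);');
file_put_contents($root . '/~user/[my files]/file.plugin.js', '/* ok */');
file_put_contents($tmp . '/secret.js', '/* outside the root */');
symlink($tmp . '/secret.js', $root . '/linked.js');

$requests = [
    'app.js',                           // legitimate
    '~user/[my files]/file.plugin.js',  // unusual but valid, must be allowed
    '../secret.js',                     // plain traversal, rejected by containment
    '~user/../../secret.js',            // traversal behind an existing directory
    'linked.js',                        // symlink escaping the root
    "app.js\0.txt",                     // NUL byte, rejected by the ASCII filter
];
foreach ($requests as $r) {
    $res = select_asset($root, $r);
    printf("%-35s => %s\n", addcslashes($r, "\0"),
        $res === null ? 'DENIED' : 'OK ' . substr($res, strlen(realpath($root))));
}

// Clean up the fixture.
unlink($root . '/linked.js');
unlink($root . '/~user/[my files]/file.plugin.js');
unlink($root . '/app.js');
unlink($tmp . '/secret.js');
rmdir($root . '/~user/[my files]');
rmdir($root . '/~user');
rmdir($root);
rmdir($tmp);
```

Run it with `php` from the command line; the two legitimate requests resolve to paths under the root and print OK, while both traversal forms, the out-of-root symlink and the NUL-byte name print DENIED. The point of comparing two realpath() results rather than the raw strings is that the check no longer depends on recognising every spelling of "..": whatever the filesystem does with the bytes, the resolved location is what is compared.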