3

My PHP script uses $_POST['fileUrl']; to retrieve a file for the user, which I believe poses a security threat because anyone could append "../../" etc to the fileUrl to gain access to other files on my server.

I need to find the best (most secure) way to limit files my script can access to a specific directory. From what I've read setting the open_basedir flag will limit my script's access to the path specified.

script.php

$fileUrl = $_POST['fileUrl'];
$content = chunk_split(base64_encode(file_get_contents($fileUrl)));

.htaccess

php_flag open_basedir  "var/www/vhosts/mydomain.com/php_can_only_access_files_in_this_directory/"

Is there a better way to do this? Is this script completely secure from accessing folders outside the open_basedir?

Matthew Lundstrom
  • 117
  • 1
  • 9

2 Answers2

1

If you want to avoid people performing directory traversal attacks by using ../../ in the file name you would be better off calling basename on the user supplied input to strip it down to a filename only.

See http://au2.php.net/basename for more details.

It is worth noting that the open_basedir flag only affects functions that check for it, in the past there have been several cases where php functions ignore the open_basedir flag, particularly in extensions such as imagemagick. Hence you should rather rely on secure coding practices and file permissions to restrict access to files.

Johnny Fingers
  • 76
  • 2
1

s/php_flag/php_value/.

php_flag doesn't work consistently for open_basedir, when it does work at all. php_flag is for flags , php_value is for values . "path/:another/path/" is a value.

Bartłomiej Semańczyk
  • 59,234
  • 49
  • 233
  • 358
Joseph Thestor
  • 11
  • 1