-1

I'm trying to modify a plugin so that image files from a directory can be deleted with an html link. My code spits out a table containing an image thumbnail, a link to the image, and a link to delete the file:

<?php                                                   
   $dirname = "../wp-content/themes/teenclub/images/slider/"; 
   $images = scandir($dirname); 
   $ignore = array(".", "..", ".DS_Store");

   foreach($images as $curimg){ 
       if(!in_array($curimg, $ignore)) {
       echo "<tr ><td><img width='200' src='$dirname$curimg'/></td><td><a href='$dirname$curimg'/>$curimg</a></td><td><a href='../wp-content/plugins/wp-easy-uploader/delete.php?file=$curimg'>Delete</a></td></tr>"; 
       };
   }                         
?>

delete.php:

<?php
$dir = '/Users/edmcmanwich/Desktop/TEMP/dev.teenclub.com';
$file = $dir.'/'.$_GET["file"];

if(is_writable($file)) {
  unlink($file);
} else {
  echo 'you dont have perms dude';
}
?>

I get the message saying I don't have permission but I've chmod all the files to 777. In addition MAMP's php_error.log give me this:

[01-Feb-2012 21:10:13] PHP Warning:  unlink(../wp-content/themes/teenclub/images/slider/kids.png) [<a href='function.unlink'>function.unlink</a>]: No such file or directory in /Users/edmcmanwich/Desktop/TEMP/dev.teenclub.com/wp-content/plugins/wp-easy-uploader/delete.php on line 4

The directory and file name are correct so I just don't understand what the problem is...

hakre
  • 193,403
  • 52
  • 435
  • 836
Nicholas Arehart
  • 135
  • 2
  • 13
  • 4
    OH JESUS CHRIST. **NEVER** DELETE FILES WITH A GET REQUEST. – Ignacio Vazquez-Abrams Feb 02 '12 at 05:34
  • 1
    Just to add a voice of reason, this breaks nearly every best practice I know about. You should never use GET for actions that have side effects. For more information see [RFC2616 Section 9](http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html) `convention has been established that the GET and HEAD methods SHOULD NOT have the significance of taking an action other than retrieval` – Devin M Feb 02 '12 at 05:40
  • Okay, well, I kind of knew this wasn't a very secure way to go about this. Can you guys point me in the direction of something more appropriate? – Nicholas Arehart Feb 02 '12 at 05:57
  • 1
    A POST request via JavaScript with XSS prevention. – Ignacio Vazquez-Abrams Feb 02 '12 at 06:18

2 Answers2

0

You must have the directories wrong.

unlink shows a file location of ../wp-content/themes/teenclub/images/slider/kids.png yet your directory is set as /Users/edmcmanwich/Desktop/TEMP/dev.teenclub.com. So, your full path should be /Users/edmcmanwich/Desktop/TEMP/dev.teenclub.com/../wp-content/themes/teenclub/images/slider/kids.png (or /Users/edmcmanwich/Desktop/TEMP/dev.teenclub.com/kids.png according to your source), which isn't the case according to your error message.

Run echo getcwd(); to see what directory your delete script is running at, you should see that the file path is incorrect. Or, the file was already deleted and is therefore does not exist.

Also, this is horribly insecure, as anybody can pass anything they want to $_GET['file'] and potentially delete the file. For example, if you screwed with the permissions on /etc/passwd, somebody could delete it with ../../../../../../../../../../../../etc/passwd.

nickb
  • 59,313
  • 13
  • 108
  • 143
0

Well, you already know that this is bad practice however the issue your running in to most likely involves your use of a relative path.

Try wrapping the file path with realpath and see if that fixes the problem. Also be aware that if realpath is called with a null argument it will return the current directory which you would most certainly not want to delete.

For more information see the documentation for unlink and the file:// protocol.

Devin M
  • 9,636
  • 2
  • 33
  • 46