I have a question. I got a PHP script (PHP 5) which is saving a URL-Parameter $_GET['file']
to the variable $file
. Is there now a way to check if this variable is a valid filename (for example: hello.txt
and not /../otherdir/secret.txt
). Because without checking the $file variable a hacker would be able to use the /../
to get to my parent folder.
POSIX "Fully portable filenames" lists these: A-Z
a-z
0-9
.
_
-
Use this code to validate the filename against POSIX rules using regex:
/
- forward slash (if you need to validate a path rather than a filename)\w
- equivalent of [0-9a-zA-Z_]
-
.
- dash dot space$filename = '../../test.jpg';
if (preg_match('/^[\/\w\-. ]+$/', $filename))
echo 'VALID FILENAME';
else
echo 'INVALID FILENAME';
If you want to ensure it has no path (no forwardslash) then change the regex to '/^[\w\-. ]+$/'
.
Instead of checking valid characters why not looking for character you don't want. Also filenames are limited to 255 characters:
function valid_filename(string $filename)
{
if (strlen($filename) > 255) { // no mb_* since we check bytes
return false;
}
$invalidCharacters = '|\'\\?*&<";:>+[]=/';
if (false !== strpbrk($filename, $invalidCharacters)) {
return false;
}
return true;
}
valid_filename('hello'); // true
valid_filename('hello.php'); // true
valid_filename('foo:bar.php'); // false
valid_filename('foo/bar'); // false
Adapt $invalidCharacters
according to your needs/OS.
Source: https://www.cyberciti.biz/faq/linuxunix-rules-for-naming-file-and-directory-names/
You may have a look in php's basename
function, it will return with filename, see example below:
$file = '../../abc.txt';
echo basename($file); //output: abc.txt
Note: basename
gets you the file name from path string irrespective of file physically exists or not. file_exists
function can be used to verify that the file physically exists.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With