- Posted on
- Frank Mutze
March 29, 2006, 9:31 am
1. Validate the path and filename being downloaded
2. Don't run the webserver as root
3. Let Unix security help you.
Or, better yet - don't let them input the filename being downloaded. Rather,
give them a list of files and let them select. But don't give them the
filenames themselves - just descriptions. Look up the filenames when they
select which file they want to download.
Remove the "x" from my email address
JDS Computer Training Corp.
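The approach Jerry describes, as an added example (this is not Jerry's code): the browser only ever sees an opaque id and a description, and download.php looks the real filename up from a catalogue that the client cannot influence. DOWNLOAD_DIR, the CATALOGUE entries and the `id` parameter name are assumptions for this example; a real site would keep the catalogue in a database.

```php
<?php
// Added example (not from the thread): download page that never lets the
// client name a file. Assumptions: DOWNLOAD_DIR sits outside the web root,
// and CATALOGUE is a constructed stand-in for a database table.

const DOWNLOAD_DIR = '/srv/downloads';

const CATALOGUE = [
    'brochure'  => ['file' => 'brochure-2006.pdf', 'desc' => 'Product brochure (PDF)'],
    'pricelist' => ['file' => 'prices.xls',        'desc' => 'Current price list (Excel)'],
];

// Render the selection list: ids and descriptions only, no filenames.
function render_list(): string
{
    $html = "<ul>\n";
    foreach (CATALOGUE as $id => $entry) {
        $html .= sprintf(
            "  <li><a href=\"download.php?id=%s\">%s</a></li>\n",
            rawurlencode($id),
            htmlspecialchars($entry['desc'], ENT_QUOTES, 'UTF-8')
        );
    }
    return $html . "</ul>\n";
}

// Map an id to an absolute path, or null if the id is unknown or the file is gone.
// Nothing the client typed is ever used as part of a path.
function file_for_id($id): ?string
{
    if (!is_string($id) || !isset(CATALOGUE[$id])) {
        return null;
    }
    $path = DOWNLOAD_DIR . DIRECTORY_SEPARATOR . CATALOGUE[$id]['file'];
    return is_file($path) ? $path : null;
}

// Stream a catalogued file with a Content-Disposition name that cannot
// break out of the quoted header value.
function send_file(string $path): void
{
    $name = str_replace(['"', "\r", "\n"], '', basename($path));
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}

// download.php entry point
$path = file_for_id($_GET['id'] ?? null);
if ($path === null) {
    http_response_code(404);
    exit('No such download');
}
send_file($path);
```

Because the id is only ever a key into the array, a request such as `id=../../etc/passwd` simply fails the `isset()` check; there is no path to sanitise. Keeping DOWNLOAD_DIR outside the document root also means the files are unreachable except through this script, which is where Jerry's points 2 and 3 (an unprivileged web server user and Unix permissions) do the rest of the work.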
Use http://uk.php.net/realpath to convert it to a normal path and then use
one of the many string comparing functions to check it's within your
Andy Jeffries MBCS CITP ZCE | gPHPEdit Lead Developer
http://www.gphpedit.org | PHP editor for Gnome 2
http://www.andyjeffries.co.uk | Personal site and photos
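The realpath() check Andy sketches, written out as an added example (this is not Andy's code). It assumes the files live in a directory passed as $downloadDir and that the client sends the name in a `file` parameter; the demonstration layout at the end is constructed in a temporary directory so the script runs on its own.

```php
<?php
// Added example (not from the thread): canonicalise the requested path with
// realpath() and accept it only if it lies inside the download directory.

function resolve_download(string $requested, string $downloadDir): ?string
{
    // PHP 8 throws on embedded NUL bytes in paths; reject them explicitly.
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    $base = realpath($downloadDir);
    if ($base === false) {
        return null; // download directory missing: refuse everything
    }
    // Always build the candidate under the base; a leading '/' in the
    // request then becomes an extra separator rather than an absolute path.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false) {
        return null; // realpath() returns false for nonexistent or unreadable paths
    }
    // Compare with a trailing separator so that /srv/files does not
    // accept /srv/files-private/secret.txt as "inside".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null; // '../' sequences or a symlink led outside the directory
    }
    return is_file($candidate) ? $candidate : null;
}

// Demonstration on a constructed layout in a temporary directory.
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dl-' . bin2hex(random_bytes(4));
mkdir($tmp . '/files', 0700, true);
file_put_contents($tmp . '/files/report.pdf', 'pdf bytes');
file_put_contents($tmp . '/secret.txt', 'not for download');
symlink($tmp . '/secret.txt', $tmp . '/files/link-out');

$requests = ['report.pdf', '../secret.txt', '/../secret.txt', 'link-out', 'missing.pdf'];
foreach ($requests as $req) {
    $resolved = resolve_download($req, $tmp . '/files');
    printf("%-16s -> %s\n", $req, $resolved ?? 'REJECTED');
}
```

Two details matter here. realpath() follows symlinks, so a link inside the directory that points at /etc/passwd resolves to the target and fails the prefix test. And the prefix must end in a separator: a bare strncmp() against "/srv/files" would also accept "/srv/files-private/...". Note that realpath() only works on paths that exist, which is why the missing-file case is rejected by the `false` check rather than by is_file().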
Jerry already suggested a good way, but you can also try it with a checksum
to see that you did generate the filename by recalculating the check.
Say your filename is 'validfile.pdf'. You calculate a checksum for it, for
example by prepending a static password and md5'ing it.
// The file the generated link points to
$filename = 'validfile.pdf';
// Checksum over the filename plus a secret "scrambler" string
$checksum = md5($filename.'supercalifragislisticexpialidocious');
Then echo the link:
In download.php, before outputting the file, you recalculate the checksum the
same way and compare it to the given checksum.
If they match, it was indeed a link you generated and a file you generated,
but if it was changed to something like
filename=../../../../../../../../../../../../etc/passwd then the checksums
do not match (or at least the possibility of a false file name matching is
close to non-existent).
I used a scrambler 'supercalifragislisticexpialidocious' here, because
simply md5'ing the filename can be reproduced, but by adding the secret
scrambling key you also ensure that a hacker doesn't outsmart you by also
md5'ing his filename. Without the correct scrambling key the md5 will be
different, and since it is a one-way function, you cannot reproduce the
scrambling key from the md5 hash.
The way Jerry suggested is easier, but this is another way to achieve it.
"I am not a bad person, but apples are my livelihood." -Perttu Sirvi
firstname.lastname@example.org | Gedoon-S @ IRCnet | rot13(email@example.com)
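The keyed-checksum scheme from the post above, as an added example (this is not the poster's code). The post computes md5($filename . $secret); the example below uses hash_hmac(), which is the standard keyed-hash construction for exactly this purpose, and hash_equals() for the comparison. DOWNLOAD_DIR, LINK_KEY and the parameter names are assumptions for this example, and the key shown is a placeholder standing in for a long random value kept out of the web root.

```php
<?php
// Added example (not from the thread): sign download links with a keyed hash
// and verify the signature in download.php before touching the filesystem.
// Assumptions: DOWNLOAD_DIR holds the files; LINK_KEY plays the role of the
// post's "scrambler" and must be random and secret in real use.

const DOWNLOAD_DIR = '/srv/downloads';
const LINK_KEY = 'supercalifragislisticexpialidocious'; // placeholder, not a real key

// Keyed checksum over the filename: only a holder of LINK_KEY can produce it.
function link_checksum(string $filename): string
{
    return hash_hmac('sha256', $filename, LINK_KEY);
}

// Build the link that gets echoed into the page.
function download_link(string $filename): string
{
    return 'download.php?filename=' . rawurlencode($filename)
         . '&checksum=' . link_checksum($filename);
}

// Recompute the checksum and return the file path only if it matches.
function verify_download($filename, $checksum): ?string
{
    if (!is_string($filename) || !is_string($checksum) || $filename === '') {
        return null;
    }
    // hash_equals() compares in constant time, so the check does not leak
    // how many leading characters of a forged checksum were right.
    if (!hash_equals(link_checksum($filename), $checksum)) {
        return null; // filename or checksum was altered after the link was generated
    }
    // Only bare filenames are ever signed, so any directory part is bogus.
    if ($filename !== basename($filename)) {
        return null;
    }
    $path = DOWNLOAD_DIR . DIRECTORY_SEPARATOR . $filename;
    return is_file($path) ? $path : null;
}

// Demonstration with constructed requests.
$link = download_link('validfile.pdf');
parse_str((string) parse_url($link, PHP_URL_QUERY), $query);
printf("generated link: %s\n", $link);
printf("checksum matches original filename: %s\n",
    hash_equals(link_checksum('validfile.pdf'), $query['checksum']) ? 'yes' : 'no');

// Tampered filename sent with the original checksum: rejected before any file access.
$forged = '../../../../../../etc/passwd';
printf("forged filename accepted: %s\n",
    verify_download($forged, $query['checksum']) === null ? 'no' : 'yes');
```

The basename() test is belt and braces: the checksum alone already rejects any name the server did not sign, but if a signed name ever contained a path component (for example because of a bug in the page that builds the list), the second check still keeps the request inside DOWNLOAD_DIR.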