Home/ Questions/Q 1004753
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-16T08:11:03+00:00

The url would be something like this: www.example.com/index.php?file=myFile.ext The filtering would only allow leters

  • 0

The url would be something like this:

www.example.com/index.php?file=myFile.ext

The filtering would only allow leters and numbers in the file, and only one dot.

The filtering would not give characters from the input to the file functions, instead, on for every allowed character it matches in an internal array, it copies the character from the internal array, and not the character from the input.

Ex:

if( isset(MyArray[inputChar]))
    $fileName .= MyArray[inputChar]

This is especially to protect against weird encoding bugs, php bugs etc

The full example bellow (I used array_search() instead of isset()):

//split it to array of chars
 $imputCharacters = str_split($_GET["file"]);

 //splits it to array like this: [0] => 'a', [1] => 'b', etc 
 $allowedCharacters = str_split('1234567890abcdefghijklmnopqrstuvwxyz.ABCDEFGHIJKLMNOPQRSTUVWXYZ');

 $file = '';
 $dots = 0;

  foreach ($imputCharacters as $char) 
 {
   $indexKey = array_search($char, $allowedCharacters, true);
   if($indexKey === false) 
  {
   die(__FILE__ . __LINE__); // disalowed character
  }
  else 
  {
   if ($allowedCharacters[$indexKey] === '.') { 
    $dots++;
    if($dots > 1) {
     die(__FILE__ . __LINE__); //only one dot allowed
    }
   }
   $file .= $allowedCharacters[$indexKey];
  }   
  }
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Some other things you might want to watch out for:
    Opening hidden files. You might not want to open your .svn or .hg files (Source control files).
    URLs are case insensitive but they’re case sensitive on the file system, so somehow accomodate for that?
    Certain file names might having special meaning to the operating system? Such as the user providing a string that can be automatically decoded into something else on the filesystem?
    Are you looking our for character encoding bugs? The user might supply the text in a specific encoding, which could be interpreted differently by the operating systems character encoding scheme.
    Does the file exist?
    Does it have some weird flag on it (Read-Only, Write-Only)?
    Is the file readable by the web server’s user account? I’ve run into issues with UNIX based systems where files are not readable by the www_root account that apache runs as.
    I don’t know how many of these are likely, just some things I’ve run across trying to solve similar problems.

    • 0