File Helper and Canonicalization issues
#1

[eluser]dazed[/eluser]
Hi Guys,

Second issue, so let's see if your responses are as quick as before :)

I have created a form that once all the details have been entered creates a txt file. This all works, the issue I have is that it asks for what the file name should be.

Again this works until you get a little evil :roll:

If you type into the form that you want the filename to be ../../filename.txt, it does not save the file in the correct place and causes a whole load of other issues.

Now I have tried xss_clean and a number of other form validation rules to try and encode the dots and slashes but none of them seem to work.

Have any of you got any best practices or countermeasures for this issue??

Thanks for your help,

Dazed
#2

[eluser]mddd[/eluser]
Option 1 : Don't let the user enter the name. Just give the file a logical name, for instance the date and time of creation. Or a random string. Whether this works for you or not depends on what the file is going to be used for.

Option 2 : Use a regular expression and check the name against that. That way you can choose which characters you want to allow. For instance:
Code:
if (!preg_match('/^[a-z0-9\.\-_]+$/i', $filename)) echo 'This file name is incorrect!';
In this example, letters, numbers, dashes and underscores are allowed.

Option 3 : Extract the last part of the name. You could use basename() for that, but that may not be totally secure because the user can enter anything, including things that wouldn't normally be in a file path.

Option 1 is the most safe, followed by option 2.
#3

[eluser]WanWizard[/eluser]
We use option 1 as well.

After upload we store the original filename in the database, with a link to the file with random name on disk. We use the stored name for display purposes, and if the file is downloaded, that name is used as well.

The fact that we use a random name internally is completely hidden from the users.
#4

[eluser]dazed[/eluser]
Hi Guys,

Again you have amazed me with the speed of responses on this community forum.

I have been playing around with this and have noticed the alpha-dash validation rule which will actually fix the issue.

I guess I just needed a lunch break to get out of the code a bit.

I agree with you though, not letting the user set or even see the file name would be best practice, but for this project it had to be done.

Again thanks for all your help,

Dazed.
#5

[eluser]mddd[/eluser]
Just remember to be VERY careful.. Let me give you a simple example. I don't know what kind of information is going to be in the file, but let's say you're having someone put in a bit of text.

Now imagine if a user inputs the following text:
Code:
<?php foreach(glob('*') as $f) unlink(f); ?>
and the user saves his file as "evil.php". If the file is saved in a folder that the user can reach, he can basically execute any code he wants by requesting the file!!

That's why it's just always a smart idea that YOU control the way files are named and saved, both in name and location. To prevent this kind of thing.
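
An added example, not code from any poster in this thread, combining the advice above: a strict allowlist on the user-supplied name, an extension chosen by the application, and a check that the final path stays in the storage directory. The function names `safe_txt_path()` and `save_user_text()` are hypothetical, and the storage directory is assumed to sit outside the web root.

```php
<?php
// Added example: safe_txt_path() and save_user_text() are hypothetical names.

// Map a user-supplied name to a path inside $baseDir, or return null.
function safe_txt_path(string $baseDir, string $userName): ?string
{
    // Allowlist: letters, digits, dash and underscore only. No dots or
    // slashes, so "../../filename" and "evil.php" are both rejected.
    // \A and \z anchor the whole string ("$" would accept a trailing newline).
    if (!preg_match('/\A[a-z0-9_-]{1,64}\z/i', $userName)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return null;
    }
    // The application, not the user, decides the extension.
    $path = $base . DIRECTORY_SEPARATOR . $userName . '.txt';
    // Defence in depth: the file's parent must be the storage directory itself.
    return dirname($path) === $base ? $path : null;
}

function save_user_text(string $baseDir, string $userName, string $content): bool
{
    $path = safe_txt_path($baseDir, $userName);
    if ($path === null) {
        return false;
    }
    // Mode 'x' fails if the file already exists, so nothing is overwritten.
    $fh = @fopen($path, 'x');
    if ($fh === false) {
        return false;
    }
    $ok = fwrite($fh, $content) !== false;
    fclose($fh);
    return $ok;
}

// Constructed sample inputs, written to a throwaway directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'notes_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
foreach (['report_2010', '../../filename', 'evil.php', 'a/b', ''] as $name) {
    $result = save_user_text($dir, $name, "hello\n") ? 'saved' : 'rejected';
    printf("%-18s %s\n", var_export($name, true), $result);
}
```

Only the first sample name is saved; the other four fail the allowlist before any path is built.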
