M.O.S. Studios Posted January 13, 2009 Share Posted January 13, 2009 hey guys i have made this image uploading script and discovered a problem, if some one wants to make a dir or upload to a dir outside of the upload dir all they have to type is upload/../ can anyof you think of a way to stop this? <?php //uploading images if($_POST['sent']) { for ($i=1; $i<=$_POST['sent']; $i++) { $image="image".$i; if(basename($_FILES[$image]["name"])) { if($_FILES[$image]["type"] != "image/pjpeg" && $_FILES[$image]["type"] != "image/jpeg" || file_exists($_POST['location']."/".$_FILES[$image]["name"])) { if($_FILES[$image]["type"] != "image/pjpeg" && $_FILES[$image]["type"] != "image/jpeg"){echo "Error: ".$_FILES[$image]["name"]." must be a Jpeg."."<br>"."\n";} if(file_exists($_POST['location']."/".$_FILES[$image]["name"])){echo "Error: A file with the name ".$_FILES[$image]["name"]." is already Present "."<br>"."\n";} } else { if(move_uploaded_file($_FILES[$image]["tmp_name"],$_POST['location']."/".$_FILES[$image]["name"])) { echo $_FILES[$image]["name"]." stored in: ".$_POST['location']."<br>"."\n"; } else { echo basename($_FILES[$image]["name"])."Error: " . $_FILES[$image]["error"] . "<br />"; } } } } } //creating new dirs if($_POST['mkdir'] && substr($_POST['change'], 0, 7)=="upload/") { mkdir($_POST['change'], 0700); } else { echo "All new Directories must be made within the upload folder"; } // setting defaults $directory = "upload"; $uploads=5; // Checking for new values if($_POST['uploads']){$uploads=$_POST['uploads'];} if($_POST['directory'] && $_POST['directory']!="upload") { $directory = $_POST['lower']."/".$_POST['directory']; } if($_POST['change'] && substr($_POST['change'], 0, 6)=="upload") { $directory = $_POST['change']; } //Opening the directory; $dir = opendir($directory); ?> <form method="POST" action="account.php?actions=addpic"> <?php echo "<i>PATH:</i> <input type='text' size='100%' name='change' value='".$directory."'><input type='submit' id='submitb' value='Change dir'><input type='submit' id='submitb' name='mkdir' value='Make dir'><br>"; ?> <a href='account.php?actions=addpic'><i>root</i></a> <br> </form> <form method="POST" action="account.php?actions=addpic"> <?php //displaying directory contents while($file = readdir($dir)) { if($file!="." && $file != "..") { if(!stristr($file, ".")) { $dirs .="->".$directory."/<input type='submit' id='submitb' name='directory' value='".$file."'>"."<br>"."\n"; } else { $files .=$file."\n"; } } } echo $dirs; ?> <center> <textarea rows='10' cols='50' readonly><?php echo $files; ?></textarea> </center> <input type="hidden" value="<?php echo $directory; ?>" name="lower"> <input type="hidden" value="<?php echo $uploads; ?>" name="uploads"> </form> <?php // Uploading options; ?> <form action='account.php?actions=addpic' method="POST" enctype="multipart/form-data"> <?php for ($i=1; $i<=$uploads; $i++) { echo "<input type='file' name='image".$i."'>"."<br>"."\n"; } ?> <input type="submit" value="upload"> <input type="hidden" name="location" value="<?php echo $directory; ?>"> <input type="hidden" name="sent" value="<?php echo $uploads; ?>"> </form> <form action='account.php?actions=addpic' method="POST"> <input type="submit" value="Number of upload boxs:"> <select name="uploads"> <option>1</option> <option>2</option> <option>3</option> <option>4</option> <option>5</option> <option>6</option> <option>7</option> <option>8</option> <option>9</option> <option>10</option> <option>11</option> <option>12</option> <option>13</option> <option>14</option> <option>15</option> <option>16</option> <option>17</option> <option>18</option> <option>19</option> <option>20</option> <select> </form> thanks in advance Link to comment https://forums.phpfreaks.com/topic/140705-solved-my-file-uploading-challenge/ Share on other sites More sharing options...
premiso Posted January 13, 2009 Share Posted January 13, 2009 Filter $_POST['location']. What is suppose to be passed to it/how should it be structured? Do you really need to send the dir location over post? Link to comment https://forums.phpfreaks.com/topic/140705-solved-my-file-uploading-challenge/#findComment-736426 Share on other sites More sharing options...
M.O.S. Studios Posted January 13, 2009 Author Share Posted January 13, 2009 what do you suggest instead? Link to comment https://forums.phpfreaks.com/topic/140705-solved-my-file-uploading-challenge/#findComment-736427 Share on other sites More sharing options...
premiso Posted January 13, 2009 Share Posted January 13, 2009 Well if you want the user to be able to create their own directory name, I would use REGEX to make sure that the name only contains valid characters. preg_match('/(^[a-z0-9]*)/i', $_POST['location'], $matches); if ($matches[1] != $_POST['location']) $error = "Location must contain only Aplha Numeric (abc123) characters."; That way they cannot have .. or / or ' etc in the dir name. Link to comment https://forums.phpfreaks.com/topic/140705-solved-my-file-uploading-challenge/#findComment-736429 Share on other sites More sharing options...
M.O.S. Studios Posted January 13, 2009 Author Share Posted January 13, 2009 very cleaver!!! i should have thought of that right away!! thanks guys Link to comment https://forums.phpfreaks.com/topic/140705-solved-my-file-uploading-challenge/#findComment-736431 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.