M.O.S. Studios Posted January 13, 2009

hey guys i have made this image uploading script and discovered a problem, if someone wants to make a dir or upload to a dir outside of the upload dir all they have to type is upload/../ can any of you think of a way to stop this?

```php
<?php
//uploading images
if($_POST['sent'])
{
    for ($i=1; $i<=$_POST['sent']; $i++)
    {
        $image="image".$i;
        if(basename($_FILES[$image]["name"]))
        {
            // 'location' is taken straight from the hidden form field
            if($_FILES[$image]["type"] != "image/pjpeg" && $_FILES[$image]["type"] != "image/jpeg" || file_exists($_POST['location']."/".$_FILES[$image]["name"]))
            {
                if($_FILES[$image]["type"] != "image/pjpeg" && $_FILES[$image]["type"] != "image/jpeg"){echo "Error: ".$_FILES[$image]["name"]." must be a Jpeg."."<br>"."\n";}
                if(file_exists($_POST['location']."/".$_FILES[$image]["name"])){echo "Error: A file with the name ".$_FILES[$image]["name"]." is already Present "."<br>"."\n";}
            }
            else
            {
                if(move_uploaded_file($_FILES[$image]["tmp_name"],$_POST['location']."/".$_FILES[$image]["name"]))
                {
                    echo $_FILES[$image]["name"]." stored in: ".$_POST['location']."<br>"."\n";
                }
                else
                {
                    echo basename($_FILES[$image]["name"])."Error: " . $_FILES[$image]["error"] . "<br />";
                }
            }
        }
    }
}

//creating new dirs
// only the first 7 characters are compared, so "upload/../" still passes this check
if($_POST['mkdir'] && substr($_POST['change'], 0, 7)=="upload/")
{
    mkdir($_POST['change'], 0700);
}
else
{
    echo "All new Directories must be made within the upload folder";
}

// setting defaults
$directory = "upload";
$uploads=5;
$dirs = "";   // directory buttons collected by the listing loop below
$files = "";  // file names collected by the listing loop below

// Checking for new values
if($_POST['uploads']){$uploads=$_POST['uploads'];}
if($_POST['directory'] && $_POST['directory']!="upload")
{
    $directory = $_POST['lower']."/".$_POST['directory'];
}
if($_POST['change'] && substr($_POST['change'], 0, 6)=="upload")
{
    $directory = $_POST['change'];
}

//Opening the directory;
$dir = opendir($directory);
?>
<form method="POST" action="account.php?actions=addpic">
<?php
echo "<i>PATH:</i> <input type='text' size='100%' name='change' value='".$directory."'><input type='submit' id='submitb' value='Change dir'><input type='submit' id='submitb' name='mkdir' value='Make dir'><br>";
?>
<a href='account.php?actions=addpic'><i>root</i></a>
<br>
</form>
<form method="POST" action="account.php?actions=addpic">
<?php
//displaying directory contents
while($file = readdir($dir))
{
    if($file!="." && $file != "..")
    {
        // entries without a dot in the name are listed as directories
        if(!stristr($file, "."))
        {
            $dirs .="->".$directory."/<input type='submit' id='submitb' name='directory' value='".$file."'>"."<br>"."\n";
        }
        else
        {
            $files .=$file."\n";
        }
    }
}
echo $dirs;
?>
<center>
<textarea rows='10' cols='50' readonly><?php echo $files; ?></textarea>
</center>
<input type="hidden" value="<?php echo $directory; ?>" name="lower">
<input type="hidden" value="<?php echo $uploads; ?>" name="uploads">
</form>
<?php // Uploading options; ?>
<form action='account.php?actions=addpic' method="POST" enctype="multipart/form-data">
<?php
for ($i=1; $i<=$uploads; $i++)
{
    echo "<input type='file' name='image".$i."'>"."<br>"."\n";
}
?>
<input type="submit" value="upload">
<input type="hidden" name="location" value="<?php echo $directory; ?>">
<input type="hidden" name="sent" value="<?php echo $uploads; ?>">
</form>
<form action='account.php?actions=addpic' method="POST">
<input type="submit" value="Number of upload boxs:">
<select name="uploads">
<option>1</option> <option>2</option> <option>3</option> <option>4</option> <option>5</option>
<option>6</option> <option>7</option> <option>8</option> <option>9</option> <option>10</option>
<option>11</option> <option>12</option> <option>13</option> <option>14</option> <option>15</option>
<option>16</option> <option>17</option> <option>18</option> <option>19</option> <option>20</option>
</select>
</form>
```

thanks in advance

premiso Posted January 13, 2009

Filter $_POST['location']. What is supposed to be passed to it/how should it be structured? Do you really need to send the dir location over post?

M.O.S. Studios Posted January 13, 2009

what do you suggest instead?

premiso Posted January 13, 2009

Well if you want the user to be able to create their own directory name, I would use REGEX to make sure that the name only contains valid characters.

```php
preg_match('/(^[a-z0-9]*)/i', $_POST['location'], $matches);
if ($matches[1] != $_POST['location'])
    $error = "Location must contain only Aplha Numeric (abc123) characters.";
```

That way they cannot have .. or / or ' etc in the dir name.

M.O.S. Studios Posted January 13, 2009

very clever!!! i should have thought of that right away!! thanks guys
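
An added example, not code from the thread: one way to keep a posted directory inside the upload folder, applying the alphanumeric allow-list from the reply to each path segment and then confirming containment with realpath(). The function name resolve_upload_dir, the temporary root and the sample inputs are assumptions made for the illustration, and the posted path is treated as relative to the upload root rather than starting with upload/.

```php
<?php
/**
 * Return the absolute path for $userPath under $root, or null if it is not allowed.
 * Hypothetical helper: $userPath is relative to the root, e.g. "holiday/2009".
 */
function resolve_upload_dir(string $root, string $userPath): ?string
{
    $rootReal = realpath($root);
    if ($rootReal === false) {
        return null; // the upload root itself must exist
    }
    // Split on "/" and drop empty pieces ("a//b", leading or trailing "/").
    $segments = array_filter(explode('/', $userPath), 'strlen');
    foreach ($segments as $segment) {
        // Whole-segment allow-list: letters and digits only, so "..", ".",
        // backslashes, spaces and NUL bytes never reach the filesystem.
        if (!preg_match('/\A[a-z0-9]+\z/i', $segment)) {
            return null;
        }
    }
    $candidate = $rootReal;
    if ($segments) {
        $candidate .= DIRECTORY_SEPARATOR . implode(DIRECTORY_SEPARATOR, $segments);
    }
    // If the path already exists, resolve symlinks and re-check that it is
    // still the root or something below it.
    $real = realpath($candidate);
    if ($real !== false && $real !== $rootReal
        && strpos($real, $rootReal . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed demo: a throwaway root with one sub-directory.
$root = sys_get_temp_dir() . '/upload_demo_' . getmypid();
@mkdir($root . '/holiday', 0700, true);

$inputs = ['holiday', 'holiday/2009', '../', 'holiday/../../etc', 'holi day', ''];
foreach ($inputs as $input) {
    $resolved = resolve_upload_dir($root, $input);
    printf("%-22s => %s\n", var_export($input, true),
        $resolved === null ? 'REJECTED' : 'ok: ' . $resolved);
}

rmdir($root . '/holiday');
rmdir($root);
```

The two inputs containing `..` and the one containing a space are rejected; the others resolve to paths under the temporary root, and a name that does not exist yet (`holiday/2009`) is still accepted so it can be passed to mkdir().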