SarahBear Posted November 9, 2014 (edited)

Hello. Recently I've run into a bit of an issue with Path Traversal. I was searching a bit on solutions to it, but all I could find were sites telling you to fix it, and not showing examples of how. So, I've been running a few tests and seem to have the majority fixed. At least, the ones in OWASP's examples don't work. I am making a file manager, so they can browse the public_html all they want. I just don't want anyone using ../, or the document root, to browse through anything other than the public_html. So, here is the solution I have found that seems to work on everything I have seen:

<?php
// Seems to solve plain-text, encoded, and null bytes
$replace = array("%", "..");
$file = str_replace($replace, "", $_GET['file']);
// ./ at the beginning to stop DOCUMENT_ROOT travel
echo show_file_contents("./".$file);
?>

And this is how the path is set up for file_get_contents to access:

<?php
function show_file_contents($file) {
    $path = $_SERVER['DOCUMENT_ROOT']."/".$file;
    return file_get_contents($path);
}
?>

My question is: Does this fully stop any directory traversal attempt?

Edited November 9, 2014 by SarahBear
ginerjm Posted November 9, 2014 (edited)

Forgive me this change of topic, but why on earth would anyone want to provide universal access to the entire root folder (and therefore its subs) of one's site? I can see providing access to a subset of folder(s) that contain documents or images or some collection of files, but the whole site? Perhaps the easy way to prevent your problem would be to just supply a list of eligible folders displayed in some visually-appealing format and let people click on the name they wish to see? That is, if you don't have second thoughts about the whole idea.

Edited November 9, 2014 by ginerjm
SarahBear (Author) Posted November 9, 2014

It's not to be used on my site. It's an open source file manager.
ginerjm Posted November 9, 2014

I would think that any 'open source file manager' (?) would provide access to (again) 'a subset of folders' and NOT the public_html folder where the manager itself might reside as well as any other application files. Pardon my asking, but you do realize the significance of the 'public_html' folder?
kicken Posted November 9, 2014 (Solution)

realpath()

Use that to resolve any path given into an absolute path, then verify that the result begins with an allowed prefix.

$prefix = $_SERVER['DOCUMENT_ROOT'];
$path = realpath($_GET['path']);
if ($path && strncmp($path, $prefix, strlen($prefix)) == 0) {
    // ok
}

Something like that.
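Written out as a complete check, as an added example that is neither kicken's code nor the original poster's: the requested name is resolved relative to the base directory with realpath(), and the result is accepted only if it equals the base or starts with the base followed by a directory separator. That separator is what the one-liner above leaves out; without it a sibling directory whose name merely begins with the base name would pass the prefix test. The function name resolve_inside and the use of $_GET['file'] are assumptions.

```php
<?php
// Added example (not from the thread). Returns the canonical absolute path
// if $requested stays inside $baseDir, or null if the request must be refused.
function resolve_inside(string $baseDir, string $requested): ?string
{
    // Canonicalise the base as well, so a trailing slash or a symlink in the
    // configured directory does not break the string comparison below.
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }

    // Treat every request as relative to the base: an absolute request such
    // as "/etc/passwd" becomes "<base>/etc/passwd" before it is resolved.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . ltrim($requested, '/\\'));

    // realpath() returns false when the target does not exist or a component
    // cannot be read; refusing here also avoids confirming which files exist.
    if ($candidate === false) {
        return null;
    }

    // The base itself is fine; anything else must begin with "<base>/".
    // Without the separator "/var/www/html2" would count as inside "/var/www/html".
    if ($candidate === $base) {
        return $candidate;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Usage with the document root, as in the thread ($_GET['file'] is assumed).
$path = resolve_inside($_SERVER['DOCUMENT_ROOT'], $_GET['file'] ?? '');
if ($path === null) {
    http_response_code(400);
    exit('Invalid path');
}
if (is_dir($path)) {
    foreach (scandir($path) as $entry) {
        echo htmlspecialchars($entry, ENT_QUOTES, 'UTF-8'), "\n";
    }
} else {
    echo htmlspecialchars(file_get_contents($path), ENT_QUOTES, 'UTF-8');
}
```

Because realpath() follows symlinks, a link inside the base that points outside it resolves to its target and is rejected by the same comparison.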
SarahBear (Author) Posted November 9, 2014

> I would think that any 'open source file manager' (?) would provide access to (again) 'a subset of folders' and NOT the public_html folder where the manager itself might reside as well as any other application files. Pardon my asking but you do realize the significance of the 'public_html' folder?

What's the difference between that and any other file manager such as fully-featured cPanel, which lets you go higher up? Not to be rude, but this isn't a debate about whether there are issues or not. The script itself is securely password protected, brute force protected, CSRF protected, etc. They can customize it however they want if they don't want it to access public_html.

Thank you very much, kicken.