
Help review a script?


Question

So I'm just looking through some scripts I have on my website, and one of them I'm actually using right now. It's a file-grabber which takes a file from a protected directory and gives it to the user. I wrote it a long time ago because the version I used previously had a gaping hole in it, and looking back at the version I'm using right now, it still seems like kind of a hacked-together job. I was wondering if you guys could take a look to see if there are any obvious security problems or ways I could improve the script.

What it's supposed to do:

The files are stored in a directory that is not accessible to the public. The script grabs that file and serves it to the user through itself. Inside the private folder, there are numerous subfolders. The script is supposed to handle any number of levels of nested folders (just keep adding parameters to the URL). Here's an example:

http://cshen.ca/file.php?1=hs&2=ict12&f=game_blackjack&t=swf

The numbers are the folders, f is the file name, and t is the file type. The older version basically just took a link and grabbed whatever's there... which was a problem if you use "../". Now as you can see from the source, it looks like a patchwork of code... in fact I'm pretty sure I had multiple references for it when I wrote that...

So... suggestions?

thanks!


4 answers to this question



Hey,

I'm just having a look through your file to see if I can offer any advice.

How you're passing the directory path seems odd to me.

It seems to me that it would be easier to have a single URL parameter that holds the path to the file?

Am I missing something here?



> Hey,
>
> I'm just having a look through your file to see if I can offer any advice.
>
> How you're passing the directory path seems odd to me.
>
> It seems to me that it would be easier to have a single URL parameter that holds the path to the file?
>
> Am I missing something here?

Yea, I did that before, but then I figured out that you can pass a link like "../secretfile.php" and grab anything off my website... I don't remember why I decided to go with this instead of filtering out any instances of two consecutive dots... =S



The files that people are going to download, are they always going to be a certain set of file extensions?

If they are, you could put a list of the allowed extensions in; this way people wouldn't be able to download files they weren't meant to download.

And if the files are always meant to be in a certain directory, like your private folder, you could have that automatically prefixed onto the parameter in the URL.

e.g. file.php?path=folder1/f2&file=test&type=png

And in your script it adds "private_folder" to the front of it?

Not sure if that makes sense, or if it will work with what you want to do :(



> The files that people are going to download, are they always going to be a certain set of file extensions?
>
> If they are, you could put a list of the allowed extensions in; this way people wouldn't be able to download files they weren't meant to download.
>
> And if the files are always meant to be in a certain directory, like your private folder, you could have that automatically prefixed onto the parameter in the URL.
>
> e.g. file.php?path=folder1/f2&file=test&type=png
>
> And in your script it adds "private_folder" to the front of it?
>
> Not sure if that makes sense, or if it will work with what you want to do :(

Yea, that's what I did before, but a path like public_html/secret_folder/user/supplied/path/file.php could be exploited into public_html/secret_folder/../secret_file.php, whereas right now it's public_html/secret_folder/append/each/folder/name/file.php.

I guess I could just have a user-supplied path and forbid two dots in sequence...

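The thread's two open points, the original "../" hole and the final post's idea of just forbidding two consecutive dots, both come down to the same question: how does the script guarantee that the file it opens is inside the private folder? Stripping ".." on its own is a brittle answer (it says nothing about symlinks that live under the private folder but point elsewhere, about characters the web server or filesystem may normalise differently, or about an absolute path slipped into a "path" parameter), so the usual defensive pattern is two layers: validate each URL segment against a strict allow-list so that nothing but plain names reaches the filesystem, then canonicalise the assembled path with realpath() and confirm it still starts with the private root. The script below is an added example written for this thread, not the original poster's file.php. It keeps the thread's numbered-folder URL scheme (?1=hs&2=ict12&f=game_blackjack&t=swf) and adds the extension allow-list the third reply suggests. The private folder location (PRIVATE_ROOT, assumed to be ../private relative to the script) and the extension-to-MIME table are assumptions for the example.

```php
<?php
declare(strict_types=1);

// Added example for the thread, not the original poster's file.php.
// Assumption: the private folder sits outside the web root, one level up
// from this script. Adjust PRIVATE_ROOT to match the real layout.
const PRIVATE_ROOT = __DIR__ . '/../private';

// Allow-list of downloadable extensions and the MIME type each is served
// with (the third reply's suggestion). Anything not listed is refused.
// Assumed table for the example; extend it to the real set of file types.
const ALLOWED_TYPES = [
    'swf' => 'application/x-shockwave-flash',
    'pdf' => 'application/pdf',
    'png' => 'image/png',
    'zip' => 'application/zip',
];

// A single folder or file-name segment: letters, digits, underscore, hyphen.
// No dots, slashes, backslashes or null bytes can pass, so "..", "/", and
// their encoded variants never reach the filesystem at all.
const SEGMENT_RE = '/^[A-Za-z0-9_-]{1,64}$/';

// Upper bound on nesting depth, just to keep the loop below finite.
const MAX_DEPTH = 16;

/**
 * Collect folder names from the numbered parameters 1, 2, 3, ...
 * The loop stops at the first missing number, so ?1=a&3=c yields only [a]
 * and the request then fails to resolve instead of silently skipping a level.
 */
function collect_folders(array $params): array
{
    $folders = [];
    for ($i = 1; $i <= MAX_DEPTH && isset($params[$i]); $i++) {
        $folders[] = $params[$i];
    }
    return $folders;
}

/**
 * Resolve the request to an absolute path inside PRIVATE_ROOT, or null.
 * Layer 1: every segment must match SEGMENT_RE and the type must be listed.
 * Layer 2: realpath() canonicalises the assembled path (following symlinks),
 * and the prefix check proves the result really is under the private root.
 */
function resolve_private_file(array $params): ?string
{
    $folders = collect_folders($params);
    $name = $params['f'] ?? '';
    $type = $params['t'] ?? '';

    // Reject arrays (?f[]=x) and anything outside the segment alphabet.
    foreach (array_merge($folders, [$name]) as $segment) {
        if (!is_string($segment) || !preg_match(SEGMENT_RE, $segment)) {
            return null;
        }
    }
    if (!is_string($type)) {
        return null;
    }
    $type = strtolower($type);
    if (!array_key_exists($type, ALLOWED_TYPES)) {
        return null;
    }

    $root = realpath(PRIVATE_ROOT);
    if ($root === false) {
        return null; // private folder missing or unreadable
    }

    $candidate = implode('/', array_merge([$root], $folders, [$name . '.' . $type]));
    $real = realpath($candidate);          // false if the file does not exist

    // Compare against root plus a separator so that a sibling folder whose
    // name merely begins with the root name (e.g. private2) does not match.
    $prefix = $root . DIRECTORY_SEPARATOR;
    if ($real === false || !is_file($real) || strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

/** Stream the resolved file; everything that failed to resolve is a plain 404. */
function serve(array $params): void
{
    $path = resolve_private_file($params);
    if ($path === null) {
        http_response_code(404);
        header('Content-Type: text/plain');
        echo "Not found\n";
        return;
    }
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    header('Content-Type: ' . ALLOWED_TYPES[$ext]);
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . filesize($path));
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    readfile($path);
}

serve($_GET);
```

Because the segment regex already excludes dots and slashes, the realpath() prefix check never fires on a well-formed request; it is there so that a later change to the regex, a symlink dropped into the private folder, or a mistake in how the path is assembled still cannot serve anything outside the root. A single 404 for every failure case (bad segment, unlisted type, missing file, path outside the root) also avoids telling a caller which of those conditions it hit.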
