Question
primexx
So I'm just looking through some scripts I have on my website, and one of them I'm actually using right now. It's a file-grabber which takes a file from a protected directory and gives it to the user. I wrote it a long time ago because the version I used previously had a gaping hole in it, and looking back at the version I'm using right now, it still seems like kind of a hacked-together job. I was wondering if you guys could take a look to see if there's any obvious security problems or ways I could improve the script.
What it's supposed to do:
The files are stored in a directory that is not accessible to the public. The script grabs that file and serves it to the user through itself. Inside the private folder, there are numerous subfolders. The script is supposed to handle any number of levels of nested folders (just keep adding parameters to the URL). Here's an example:
The numbers are the folders, f is the file name, and t is the file type. The older version basically just took a link and grabbed whatever's there... which was a problem if you use "../". Now as you can see from the source, it looks like a patchwork of code... in fact I'm pretty sure I had multiple references for it when I wrote that..
so...suggestions?
thanks!
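A defensive sketch of the parameter handling the post describes, added here as example code (it is not primexx's script, which is not shown): every folder, file-name and type parameter is checked against a strict allowlist, and the resolved path is then verified to stay under the private directory, which is what stops the "../" problem the older version had. The function names, the `UnsafePathError` class and the constructed demo tree (`<tmp>/1/2/report.pdf`) are assumptions for this example.

```python
import re
import tempfile
from pathlib import Path

# Each URL parameter (folder number, file name, type) must match this
# allowlist: no slashes, no dots, no NUL bytes, so ".." can never appear.
SEGMENT_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


class UnsafePathError(ValueError):
    """Raised when request parameters would leave the private directory."""


def resolve_private_file(base_dir, folders, name, ext):
    """Map (folders, name, ext) onto a file under base_dir, or raise.

    Two independent checks are applied: a lexical allowlist on every
    segment, then a containment check on the canonical path (symlinks
    resolved), so a symlink inside base_dir cannot point outside it.
    """
    for seg in [*folders, name, ext]:
        if not isinstance(seg, str) or not SEGMENT_RE.fullmatch(seg):
            raise UnsafePathError(f"rejected segment: {seg!r}")
    base = Path(base_dir).resolve(strict=True)
    target = base.joinpath(*folders, f"{name}.{ext}").resolve(strict=True)
    if base not in target.parents:
        raise UnsafePathError("resolved path escapes the private directory")
    if not target.is_file():
        raise UnsafePathError("not a regular file")
    return target


def build_demo_tree():
    """Create a constructed private directory: <tmp>/1/2/report.pdf."""
    root = Path(tempfile.mkdtemp(prefix="private_"))
    (root / "1" / "2").mkdir(parents=True)
    (root / "1" / "2" / "report.pdf").write_bytes(b"%PDF-1.4 demo")
    return root


def is_rejected(base_dir, folders, name, ext):
    """True if the request is refused by the allowlist, containment or lookup."""
    try:
        resolve_private_file(base_dir, folders, name, ext)
        return False
    except (UnsafePathError, FileNotFoundError):
        return True


if __name__ == "__main__":
    root = build_demo_tree()
    print(resolve_private_file(root, ["1", "2"], "report", "pdf"))
    print(is_rejected(root, ["..", ".."], "etc/passwd", ""))
```

A real handler would call `resolve_private_file` with the base directory fixed in the script and only the URL parameters supplied by the client, then stream the returned path with an appropriate Content-Type.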
4 answers to this question