@adrian-enspired
Last active March 7, 2025 02:38

OK, so you have a filepath made from user input; something like

$path = __DIR__ . "/uploads/{$user_input_filename}";

#1: DO NOT DO THIS. Make up your own directory names. The user has no business picking path names on your server.

#2: Filesystem traversal is bad. If you mean for the given $user_input_filename to be inside the __DIR__ . "/uploads" directory, take a moment to check.

<?php

// $user_input_filename is the untrusted name taken from the request.
$target_dir = realpath(__DIR__ . '/uploads');
$full_path = "{$target_dir}/{$user_input_filename}";
// realpath() collapses "..", resolves symlinks and returns false for a
// nonexistent file, so any mismatch means the path is not a plain file
// sitting directly inside uploads/.
if ($full_path !== realpath($full_path)) {
    /* not a real file, or a relative path that doesn't go where you expect. bad! */
    exit('Invalid file path.');
}
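A stricter form of check #2, added here as an example and not part of the gist: it canonicalises the joined path and requires that the result stay under the uploads directory, so `./report.pdf` is accepted while `../config.php`, nonexistent files and names containing a NUL byte are rejected. The function name `resolve_upload_path` and the temp-directory tree it runs against are constructed for the demo.

```php
<?php
declare(strict_types=1);

/**
 * Resolve $user_input_filename inside $base_dir and return its canonical
 * path, or null if it does not exist or escapes that directory. Unlike a
 * bare string comparison this accepts "./name" and in-tree symlinks, and
 * rejects anything that resolves outside the base.
 */
function resolve_upload_path(string $base_dir, string $user_input_filename): ?string
{
    $real_base = realpath($base_dir);
    if ($real_base === false) {
        return null; // base directory missing or unreadable
    }
    // Reject NUL bytes before touching the filesystem; they truncate C-level paths.
    if (strpos($user_input_filename, "\0") !== false) {
        return null;
    }
    $real_path = realpath($real_base . DIRECTORY_SEPARATOR . $user_input_filename);
    if ($real_path === false) {
        return null; // nonexistent file
    }
    // Compare with a trailing separator so "/uploads_private" is not mistaken for "/uploads".
    $prefix = $real_base . DIRECTORY_SEPARATOR;
    if (strncmp($real_path, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside the uploads directory
    }
    return $real_path;
}

// Constructed demo tree: one legitimate upload and one file outside uploads/.
$root = sys_get_temp_dir() . '/traversal_demo_' . bin2hex(random_bytes(4));
mkdir("$root/uploads", 0700, true);
file_put_contents("$root/uploads/report.pdf", 'ok');
file_put_contents("$root/config.php", 'secret');

foreach (['report.pdf', './report.pdf', '../config.php', 'missing.txt', "x.pdf\0.jpg"] as $name) {
    $result = resolve_upload_path("$root/uploads", $name);
    printf("%-16s => %s\n", addcslashes($name, "\0"), $result ?? 'REJECTED');
}

// Remove the constructed tree.
unlink("$root/uploads/report.pdf");
unlink("$root/config.php");
rmdir("$root/uploads");
rmdir($root);
```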

#3: see #1
