Is RealPath safe?

Question

Is RealPath safe?

<?php
if (preg_match('/^[a-z0-9]+$/', $_GET['p'])) {
$page = realpath('pages/'.$_GET['p'].'.php');
$tpl = realpath('templates/'.$_GET['p'].'.html');
if ($page && $tpl) {
    include $page;
    include $tpl;
} else {
    include('error.php');
}
}
?>

How safe is it to say?

0

php realpath

Kraple 28 Mar '09 at 13:59

source to share

7 replies

Chinoto Vokro · Answer 1 · 2012-09-11T00:07:40+0000

I use this for a template file, so it can include "pages" instead of cluttering one file with many functions / lines / switches / elseif (choose) or create many files using the same location.

It checks if the realpath should include the directory, and if it should be included in the real path of the file, which should be included, if the real path of the file starts from the include directory, it can be included.

<?
#If you're worried about funky characters messing with stuff, use this
#preg_replace("/[^A-Za-z0-9_\-]+/","",$str);

if (isset($_REQUEST['page'])) {
    $path=realpath("../inc/page").DIRECTORY_SEPARATOR;
    $full_page=realpath($path.$_REQUEST['page'].".php");
    if (file_exists($full_page)&&(strpos($full_page,$path)===0)) {
        include($full_page);
    } else {
        echo "FAILED";
    }
}
?>

vartec · Answer 2 · 2009-03-28T15:20:13+0000

Well, realpath

it doesn't actually provide any security in this case. In fact, this is the case when it is impractical, since it will include

internally expand the path. Your safety here actually depends on preg_match

. Note, however, that the regex you are using will not allow you to use any page with an uppercase letter with an underscore or dash.

Anyway, I don't think it is a good idea to include files based on the parameters passed in the request. There is something wrong with your design if you need it.

Henrik Paul · Answer 3 · 2009-03-28T14:11:01+0000

realpath will not help you with this instance, as it include

can resolve the page path to the same file, whether it is realpath'd or the original sibling. It "seems" really, but I wouldn't trust this snippet personally. I'm sure someone knows how to neatly enter a null character into the input, breaking the chaos before the line ends.

To be on the safe side, what you need to do is keep a whitelist (or blacklist if better suited but prefers whitelisting) of all allowed entries / pages.

Itay Moav -Malimovka · Answer 4 · 2009-03-28T14:19:07+0000

It seems to be safe ...

But ineffective. In MVC, you have a controller and settings view and preview. There is no point in doing a stat to check if the view / controller exists.

Stefan Gehrig · Answer 5 · 2009-03-29T10:40:22+0000

realpath()

will indeed have some effect in this case, as it will return FALSE

if the target file doesn't exit. But as other posters have said, this won't add any security to the code.

It is rather a way to handle errors if the assigned files do not exist.

Paweł Hajdan · Answer 6 · 2009-04-03T09:34:40+0000

Better to run basename () on $ _GET ['p']. There is definitely no directory traversal workaround.

0

Paweł Hajdan 03 Apr '09 at 9:34

source to share

Brian Vandenberg · Answer 7 · 2013-02-27T22:12:02+0000

I can't comment on the actual PHP trajectory, but if it's just a wrapper for the system's realpath function, then one thing to be aware of: on some systems (Solaris for example), if a process gets signaled when realpath executes it 'll return an empty string ... in this case, you will need to make sure your code is configured to handle this type of situation (unless the PHP implementation resolves this dilemma for you)

Is RealPath safe?

More articles: