I have the following script to secure a page from a directory traversal attack:
function secure_file_path($file_path) {
    // Only paths that mention wp-content/themes or wp-content/plugins are considered.
    preg_match('/(wp\-content\/themes|wp\-content\/plugins)/', $file_path, $matches);
    if (count($matches) > 0) {
        // Reject the path if it contains two consecutive dots (with optional slashes around them).
        preg_match('/(\/*\.{2}\/*)/', $file_path, $dir_traversal);
        if (count($dir_traversal) > 0) {
            return false;
        }
        return true;
    }
    return false;
}
secure_file_path() is called before I run DirectoryIterator; it checks whether the path contains the string wp-content/plugins or wp-content/themes and also checks for ... But is this secure enough?
PS: an example input for $file_path could be /home/linux_user/www/wp-content/themes/ltru/../../../../../../etc/passwd
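The usual alternative to inspecting the raw string for ".." is to canonicalise the path with realpath() (which resolves "..", ".", repeated slashes and symlinks) and then check that the result lies under an allow-listed base directory. The script below is an added example, not code from the question; it copies the question's secure_file_path() for a side-by-side comparison, adds a hypothetical resolve_inside_base() helper, and builds a throw-away wp-content/themes tree in the system temp directory (constructed for this demo) so it runs offline. The cases are chosen to show where the two checks disagree: a path containing the marker string but living outside the web root, a symlink inside the theme that points outside it (no ".." in the string at all), and a legitimate filename that happens to contain two dots.

```php
<?php
// Added example, not from the question. Compares a regex check on the raw
// string with canonicalisation via realpath() plus a base-directory prefix
// test. Directory layout below is constructed for the demo.

// The function from the question, copied verbatim for comparison.
function secure_file_path($file_path)
{
    preg_match('/(wp\-content\/themes|wp\-content\/plugins)/', $file_path, $matches);
    if (count($matches) > 0) {
        preg_match('/(\/*\.{2}\/*)/', $file_path, $dir_traversal);
        if (count($dir_traversal) > 0) {
            return false;
        }
        return true;
    }
    return false;
}

// Hypothetical hardened check: returns the canonical path when $requested
// resolves to $base or to something below it, otherwise false.
function resolve_inside_base(string $base, string $requested)
{
    $base_real = realpath($base);
    // realpath() resolves "..", ".", "//" and symlinks; false if the target is missing.
    $real = realpath($requested);
    if ($base_real === false || $real === false) {
        return false;
    }
    // Compare against "base" plus a separator so that ".../themes-evil" is
    // not accepted as a child of ".../themes".
    $prefix = rtrim($base_real, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($real === $base_real || strncmp($real, $prefix, strlen($prefix)) === 0) {
        return $real;
    }
    return false;
}

// Recursive delete for the temporary tree (does not follow symlinks).
function rmtree(string $dir): void
{
    foreach (scandir($dir) as $entry) {
        if ($entry === '.' || $entry === '..') {
            continue;
        }
        $path = "$dir/$entry";
        if (is_dir($path) && !is_link($path)) {
            rmtree($path);
        } else {
            unlink($path);
        }
    }
    rmdir($dir);
}

// Constructed tree: <tmp>/wp-content/themes/ltru plus an "outside" directory.
$root   = sys_get_temp_dir() . '/traversal_demo_' . getmypid();
$themes = "$root/wp-content/themes";
mkdir("$themes/ltru", 0700, true);
mkdir("$root/outside/wp-content/themes", 0700, true);
file_put_contents("$themes/ltru/style.css", "/* fine */");
file_put_contents("$themes/ltru/notes..txt", "two dots in a legitimate name");
file_put_contents("$root/outside/secret.txt", "not for the theme");
file_put_contents("$root/outside/wp-content/themes/evil.php", "<?php // outside the web root");
// A symlink inside the theme that points outside the allowed base.
@symlink("$root/outside/secret.txt", "$themes/ltru/link.txt");

$cases = [
    'legitimate file'             => "$themes/ltru/style.css",
    'classic ../ traversal'       => "$themes/ltru/../../../outside/secret.txt",
    'two dots inside a filename'  => "$themes/ltru/notes..txt",
    'symlink escape, no ".."'     => "$themes/ltru/link.txt",
    'marker string, outside root' => "$root/outside/wp-content/themes/evil.php",
];

printf("%-28s %-7s %s\n", 'case', 'regex', 'realpath');
foreach ($cases as $label => $path) {
    $regex = secure_file_path($path) ? 'allow' : 'deny';
    $real  = resolve_inside_base($themes, $path) === false ? 'deny' : 'allow';
    printf("%-28s %-7s %s\n", $label, $regex, $real);
}

rmtree($root);
```

Two caveats a practitioner will hit: realpath() returns false for a path that does not exist yet, so when the goal is to create a file, canonicalise the parent directory and check that instead; and the check says nothing about what the file becomes after it passes (a symlink swapped in between the check and the open is still a race), so keep the final open as close to the check as possible and run the PHP process with no more filesystem rights than the themes and plugins directories need.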