Databases
StackOverflow2013
Postsdbo
POSecuring a PHP file manager from its users
 

Note that there are some explanatory texts on larger screens.

plurals
  1. POSecuring a PHP file manager from its users
    primarykey
    data
    text
    <p>Hello everyone, I'm developing a photo sharing web site using the <a href="http://www.codeigniter.com/" rel="nofollow noreferrer">CodeIgniter PHP framework</a>. The idea is that people could upload their photos, manage them (through some sort of file browser which allows them to create subfolders, drag files around, etc) and edit them (some basic things like resizing, rotating and cropping to start with, and later on, I'll add some advanced features).</p> <p>I've already implemented a third party authentication solution for CI (<a href="http://code.google.com/p/reduxauth/" rel="nofollow noreferrer">Redux Authentication 2 Beta</a>) and I'm now integrating a JS/PHP file manager (<a href="http://sourceforge.net/projects/ajax-explorer/" rel="nofollow noreferrer">AjaxExplorer</a>), but the problem is that the PHP backend for managing files (moving, copying, etc) is trusting too much on the user input from the ajax calls. For instance, it's doing things like this (simplified for the sake of clarity):</p> <pre><code>move_uploaded_file($_FILES['upload']['tmp_name'], $root.$username.$_POST['destination_dir']); </code></pre> <p>As you can see, there are obvious security concerns as it blindly accepts whatever path the user throws in! I can already see someone sending something like "../AnotherUser/" as the $_POST['destination_dir'] value.</p> <p>My question is: <strong>What's the best way to "sandbox" a user, in order to only allow him to manage his own data?</strong> Do I just validate+filter the inputs, hoping to catch every attempt of intrusion? Are there any libraries/packages dedicated to address this specific issue?</p> <p>I think this problem must be somehow solved in any (mature enough) project, which gives its users the power of managing their files through a web browser, so I expected to find some clear guidelines around this (as there are a lot about SQL Injection, XSS, CSRF, etc) but I guess I'm not using the right keywords.</p>
    singulars
    1. PO
      singulars
      1. PTAnswer
    1. This table or related slice is empty.
    1. PTQuestion
    1. USPaul Wicks
    1. USlima
    plurals
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. PO
      singulars
      1. PTAnswer
    2. PO
      singulars
      1. PTAnswer
    3. PO
      singulars
      1. PTAnswer
    1. VO
      singulars
      1. POSecuring a PHP file manager from its users
      1. This table or related slice is empty.
      1. VTUpMod
    2. VO
      singulars
      1. POSecuring a PHP file manager from its users
      1. USDavid Kolar
      1. VTFavorite
    3. VO
      singulars
      1. POSecuring a PHP file manager from its users
      1. UStxyoji
      1. VTFavorite
    1. This table or related slice is empty.
 

Querying!

 
Guidance
A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload