Open vanHeerwaarden opened 2 months ago
SOLUTION My solution is working, but need some work: Mainly I add some extra code in our FILE Class for realpath to work:
public function create_directory(string $directory_path, int $permissions = 0755, bool $recursive = true): bool {
if (file_exists($directory_path)) {
return true;
}
// Validate the path to ensure it's allowed based on predefined security rules
if (!$this->is_path_valid($directory_path)) {
throw new Exception("Access to this path is restricted: $directory_path");
}
if (!mkdir($directory_path, $permissions, $recursive)) {
throw new Exception("Failed to create directory: $directory_path");
}
return true;
}
private function is_path_valid(string $path): bool {
$restricted_dirs = [APPPATH . 'config', APPPATH . 'engine', APPPATH . 'templates'];
$url_segments = explode('/',$path);
//STANDARD FOLDER UNDER PUBLIC
$url_parent= APPPATH."public/";
//STANDARD FOLDER UNDER ASSETS
//TODO $url_parent= APPPATH."/".xxxx."assets/";
// remove not existing folder in string
for ($i=0; $i < count($url_segments)-1 ; $i++) {
if($i !== count($url_segments)-2){
$url_parent .= $url_segments[$i]."/";
}else{
$url_parent .= $url_segments[$i];
}
}
$normalized_path = realpath($url_parent);
// Check if the path is in a restricted directory
foreach ($restricted_dirs as $dir) {
if (strpos($normalized_path, realpath($dir)) === 0) {
return false; // Path is inside a restricted directory
}
}
// Prevent manipulation of any files or directories directly under APPPATH
$relative_path = str_replace(APPPATH, '', $normalized_path);
if (strpos($relative_path, DIRECTORY_SEPARATOR) === false) {
return false; // Path is directly under the root directory
}
// Ensure the path is within the application directory to avoid external access
if (strpos($normalized_path, realpath(APPPATH)) !== 0) {
return false;
}
return true;
}
Working on local versions of my apps are causing problems. I like the new File class. So I'm happy I solved the problem by adding a few extra lines of code.(see solution)
I use it by calling
$this->file->create_directory($directory_path, $permissions, $recursive);
from one of my modules Only the Trongate code fails by$normalized_path = realpath($path);
. Because it gives an empty result.