Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

File Class - realpath($path) on local version fails (xampp) #200

Open
vanHeerwaarden opened this issue Aug 17, 2024 · 1 comment
Open

File Class - realpath($path) on local version fails (xampp) #200

vanHeerwaarden opened this issue Aug 17, 2024 · 1 comment

Comments

@vanHeerwaarden
Copy link

vanHeerwaarden commented Aug 17, 2024
edited
Loading

Working on local versions of my apps are causing problems.
I like the new File class. So I'm happy I solved the problem by adding a few extra lines of code.(see solution)

I use it by calling $this->file->create_directory($directory_path, $permissions, $recursive); from one of my modules
Only the Trongate code fails by $normalized_path = realpath($path);. Because it gives an empty result.

image
@vanHeerwaarden
Copy link
Author

SOLUTION
My solution is working, but need some work:
Mainly I add some extra code in our FILE Class for realpath to work:

public function create_directory(string $directory_path, int $permissions = 0755, bool $recursive = true): bool {
        if (file_exists($directory_path)) {
            return true;
        }
        // Validate the path to ensure it's allowed based on predefined security rules
        if (!$this->is_path_valid($directory_path)) {
            throw new Exception("Access to this path is restricted: $directory_path");
        }
        if (!mkdir($directory_path, $permissions, $recursive)) {
            throw new Exception("Failed to create directory: $directory_path");
        }
        return true;
    }
  1. remove not existing folder in string
  2. add realpath($dir) to check restricted folders
  3. add realpath(APPPATH) to check avoid external access
  4. Attention the folder will be made and the second time leave on file_exists($directory_path)! :)
 private function is_path_valid(string $path): bool {
        $restricted_dirs = [APPPATH . 'config', APPPATH . 'engine', APPPATH . 'templates'];
        $url_segments = explode('/',$path);
        //STANDARD FOLDER UNDER PUBLIC        
        $url_parent= APPPATH."public/";  
        //STANDARD FOLDER UNDER ASSETS 
        //TODO $url_parent= APPPATH."/".xxxx."assets/";  
        
        // remove not existing folder in string 
        for ($i=0; $i < count($url_segments)-1 ; $i++) { 
            if($i !== count($url_segments)-2){
                $url_parent .= $url_segments[$i]."/";
            }else{
                $url_parent .= $url_segments[$i];
            }       
        }       
        $normalized_path = realpath($url_parent);            

        // Check if the path is in a restricted directory       
        foreach ($restricted_dirs as $dir) {            
            if (strpos($normalized_path, realpath($dir)) === 0) {                
                return false; // Path is inside a restricted directory
            }
        }          
        // Prevent manipulation of any files or directories directly under APPPATH 
        $relative_path = str_replace(APPPATH, '', $normalized_path); 
                
        if (strpos($relative_path, DIRECTORY_SEPARATOR) === false) {            
            return false; // Path is directly under the root directory
        }
        // Ensure the path is within the application directory to avoid external access
        if (strpos($normalized_path, realpath(APPPATH)) !== 0) {            
            return false;
        }
        return true;
    }

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@vanHeerwaarden