Sanitize Path for PHP-Nuke
Date: Friday, October 31 @ 12:38:46 CET
Topic: Security



// Sanitize Path code from "Beginning PHP 4", ISBN: 1-861003-73-0
// Provided by http://nukecops.com - IACOJ
// Code prevents directory traversal, and is best placed in mainfile.php.
// USAGE: SanitizePath("../../../../config.php");
//        Returns "config.php" without the path traversal. Assign the return value to a variable.
// Note: ereg_replace() was removed in PHP 7.0; on current PHP the same three patterns
//       have to be written for preg_replace().

function SanitizePath($inpath) {
    $outpath = ereg_replace("\.[\.]+", "", $inpath);              // remove runs of two or more dots ("..", "...")
    $outpath = ereg_replace("^[\/]+", "", $outpath);              // remove leading slashes (absolute paths)
    $outpath = ereg_replace("^[A-Za-z][:\|][\/]?", "", $outpath); // remove a drive prefix such as "C:\" or "C|/"
    return($outpath);
}


This is a code snippet from "Beginning PHP 4", ISBN: 1-861003-73-0. It was located by IACOJ and it's something we need to start integrating into mainfile.php. I'll be passing this, or something similar, to Francisco. Once this code, or something similar, is implemented, developers may start using it in blocks, modules, addons, etc., which would help to prevent directory path traversal.
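The three substitutions the article relies on, ported to current PHP and paired with the containment check a reviewer would want next to them, as an added example (this is not code from the article, the book or PHP-Nuke). The function names sanitizePath() and isUnderBase(), the sample inputs and the temporary directory are constructed for this example; ereg_replace() is swapped for preg_replace() because the ereg functions were removed in PHP 7.0.

```php
<?php
// Added example, not code from the NukeCops article or from PHP-Nuke itself.
// It ports SanitizePath() to preg_replace() (ereg_replace() was removed in
// PHP 7.0) and adds a realpath()-based containment check, then runs both over
// a few constructed inputs.

declare(strict_types=1);

/**
 * Same three substitutions as the article's function, as PCRE patterns.
 * In a POSIX bracket expression the backslash is literal, so the original
 * "[:\|]" and "[\/]" also matched "\"; the classes below keep that behaviour.
 */
function sanitizePath(string $inpath): string
{
    $outpath = preg_replace('/\.\.+/', '', $inpath);                      // drop runs of two or more dots
    $outpath = preg_replace('#^/+#', '', $outpath);                       // drop leading slashes
    $outpath = preg_replace('#^[A-Za-z][:|\\\\][\\\\/]?#', '', $outpath); // drop a "C:\" or "C|/" prefix
    return $outpath;
}

/**
 * Defence in depth: after sanitising, resolve the final path and confirm it
 * still lies inside $baseDir. realpath() needs the target to exist, which is
 * the case for the include/fopen use the article has in mind.
 */
function isUnderBase(string $baseDir, string $relative): bool
{
    $base = realpath($baseDir);
    if ($base === false) {
        return false;
    }
    $target = realpath($base . DIRECTORY_SEPARATOR . $relative);
    if ($target === false) {
        return false;                       // missing file or unresolvable path: reject
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return $target === $base || strncmp($target, $prefix, strlen($prefix)) === 0;
}

// --- Constructed inputs (not from the article) -------------------------------
$samples = [
    '../../../../config.php',  // article's own example  -> "config.php"
    '/etc/passwd',             // absolute path          -> "etc/passwd"
    'C:\\windows\\win.ini',    // drive-letter prefix    -> "windows\win.ini"
    '....//....//config.php',  // dot runs, then slashes -> "config.php"
    'modules/News/index.php',  // benign path            -> unchanged
];
foreach ($samples as $in) {
    printf("%-26s -> %s\n", $in, sanitizePath($in));
}

// Containment check against a throw-away directory holding one file.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'nuke_demo_' . getmypid();
mkdir($base . '/modules', 0700, true);
file_put_contents($base . '/modules/index.php', "<?php\n");

foreach (['modules/index.php', '../../etc/passwd'] as $rel) {
    $clean = sanitizePath($rel);
    printf("%-20s raw inside=%-3s  clean=%-18s clean inside=%s\n",
        $rel,
        isUnderBase($base, $rel) ? 'yes' : 'no',     // raw string: traversal resolves outside
        $clean,
        isUnderBase($base, $clean) ? 'yes' : 'no');  // sanitised string: no such file under base
}

unlink($base . '/modules/index.php');
rmdir($base . '/modules');
rmdir($base);
```

Removing ".." is a denylist: it makes the string look harmless but proves nothing about where the final path lands, which is why the example also resolves the result with realpath() and compares it against the intended base directory. Run it with the php command-line binary; on a host where /etc/passwd exists the raw traversal string resolves to that file and is rejected by the containment check, while the sanitised form simply fails to resolve under the base and is rejected as well.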





This article comes from NukeCops
http://www.nukecops.com

The URL for this story is:
http://www.nukecops.com/modules.php?name=News&file=article&sid=910