file_check_location
Versions
- 4.6: file_check_location($source, $directory = 0)
- 4.7 – 6: file_check_location($source, $directory = '')
Checks whether a file is really located inside $directory. Use it to make sure a specified file is really located within the directory, to prevent exploits such as directory traversal.
<?php
// Returns 0 (the resolved path is outside $directory):
file_check_location('/www/example.com/files/../../../etc/passwd', '/www/example.com/files');
?>
Parameters
$source A string set to the file to check.
$directory A string where the file should be located.
Return value
0 for invalid path or the real path of the source.
Code
includes/file.inc, line 180
<?php
function file_check_location($source, $directory = '') {
  $check = realpath($source);
  if ($check) {
    $source = $check;
  }
  else {
    // This file does not yet exist
    $source = realpath(dirname($source)) .'/'. basename($source);
  }
  $directory = realpath($directory);
  if ($directory && strpos($source, $directory) !== 0) {
    return 0;
  }
  return $source;
}
?>
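The check in the listing above is a plain string-prefix comparison, so a sibling directory such as files_old also compares as inside files, and the comparison is skipped when $directory cannot be resolved. The following added example (not Drupal's code) shows a variant that fails closed and matches on a directory-separator boundary. It assumes POSIX path separators; resolve_path(), is_inside_directory() and the temporary fcl_demo_ layout are hypothetical names constructed for illustration.

```php
<?php
// Added example. resolve_path() and is_inside_directory() are hypothetical
// helper names, not Drupal APIs.
function resolve_path($source) {
  $real = realpath($source);
  if ($real !== FALSE) {
    return $real;
  }
  // Not created yet: resolve the parent and re-attach the final component.
  $parent = realpath(dirname($source));
  if ($parent === FALSE || !is_dir($parent)) {
    return FALSE;
  }
  return rtrim($parent, '/') . '/' . basename($source);
}

function is_inside_directory($source, $directory) {
  $base = realpath($directory);
  $real = resolve_path($source);
  if ($base === FALSE || $real === FALSE) {
    return FALSE; // Fail closed when either side cannot be resolved.
  }
  // Match on a separator boundary so "files_old" is not taken for "files".
  $prefix = rtrim($base, '/') . '/';
  return ($real === $base || strpos($real, $prefix) === 0) ? $real : FALSE;
}

// Constructed sample layout under the system temporary directory (POSIX paths).
$root = sys_get_temp_dir() . '/fcl_demo_' . getmypid();
mkdir("$root/files", 0700, TRUE);
mkdir("$root/files_old", 0700, TRUE);
touch("$root/files/a.txt");
touch("$root/files_old/b.txt");

$cases = array(
  "$root/files/a.txt",           // existing file inside
  "$root/files/new.txt",         // inside, not created yet
  "$root/files/../outside.txt",  // traversal out of the directory
  "$root/files_old/b.txt",       // sibling sharing the name prefix
);
$base = realpath("$root/files");
foreach ($cases as $path) {
  $prefix_only = strpos((string) resolve_path($path), $base) === 0;
  $bounded = is_inside_directory($path, "$root/files") !== FALSE;
  printf("%-28s prefix-only=%s boundary=%s\n", substr($path, strlen($root)),
    $prefix_only ? 'inside' : 'outside', $bounded ? 'inside' : 'outside');
}
array_map('unlink', array("$root/files/a.txt", "$root/files_old/b.txt"));
array_map('rmdir', array("$root/files", "$root/files_old", $root));
```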
Bug for PHP versions below 5.3
Please note that on *BSD systems the realpath() function for PHP versions below 5.3 will return true even if the file does not exist in the directory.
Check: http://php.net/manual/en/function.realpath.php
Use file_exists ( string $filename ) instead.