file_check_location

Definition

file_check_location($source, $directory = '')
drupal/includes/file.inc, line 244

Description

Check if a file is really located inside $directory.

Use this to make sure a specified file is really located within the directory, to prevent exploits. Note that the file or path being checked does not actually need to exist yet.


  // Returns FALSE:
  file_check_location('/www/example.com/files/../../../etc/passwd', '/www/example.com/files');

Parameters

$source: A string set to the file to check.

$directory: A string where the file should be located.

Return value

FALSE if the path does not exist in the directory; otherwise, the real path of the source.

Related topics

Name            Description
File interface  Common file handling functions.

Code

function file_check_location($source, $directory = '') {
  $check = realpath($source);
  if ($check) {
    $source = $check;
  }
  else {
    // This file does not yet exist.
    $source = realpath(dirname($source)) . '/' . basename($source);
  }
  $directory = realpath($directory);
  if ($directory && strpos($source, $directory) !== 0) {
    return FALSE;
  }
  return $source;
}
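
A stricter variant of this check, as an added example that is not part of Drupal's code (the function name example_check_location_strict() and the temporary directory layout are assumptions made for illustration). It goes beyond the listing in two ways: it compares on a directory-separator boundary, so a sibling such as files_private is not treated as being inside files, which the strpos() prefix comparison accepts, and it returns FALSE when the base directory cannot be resolved, a case in which the listing skips the comparison.

```php
<?php
// Added example, not Drupal code. example_check_location_strict() is a
// hypothetical name; the temporary directory layout below is constructed.
function example_check_location_strict($source, $directory) {
  $base = realpath($directory);
  if ($base === FALSE) {
    // Fail closed: an unresolvable base directory cannot contain anything.
    return FALSE;
  }
  $real = realpath($source);
  if ($real === FALSE) {
    // The file does not exist yet: resolve its parent directory instead.
    $parent = realpath(dirname($source));
    if ($parent === FALSE) {
      return FALSE;
    }
    $real = $parent . DIRECTORY_SEPARATOR . basename($source);
  }
  // Compare on a separator boundary so "files_private" does not match "files".
  $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
  if ($real !== $base && strncmp($real, $prefix, strlen($prefix)) !== 0) {
    return FALSE;
  }
  return $real;
}

// Constructed layout: two sibling directories whose names share a prefix.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'fcl_demo_' . getmypid();
mkdir("$root/files", 0700, TRUE);
mkdir("$root/files_private", 0700, TRUE);
touch("$root/files_private/secret.txt");
$base = realpath("$root/files");

$cases = array(
  "$root/files/new-upload.png",               // not created yet, inside
  "$root/files/../files_private/secret.txt",  // ".." into the sibling
  "$root/files/missing/x.txt",                // parent directory is absent
);
foreach ($cases as $case) {
  // Prefix-only test, following the resolution and strpos() steps of the listing.
  $resolved = realpath($case) ?: realpath(dirname($case)) . '/' . basename($case);
  $prefix_only = strpos($resolved, $base) === 0;
  $strict = example_check_location_strict($case, "$root/files") !== FALSE;
  printf("%-42s prefix-only=%s strict=%s\n", substr($case, strlen($root)),
    var_export($prefix_only, TRUE), var_export($strict, TRUE));
}

// Remove the constructed files again.
unlink("$root/files_private/secret.txt");
rmdir("$root/files_private");
rmdir("$root/files");
rmdir($root);
```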