5 Oct
2010
5 Oct
'10
11:41 a.m.
On Mon, Oct 04, 2010 at 10:51:54PM +0200, PyroPeter wrote:
It changes / to %2F so /etc/passwd would result in a broken path.
Assuming that basename does what basename(1) does, it will never output a slash. /etc/passwd would yield "passwd".
Yes, there's no need to additionally use urlencode() here. It's just the wrong function for this purpose. If you want to be absolutely sure that no one accesses files outside the upload directory, you can additionally use realpath() after building the path and check if the left part of the absolute path matches the upload directory, but this shouldn't be necessary if there are no symlinks or something similar in the directories referencing files outside.