Will Setting open_basedir in an .htaccess file completely limit a PHP scripts directory access?
My PHP script uses $_POST['fileUrl']; to retrieve a file for the user, which I believe poses a security threat because anyone could append "../../" etc to the fileUrl to gain access to other files on my server.
I need to find the best (most secure) way to limit files my script can access to a specific directory. From what I've read setting the open_basedir flag will limit my script's access to the path specified.
script.php
$fileUrl = $_POST['fileUrl'];
$content = chunk_split(base64_encode(file_get_contents($fileUrl)));
.htaccess
php_flag open_basedir "var/www/vhosts/mydomain.com/php_can_only_access_files_in_this_directory/"
Is there a better way to do this? Is this script completely secure from accessing folders outside the open_basedir?
Answer
If you want to avoid people performing directory traversal attacks by using ../../ in the file name you would be better off calling basename on the user supplied input to strip it down to a filename only.
See http://au2.php.net/basename for more details.
It is worth noting that the open_basedir flag only affects functions that check for it, in the past there have been several cases where php functions ignore the open_basedir flag, particularly in extensions such as imagemagick. Hence you should rather rely on secure coding practices and file permissions to restrict access to files.