<?php
// uncomment these to see what happens in different situations.
// note that this only handles file security; it DOES NOT stop me from reading your files, or vice-versa.
$_GET = ['user' => '__adrian', 'file' => 'foo.txt'];
//$_GET = ['user' => '__adrian', 'file' => 'remote-file-inclusion.exe'];
//$_GET = ['user' => 'UnicornTek', 'file' => 'filesystems-tutorial.pdf'];
//$_GET = ['user' => 'UnicornTek', 'file' => 'bar.txt'];
$allowed_files = [
'__adrian' => [
'foo.txt',
'bar.png'
],
'UnicornTek' => [
'filesystems-turoial.pdf',
'remote-file-inclusion.exe'
]
];
if (! isset($allowed_files[$_GET['user']]) || ! in_array($_GET['file'], $allowed_files[$_GET['file']])) {
throw new Exception("File Not Found: {$_GET['user']}/{$_GET['file']}");
}
readfile("/path/to/users/{$_GET['user']}/{$_GET['file']}");
Warning: Undefined array key "foo.txt" in /in/IMR2c on line 23
Fatal error: Uncaught TypeError: in_array(): Argument #2 ($haystack) must be of type array, null given in /in/IMR2c:23
Stack trace:
#0 /in/IMR2c(23): in_array('foo.txt', NULL)
#1 {main}
thrown in /in/IMR2c on line 23
Process exited with code 255.
Notice: Undefined index: foo.txt in /in/IMR2c on line 23
Warning: in_array() expects parameter 2 to be array, null given in /in/IMR2c on line 23
Fatal error: Uncaught Exception: File Not Found: __adrian/foo.txt in /in/IMR2c:24
Stack trace:
#0 {main}
thrown in /in/IMR2c on line 24
Process exited with code 255.
Output for 7.3.32 - 7.3.33
Warning: in_array() expects parameter 2 to be array, null given in /in/IMR2c on line 23
Fatal error: Uncaught Exception: File Not Found: __adrian/foo.txt in /in/IMR2c:24
Stack trace:
#0 {main}
thrown in /in/IMR2c on line 24
Process exited with code 255.