<?php function lfi_be_gone($userProvided, $basePath) { $real = realpath($userProvided); if ($real === false) { throw new Exception('LOL NOPE'); } if (strpos($real, $basePath) !== 0) { throw new Exception('LOL NOPE'); } return $real; } # Usage: $userProvidedVariable = '../../../../../../../../etc/passwd'; require_once lfi_be_gone("includes/" . $userProvidedVariable, $_SERVER['DOCUMENT_ROOT'] . '/includes/');
You have javascript disabled. You will not be able to edit any code.