- strpos: documentation ( source)
- realpath: documentation ( source)
<?php
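/**
 * Resolve a user-influenced path and make sure it stays inside $basePath.
 *
 * Both paths are canonicalised with realpath() before comparison, so '..'
 * segments and symlinks in either one cannot defeat the prefix check, and
 * the base is forced to end with a directory separator so a sibling
 * directory sharing the prefix (e.g. "includes_evil" next to "includes")
 * is not accepted as a child of the base.
 *
 * @param string $userProvided Path to resolve; may be attacker-controlled.
 * @param string $basePath     Directory the resolved path must live under.
 * @return string Canonical absolute path of the requested file.
 * @throws Exception When the target does not exist, $basePath cannot be
 *                   resolved, or the resolved target escapes $basePath.
 */
function lfi_be_gone($userProvided, $basePath)
{
    // Canonicalise the allowed directory too: a base written with symlinks or
    // '..' would otherwise never prefix-match realpath()'s canonical output.
    $base = realpath($basePath);
    if ($base === false) {
        throw new Exception('LOL NOPE');
    }
    // Guarantee a trailing separator so only true descendants match.
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // realpath() resolves '..' and symlinks and yields false for a target
    // that does not exist, so traversal sequences cannot survive this step.
    $real = realpath($userProvided);
    if ($real === false) {
        throw new Exception('LOL NOPE');
    }
    // Byte-wise prefix compare on the canonical forms; the separator-terminated
    // base makes "$base/x" and "${base}_evil/x" distinguishable.
    if (strncmp($real, $base, strlen($base)) !== 0) {
        throw new Exception('LOL NOPE');
    }
    return $real;
}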
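# Usage:
# Build the candidate path from the same directory that is passed as the base.
# The original form prefixed the user value with a CWD-relative "includes/",
# while the base was anchored at DOCUMENT_ROOT, so the two only agreed when
# the working directory happened to be DOCUMENT_ROOT.
$includeBase = $_SERVER['DOCUMENT_ROOT'] . '/includes/';
$userProvidedVariable = '../../../../../../../../etc/passwd';
// Throws instead of including anything when the resolved path escapes the base.
require_once lfi_be_gone($includeBase . $userProvidedVariable, $includeBase);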