Doing Filename Checks Securely (in PHP)

Recently a security issue in TYPO3 was fixed where it was possible to circumvent checks that are supposed to ensure that file names match specific patterns (e.g. denying .php file extensions on uploaded or renamed files). Because this problem is largely caused by PHP's laxity, this blog entry aims to give you, as a developer, the background you need to avoid placing similar security holes in your own software or TYPO3 extensions.

Imagine you are programming a very basic file upload script and use the following piece of code:

    $filename = $_POST['filename'];
    $contents = $_POST['contents'];
    file_put_contents($filename, $contents);

It is obvious that...…
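As an added example (not code from the original post or from TYPO3), the following contrasts a suffix-only pattern check, which is the kind of check the post warns about, with an anchored allowlist check that decides what a valid name looks like and rejects everything else. The function names, the allowed-extension list and the sample names are assumptions made for this illustration.

```php
<?php
// Added example, not from the original post. Compares a fragile extension
// check with an allowlist-based one.

// Fragile check: only looks at the suffix. In PCRE, "$" also matches just
// before a final "\n", so "report.txt\n" is accepted, and nothing stops
// directory separators from slipping through.
function weak_extension_check(string $filename): bool
{
    return preg_match('/\.(txt|jpg|png)$/i', $filename) === 1;
}

// Hardened check. $allowedExtensions is a hypothetical parameter for this example.
function is_safe_filename(string $filename, array $allowedExtensions = ['txt', 'jpg', 'png']): bool
{
    // 1. Exactly one path component: no slashes, and not "." or "..".
    if ($filename !== basename($filename) || $filename === '.' || $filename === '..') {
        return false;
    }
    // 2. Whole-string allowlist: printable ASCII name, one dot, alphanumeric
    //    extension. \A and \z anchor at the true ends of the string, so a
    //    trailing newline or any embedded control byte fails the match, and the
    //    string we validated is exactly the string the filesystem will see.
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,8})\z/', $filename, $m) !== 1) {
        return false;
    }
    // 3. Extension allowlist, compared case-insensitively so "PNG" is not a loophole.
    return in_array(strtolower($m[1]), array_map('strtolower', $allowedExtensions), true);
}

// Constructed sample inputs for illustration.
$samples = [
    "report.txt",      // both checks: accept
    "shell.php",       // both checks: reject
    "report.txt\n",    // weak: accept (PCRE "$"), hardened: reject
    "../config.txt",   // weak: accept (suffix only), hardened: reject
    "image.PNG",       // both checks: accept
];
foreach ($samples as $name) {
    printf("%-18s weak=%s hardened=%s\n",
        json_encode($name),
        weak_extension_check($name) ? 'accept' : 'reject',
        is_safe_filename($name) ? 'accept' : 'reject');
}
```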