Read folders and subfolder to remove unsafe files

04-06-2008, 12:19 PM
#1
Michael C

I am working on a script. It automates the submission of web templates. When the zip and form are uploaded/submitted, the zip file is unzipped to a folder. The only problem is with safety, if someone includes a PHP or malicious script in their folder and then runs it.

Any ideas how I could solve this? I was thinking I could write a script to read the folder which the zip was extracted to. It scans the folder and the folders it contains and deletes all files which aren't jpg, gif, psd, html, css, txt. I'm not sure how to go about that though. Any ideas?

What would be even better is to be able to scan the zip and, if the files are found, the user trying to submit it is told and it is not unzipped or saved. Not sure if that's possible. I'm using DunZip to unzip, by the way, and just read the following, which seems to suggest I could do this somehow.


The dUnzip2 class is pretty good and it can retrieve a full list of the packed files inside the ZIP file, and you can also see the file details (e.g. uncompressed size, mod time, comments - if any, and so on).


No php knowledge - google and editing is my expertise

04-09-2008, 08:34 PM
#2
Cooleo

If you have SSH this is easy..

I'll write you the code it's that easy!


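PHP Code:
<?php

// Extensions that must not appear anywhere in the archive listing
$notallowed = array("exe", "asp", "php");

// List the archive contents without extracting anything
$scan = (string) shell_exec("unzip -l file.zip");

$fail = 0;

foreach ($notallowed as $ext) {
    // eregi() was removed in PHP 7, so use a case-insensitive preg_match();
    // the dot is escaped so it only matches a literal "."
    if (preg_match('/\.' . preg_quote($ext, '/') . '/i', $scan)) {
        $fail = 1;
    }
}

if (!$fail) {
    shell_exec("unzip file.zip");
    //carry on
} else {
    echo 'Potentially malicious files detected...';
}

?>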
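
The pre-extraction check the first post asks for, as an added example that is not code from this thread: it reads the entry names with PHP's ZipArchive (an assumption; the thread uses dUnzip2 and `unzip -l`) and rejects the upload unless every file has one of the extensions listed in that post. `findRejectedEntries` and the sample archive are hypothetical, and the check goes beyond the post by also rejecting entries whose path would extract outside the target folder.

```php
<?php
// Added example, not code from the thread. Assumes the PHP zip extension.
// Allowlist from the first post: anything else rejects the whole upload.
const ALLOWED_EXT = ['jpg', 'gif', 'psd', 'html', 'css', 'txt'];

// Hypothetical helper: returns the entry names that fail the checks.
// The archive is only read, never extracted.
function findRejectedEntries(string $zipPath): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        return ['(archive could not be opened)'];
    }
    $rejected = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if ($name === false) {
            $rejected[] = "(unreadable entry #$i)";
            continue;
        }
        $norm  = str_replace('\\', '/', $name);
        $parts = explode('/', $norm);
        // Entries that would land outside the target folder when extracted
        $escapes = substr($norm, 0, 1) === '/'
            || preg_match('/^[a-z]:/i', $norm) === 1
            || in_array('..', $parts, true);
        $isDir = substr($norm, -1) === '/';
        // Last extension, lower-cased so "X.PHP" is treated like "x.php"
        $ext = strtolower(pathinfo($norm, PATHINFO_EXTENSION));
        if ($escapes || (!$isDir && !in_array($ext, ALLOWED_EXT, true))) {
            $rejected[] = $name;
        }
    }
    $zip->close();
    return $rejected;
}

// Constructed sample archive so the example runs offline
$tmp = tempnam(sys_get_temp_dir(), 'tpl');
$zip = new ZipArchive();
$zip->open($tmp, ZipArchive::OVERWRITE);
foreach (['index.html', 'css/site.css', 'img/logo.JPG',
          'img/thumb.php', 'notes', '../outside.txt'] as $entry) {
    $zip->addFromString($entry, 'sample');
}
$zip->close();

print_r(findRejectedEntries($tmp)); // entries that block the upload
unlink($tmp);
```

An empty result means the archive can be unzipped; otherwise the returned names can be shown to the submitter and the upload discarded without extracting it.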
