is_valid_rs_path()

Coding standards

Security in ResourceSpace

Developer reference

Database

Action functions

Admin functions

Ajax functions

Annotation functions

API functions

Collections functions

Comment functions

Config functions

CSV export functions

Dash functions

Debug functions

Encryption functions

Facial recognition functions

File functions

General functions

Language functions

Log functions

Message functions

Migration functions

Node functions

PDF functions

Plugin functions

Render functions

Reporting functions

Request functions

Research functions

Slideshow functions

Theme permission functions

getThemePathPerms()

User functions

Video functions

Database functions

Metadata functions

Resource functions

Search functions

Map functions

Job functions

get_job_type_priority()

Tab functions

Test functions

Description

Check if a given file path is from a valid RS accessible location

Parameters

Column	Type	Default	Description
$path	string
$override_paths	array	[]: bool { debug_function_call__FUNCTION__	Override checking of the default RS paths to check a specific location only.
	func_get_args;

Location

include/file_functions.php lines 373 to 449

Definition


 
function is_valid_rs_path(string $path, array $override_paths = []): bool
{
    debug_function_call(__FUNCTION__, func_get_args());
    if ($GLOBALS["config_windows"]) {
        $path = str_replace("\\", "/", $path);
    }

    $sourcerealpath = realpath($path);
    $source_path_not_real = !$sourcerealpath || !file_exists($sourcerealpath);
    debug('source_path_not_real = ' . json_encode($source_path_not_real));

    $checkname  = $path;
    $pathinfo = pathinfo($path);
    if (($pathinfo["extension"] ?? "") === "icc") {
        // ResourceSpace generated .icc files have a double extension, need to strip extension again before checking
        $checkname = $pathinfo["filename"] ?? "";
    }
    debug("checkname = {$checkname}");

    if ($source_path_not_real) {
        if (!(preg_match('/^(?!\.)(?!.*\.$)(?!.*\.\.)[a-zA-Z0-9_\-[:space:]\/:.]+$/', ($pathinfo['dirname'] ?? "")) && is_safe_basename($checkname))
        ) {
            debug('Invalid non-existing path');
            return false;
        }
    }

    // Check if path contains symlinks, if so don't use the value returned by realpath() as it is unlikely to match the expected paths
    $symlink = false;
    $path_parts = array_filter(explode("/", $path));
    $checkpath = "";
    foreach($path_parts as $path_part) {
        $checkpath .= "/" . $path_part;
        if(is_link($checkpath)) {
            debug("{$checkpath} is a symlink");
            $symlink = true;
            break;
        }
    }
    $path_to_validate = ($source_path_not_real || $symlink) ? $path : $sourcerealpath;
    debug("path_to_validate = {$path_to_validate}");

    if (count($override_paths) > 0) {
        $default_paths = $override_paths;
    } else {
        $default_paths = [
            dirname(__DIR__) . '/gfx',
            $GLOBALS['storagedir'],
            $GLOBALS['syncdir'],
            $GLOBALS['fstemplate_alt_storagedir'],
        ];
        if (isset($GLOBALS['tempdir'])) {
            $default_paths[] = $GLOBALS['tempdir'];
        }
    }
    $allowed_paths = array_filter(array_map('trim', array_unique($default_paths)));
    debug('allowed_paths = ' . implode(', ', $allowed_paths));

    foreach ($allowed_paths as $allowed_path) {
        debug("Iter allowed path - {$allowed_path}");
        $validpath = ($source_path_not_real || $symlink) ? $allowed_path : realpath($allowed_path);
        if ($GLOBALS["config_windows"]) {
            $allowed_path = str_replace("\\","/", $allowed_path);
            $validpath = str_replace("\\","/", $validpath);
            $path_to_validate = str_replace("\\","/", $path_to_validate);
        }
        debug("validpath = {$validpath}");
        debug("path_to_validate = {$path_to_validate}");
        if ($validpath !== false && mb_strpos($path_to_validate, $validpath) === 0) {
            debug('Path allowed');
            return true;
        }
    }

    debug('Default as an invalid path');
    return false;
}

This article was last updated 17th November 2024 15:05 Europe/London time based on the source file dated 22nd August 2024 16:45 Europe/London time.

Knowledge Base

is_valid_rs_path()

Description

Parameters

Location

Definition