Level 50
I guess you could have a route something like :
Route::get('/php/{script}', ['middleware' => 'auth', function ($script) {
require_once(storage_path("/legacy_php_scripts/{$script}"));
}]);
Nasty though... :-/
Oct 14, 2015
6
Level 1
Protect access to PHP file?
Hi,
One of the features that I want to provide in my laravel application is the ability to allow the user to execute pre-built PHP scripts only if they are an authenticated user. I can place these legacy PHP scripts anywhere in the laravel application (e.g. public or storage folder), but I cannot rewrite them in Laravel.
e.g. if the user access http://localhost/php/test.php, then my laravel application should show the test.php output only if he is an authenticated user.
Can this be done? Any help is highly appreciated. Thanks in advance!
Level 1
Works perfectly well! Thank you for the prompt reply.
Level 50
No worries :-)
Level 65
Be VERY careful about that.
Depending on how you code it and your PHP settings, someone could include a system file or something by going up levels. OR even include a php file via a URL. php/../logs/laravel.log could be used to find your current directory and then they could perform another one to grab any system file.
Level 56
Yes you have to sanitize the path provided in the url.
Level 50
Please or to participate in this conversation.