List: php-windows
Subject: Re: [PHP-WIN] Question about directory & file operations
From: Stut <stuttle () gmail ! com>
Date: 2006-01-30 13:24:24
Message-ID: 43DE1388.2060501 () gmail ! com
Mike wrote:
>>If it is called with the right parameters or the "Previous Directory"
>>link is clicked too many times, the browser will be outside
>>of the paths that I want them to be in...
>>
>>I would like to be able to lock the browser down to a
>>particular set of directories and their subs.
>>
>>
>What you may want to do is set up a bit of parsing in your script so that
>the script is passed the relative portion of the directory and the script
>appends the parent folders to that.
>
>For example, say the user is browsing directory C:\users\tom\images\vacation
>and you want to lock everything to the \users directory.
>
>Have the script expect
>http://localhost/script.php?path=users\tom\images\vacation instead of the
>full path. You can then do some basic string parsing to determine the first
>folder (in this case "users") and ensure that that matches a defined set of
>acceptable folders.
>
>So
>
>if($first_dir != "users"){
> echo "this is an invalid directory";
>}
>
>Etc.
>
>Also, if someone tries to pass "C:\" into $path, it'd end up getting parsed
>as "C:\C:\", which will obviously be an invalid directory.
>
>This would stop the user from doing something like
>
>http://localhost/script.php?path=windows\system32 since "windows" isn't in
>the approved folders list.
>
>I'm sure there's a bunch of other ways of doing this, but it's the first
>that popped into my head.
>
>
Please please please don't make this your only check. According to the
above I could easily do something like the following to get where I
wanted to go...
http://localhost/script.php?path=users\..\..\..\..\..\windows\system32
I suggest you look at http://php.net/realpath and use that to get the
real absolute path after ..'s etc have been expanded, then compare that
to the directory you want to lock them into.
-Stut
--
PHP Windows Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
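One way to implement Stut's realpath() suggestion, written as an added example for this archive page (it is not code from Mike, Stut or the original poster). The function name, the temporary directory tree it builds and the sample requests are assumptions for the demonstration; the directory names echo the thread's C:\users example. Two caveats Stut's mail does not spell out are handled: realpath() returns false for a path that does not exist, which must be treated as a rejection, and the prefix comparison needs a trailing separator, or a jail of "C:\users" would also admit "C:\users2".

```php
<?php
// Added example, not code from the thread: confine a directory-browsing
// script to one base directory with realpath(), as suggested above.
declare(strict_types=1);

/**
 * Resolve a client-supplied relative path inside $base.
 *
 * Returns the canonical absolute path when the target exists and lies in
 * $base (or is $base itself), otherwise null. realpath() expands ".", "..",
 * repeated separators and symlinks, so the check runs on the path that the
 * filesystem will actually use rather than on the string the client sent.
 */
function resolve_inside(string $base, string $userPath): ?string
{
    $realBase = realpath($base);
    if ($realBase === false) {
        return null;                       // the jail itself does not exist
    }

    // Treat "\" and "/" alike so "tom\images" and "tom/images" behave the
    // same on every platform (matches the Windows-style paths in the thread).
    $candidate = $realBase . DIRECTORY_SEPARATOR
        . str_replace(['\\', '/'], DIRECTORY_SEPARATOR, $userPath);

    // Caveat: realpath() returns false for a path that does not exist, so a
    // missing target is rejected instead of being mistaken for a safe one.
    $realTarget = realpath($candidate);
    if ($realTarget === false) {
        return null;
    }

    // Compare against the base WITH a trailing separator; a plain prefix test
    // on "C:\users" would also admit "C:\users2\...".
    $prefix   = rtrim($realBase, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    $haystack = $realTarget . DIRECTORY_SEPARATOR;
    $len      = strlen($prefix);

    // Windows filesystems are case-insensitive, so compare accordingly there.
    $inside = DIRECTORY_SEPARATOR === '\\'
        ? strncasecmp($haystack, $prefix, $len) === 0
        : strncmp($haystack, $prefix, $len) === 0;

    return $inside ? $realTarget : null;
}

// --- Demonstration on a constructed temporary tree (names are made up) ---
$jail = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'jail_' . bin2hex(random_bytes(4));
$dirs = [
    'users', 'users/tom', 'users/tom/images', 'users/tom/images/vacation',
    'users2',                      // sibling that a naive prefix test would admit
    'windows', 'windows/system32', // decoy that exists but is outside the jail
];
mkdir($jail, 0700);
foreach ($dirs as $d) {
    mkdir($jail . DIRECTORY_SEPARATOR . str_replace('/', DIRECTORY_SEPARATOR, $d), 0700);
}

$base = $jail . DIRECTORY_SEPARATOR . 'users';   // the directory we lock into
$requests = [
    'tom\images\vacation',                 // legitimate
    'tom\images\..\..\tom',                // ".." that stays inside the jail: allowed
    '..\users2',                           // sibling: caught only because of the trailing separator
    '..\windows\system32',                 // exists, one step up: caught by the prefix check
    'tom\..\..\..\..\..\windows\system32', // Stut's example, relative to the jail
    'tom\nothing_here',                    // missing target: realpath() returns false
];
foreach ($requests as $req) {
    $res = resolve_inside($base, $req);
    printf("%-40s => %s\n", $req, $res === null ? 'REJECTED' : 'OK ' . $res);
}

// Clean up the temporary tree.
foreach (array_reverse($dirs) as $d) {
    rmdir($jail . DIRECTORY_SEPARATOR . str_replace('/', DIRECTORY_SEPARATOR, $d));
}
rmdir($jail);
```

In the browser script itself the call would be `resolve_inside('C:\users', $_GET['path'])`, with the request refused whenever null comes back; the "Previous Directory" link is then harmless, because every link the script emits is re-checked the same way on the next request.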