Mike wrote:
If it is called with the right parameters or the "Previous Directory"
link is clicked too many times, the browser will be outside
of the paths that I want them to be in...
I would like to be able to lock the browser down to a
particular set of directories and their subs.
What you may want to do is set up a bit of parsing in your script so that
the script is passed the relative portion of the directory and the script
appends the parent folders to that.
For example, say the user is browsing directory C:\users\tom\images\vacation
and you want to lock everything to the \users directory.
Have the script expect
http://localhost/script.php?path=users\tom\images\vacation instead of the
full path. You can then do some basic string parsing to determine the first
folder (in this case "users") and ensure that that matches a defined set of
acceptable folders.
So
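// First folder of the relative path passed in ?path=
$parts = explode("\\", $_GET['path']);
$first_dir = $parts[0];
if ($first_dir != "users") {
    echo "this is an invalid directory";
}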
Etc.
Also, if someone tries to pass "C:\" into $path, it'd end up getting parsed
as "C:\C:\", which will obviously be an invalid directory.
This would prevent the user from doing something like
http://localhost/script.php?path=windows\system32 since "windows" isn't in
the approved folders list.
I'm sure there's a bunch of other ways of doing this, but it's the first
that popped into my head.
Please please please don't make this your only check. According to the
above I could easily do something like the following to get where I
wanted to go...
http://localhost/script.php?path=users\..\..\..\..\..\windows\system32
I suggest you look at http://php.net/realpath and use that to get the
real absolute path after ..'s etc have been expanded, then compare that
to the directory you want to lock them into.
-Stut
--
PHP Windows Mailing List (http://www.php.net/)
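
The realpath() comparison suggested in the last reply, as an added example that is not code from the thread. The helper name resolve_within() and the sample directory tree are assumptions built for the demonstration; the requests use forward slashes, which PHP accepts on Windows as well.

```php
<?php
// Added example: confine a user-supplied relative path to one base directory.
// resolve_within() is a hypothetical helper name, not from the thread.
function resolve_within(string $base, string $relative): ?string
{
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;                        // the base itself is missing
    }
    // realpath() expands "..", "." and symlinks; it returns false if the
    // resulting path does not exist.
    $target = realpath($baseReal . DIRECTORY_SEPARATOR . $relative);
    if ($target === false) {
        return null;
    }
    // Compare against the base plus a trailing separator, so a sibling such
    // as "users_private" does not pass as being inside "users".
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($target !== $baseReal && strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Constructed sample tree under the system temp directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lockdown_demo_' . getmypid();
@mkdir($root . '/users/tom/images/vacation', 0700, true);
@mkdir($root . '/users_private', 0700, true);
@mkdir($root . '/windows/system32', 0700, true);
$base = $root . '/users';

// Constructed requests, as they would arrive in the "path" parameter.
$requests = [
    'tom/images/vacation',      // stays inside the base
    '../windows/system32',      // climbs out of the base with ".."
    '../users_private',         // sibling whose name starts with the base's name
    'tom/missing',              // does not exist
];
foreach ($requests as $rel) {
    $resolved = resolve_within($base, $rel);
    echo str_pad($rel, 24), ' => ', $resolved === null ? 'rejected' : 'allowed', PHP_EOL;
}
```

Because realpath() returns false for paths that do not exist, this check suits browsing existing directories; a path that is about to be created needs its parent directory validated instead.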