I found a much simpler way to handle this problem. It's not pretty, but it's effective.

    // eregi() from the original post was removed in PHP 7; the same patterns
    // are applied here with preg_match() (case-insensitive, like eregi()).
    $path = isset($_GET["path"]) ? $_GET["path"] : "";
    if ($path == "") {
        $path = "D:/FTPDIR";
    }

    $test = $path; // keep from mangling $path... For some reason, if I did the test
                   // below using $path it caused problems further in the script.
                   // (The original condition read "$test = eregi(...) || ...", which
                   // assigned the boolean result to $test instead of testing it.)
    if (preg_match('/:$/i', $test)
        || preg_match('/^\../i', $test)
        || preg_match('/^\/?\../i', $test)) {
        $path = "D:/FTPDIR";
    }

I tried it first with just the first eregi, and was only able to catch a case where the user tried to access with a URL like

http://localhost/fileman.php?path=C:

It would still let you browse unwanted directories by doing

http://localhost/fileman.php?path=/../

so I added the second eregi and that stopped that... but...

http://localhost/fileman.php?path=/../../

would still get through. The third eregi stopped that one... It seems that I have it fixed so that only links I specify in the script are able to be browsed, unless a person knows a particular directory. But that can easily be stopped by filtering known directories like C:/Windows with another eregi.

Thanks for the advice, guys... It got me thinking.

"Stut" <stuttle@xxxxxxxxx> wrote in message news:43DE1388.2060501@xxxxxxxxxxxx
> Mike wrote:
>
>>>If it is called with the right parameters or the "Previous Directory"
>>>link is clicked too many times, the browser will be outside of the paths
>>>that I want them to be in...
>>>
>>>I would like to be able to lock the browser down to a particular set of
>>>directories and their subs.
>>>
>>What you may want to do is set up a bit of parsing in your script so that
>>the script is passed the relative portion of the directory and the script
>>appends the parent folders to that.
>>For example, say the user is browsing directory
>>C:\users\tom\images\vacation
>>and you want to lock everything to the \users directory.
>>
>>Have the script expect
>>http://localhost/script.php?path=users\tom\images\vacation instead of the
>>full path. You can then do some basic string parsing to determine the first
>>folder (in this case "users") and ensure that that matches a defined set of
>>acceptable folders.
>>
>>So
>>if($first_dir != "users"){
>>  echo "this is an invalid directory";
>>}
>>
>>Etc.
>>
>>Also, if someone tries to pass "C:\" into $path, it'd end up getting parsed
>>as "C:\C:\", which will obviously be an invalid directory.
>>
>>This would keep the user from doing something like
>>http://localhost/script.php?path=windows\system32 since "windows" isn't in
>>the approved folders list.
>>
>>I'm sure there's a bunch of other ways of doing this, but it's the first
>>that popped into my head.
>>
> Please please please don't make this your only check. According to the
> above I could easily do something like the following to get where I wanted
> to go...
>
> http://localhost/script.php?path=users\..\..\..\..\..\windows\system32
>
> I suggest you look at http://php.net/realpath and use that to get the real
> absolute path after ..'s etc have been expanded, then compare that to the
> directory you want to lock them into.
>
> -Stut

--
PHP Windows Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
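The following is an added example (the editor's, not code from Mike's post or from Stut's reply) that implements the realpath() check Stut suggests and runs it side by side with a preg_match() port of the three patterns from the post, so both can be compared on the same inputs. The function names confinePath() and passesPostBlacklist(), the temporary directory tree and the sample inputs are all assumptions made for the demo; the locked directory is assumed to exist on disk and user input is treated as a path relative to it.

```php
<?php
// Added example by the editor, not code from Mike's post or Stut's reply.
// Shows the realpath()-based confinement Stut describes: expand the requested
// path, then confirm the result still lies inside the locked directory.
// Assumed: the locked directory exists; user input is joined onto it as a
// relative path. The temporary tree below is constructed for the demo only.

declare(strict_types=1);

/**
 * The three patterns from the post, ported from eregi() to preg_match().
 * Returns true when the input slips past all three.
 */
function passesPostBlacklist(string $path): bool
{
    return !preg_match('/:$/i', $path)
        && !preg_match('/^\../i', $path)
        && !preg_match('/^\/?\../i', $path);
}

/**
 * Resolve $requested relative to $base and return the canonical absolute path
 * if it stays inside $base; return null if it escapes or does not exist
 * (realpath() returns false for a path that does not exist).
 */
function confinePath(string $base, string $requested): ?string
{
    $root = realpath($base);
    if ($root === false) {
        return null;                     // locked directory itself is missing
    }
    $rootNoSep = rtrim($root, DIRECTORY_SEPARATOR);
    $prefix    = $rootNoSep . DIRECTORY_SEPARATOR;

    // Always join onto the root, so "C:" or "/etc" cannot select another root.
    $candidate = realpath($prefix . ltrim($requested, '/\\'));
    if ($candidate === false) {
        return null;                     // nothing there once ".." is expanded
    }
    if ($candidate === $rootNoSep || $candidate === $root) {
        return $candidate;               // the locked directory itself
    }
    // Windows paths are case-insensitive; compare the prefix accordingly.
    // Including the trailing separator in the prefix keeps "D:\FTPDIR2"
    // from passing as a child of "D:\FTPDIR".
    $cmp = (DIRECTORY_SEPARATOR === '\\')
        ? strncasecmp($candidate, $prefix, strlen($prefix))
        : strncmp($candidate, $prefix, strlen($prefix));
    return $cmp === 0 ? $candidate : null;
}

// --- demo on a constructed temporary tree ---------------------------------
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'ftpdir_demo_' . getmypid();
$sub  = $base . DIRECTORY_SEPARATOR . 'pub' . DIRECTORY_SEPARATOR . 'images';
if (!is_dir($sub) && !mkdir($sub, 0700, true)) {
    exit("could not create demo tree\n");
}

$inputs = [
    'pub/images',   // legitimate
    'pub/../pub',   // a ".." that stays inside the root
    '../',          // the second pattern catches this
    '/../../',      // the third pattern catches this
    'pub/../../',   // walks out of the root but matches none of the patterns
    'C:',           // caught by the ':$' pattern
    'C:/Windows',   // not caught; joined onto the root, so it only resolves
                    // if the root happens to contain such a subdirectory
];
foreach ($inputs as $in) {
    printf("%-12s blacklist: %-5s  realpath check: %s\n",
        $in,
        passesPostBlacklist($in) ? 'pass' : 'block',
        confinePath($base, $in) ?? 'blocked');
}

// tidy up the constructed tree
rmdir($sub);
rmdir(dirname($sub));
rmdir($base);
```

Run it with `php confine.php`; on Windows realpath() returns backslash paths, which is why the prefix comparison is case-insensitive there. Two consequences of building on realpath() are worth knowing: it follows symlinks, so a link inside the root that points outside is rejected rather than followed, and it returns false for a path that does not exist, so a typo in the requested directory is treated the same as an escape attempt.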