Re: Question about directory & file operations

GT wrote:

"Stut" <stuttle@xxxxxxxxx> wrote in message news:43DE1388.2060501@xxxxxxxxxxxx
Mike wrote:

If it is called with the right parameters or the "Previous Directory"
link is clicked too many times, the browser will be outside of the paths that I want them to be in...

I would like to be able to lock the browser down to a particular set of directories and their subs.

What you may want to do is set up a bit of parsing in your script so that
the script is passed the relative portion of the directory and the script
appends the parent folders to that.
For example, say the user is browsing directory C:\users\tom\images\vacation
and you want to lock everything to the \users directory.

Have the script expect
http://localhost/script.php?path=users\tom\images\vacation instead of the
full path. You can then do some basic string parsing to determine the first folder (in this case "users") and ensure that that matches a defined set of
acceptable folders.

So
if($first_dir != "users"){
echo "this is an invalid directory";
}

Etc.

Also, if someone tries to pass "C:\" into $path, it'd end up getting parsed
as "C:\C:\", which will obviously be an invalid directory.

This would keep the user from doing something like
http://localhost/script.php?path=windows\system32 since "windows" isn't in
the approved folders list.

I'm sure there's a bunch of other ways of doing this, but it's the first
that popped into my head.

Please please please don't make this your only check. According to the above I could easily do something like the following to get where I wanted to go...

http://localhost/script.php?path=users\..\..\..\..\..\windows\system32


I suggest you look at http://php.net/realpath and use that to get the real absolute path after ..'s etc have been expanded, then compare that to the directory you want to lock them into.

-Stut
I found a much simpler way to handle this problem..

It's not pretty, but it's effective.

  // Read the requested path; fall back to the FTP root when it is absent or empty.
  $path = isset($_GET["path"]) ? $_GET["path"] : "";
  if ($path == "") {
       $path = "D:/FTPDIR";
  }
  $test = $path; // keep from mangling $path... For some reason, if I did the test below using $path it caused problems further in the script.

  // The original used eregi(), which was removed in PHP 7; the same case-insensitive
  // patterns are written here with preg_match(). The original also assigned the
  // result back to $test ("$test = eregi(...) || ..."), which overwrote the variable
  // with a boolean; the assignment is dropped here.
  // 1st: ends with ":"                 (e.g. ?path=C:)
  // 2nd: starts with "."               (e.g. ?path=../)
  // 3rd: optional "/" then "."         (e.g. ?path=/../../)
  if (preg_match('/:$/i', $test) || preg_match('/^\../i', $test) || preg_match('/^\/?\../i', $test)) {
       $path = "D:/FTPDIR";
  }

I tried it first with just the first eregi, and was only able to catch a case where the user tried to
access with a URL like http://localhost/fileman.php?path=C:

It would still let you browse unwanted directories by doing
http://localhost/fileman.php?path=/../

so I added the second eregi and that stopped that... but...

http://localhost/fileman.php?path=/../../

would still get thru

the third eregi stopped that one... it seems that I have it fixed so that only links I specify in the script are able to be browsed.. Unless a person knows a particular Directory.. But that can easily be
stopped by filtering known directories like C:/Windows with another eregi

Thanks for the advice, guys... It got me thinkin.
I would still urge you to include the use of the realpath function. With the various character encodings that are around, realpath is the only way to get the actual absolute path, and it's that path you should be checking, not the one you've created from the incoming variables.

-Stut
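The realpath-based containment check Stut recommends, written out as an added example (this is not code from either poster). It joins the client-supplied value to the allowed base directory, lets realpath() collapse every "..", drive letter and leading slash, and then verifies that the resolved path still starts with the base. D:/FTPDIR is the base used in the thread; the function names, the temporary demo directory and the sample inputs are this example's own assumptions.

```php
<?php
// Added example: resolve the requested path with realpath() and accept it only
// if it lies inside the allowed base directory.

/**
 * Resolve $requested as a name relative to $base.
 * Returns the absolute real path if it lies inside $base, or false otherwise.
 */
function resolve_under_base(string $base, string $requested)
{
    $realBase = realpath($base);
    if ($realBase === false) {
        return false;               // the allowed root itself does not exist
    }

    // Always join to the base: an absolute path, a drive letter ("C:") or a
    // leading "/" from the client is thereby treated as a relative name, and
    // realpath() still collapses every ".." that follows. Backslashes are
    // mapped to "/" so the behaviour is the same on Windows and Unix.
    $candidate = $realBase . DIRECTORY_SEPARATOR . str_replace('\\', '/', $requested);

    $real = realpath($candidate);
    if ($real === false) {
        return false;               // does not exist or cannot be resolved
    }

    // Prefix check with a trailing separator, so that D:\FTPDIR2 is not
    // accepted as lying under D:\FTPDIR. Case-insensitive for NTFS.
    $prefix = rtrim($realBase, '\\/') . DIRECTORY_SEPARATOR;
    if ($real !== $realBase && strncasecmp($real, $prefix, strlen($prefix)) !== 0) {
        return false;               // resolved to somewhere outside the base
    }
    return $real;
}

/**
 * Self-contained demo: builds a temporary tree (constructed for this example)
 * and feeds it the inputs discussed in the thread.
 * Returns an array of input => accepted (bool).
 */
function demo(): array
{
    $base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'ftpdir_demo_' . getmypid();
    mkdir($base . '/users/tom/images', 0700, true);

    $inputs = [
        '',                                              // default: the base itself
        'users/tom/images',                              // legitimate browse
        'users\\..\\..\\..\\..\\..\\windows\\system32',  // Stut's traversal example
        '/../',                                          // GT's second case
        '/../../',                                       // GT's third case
        'C:',                                            // GT's first case
    ];

    $results = [];
    foreach ($inputs as $in) {
        $results[$in] = resolve_under_base($base, $in) !== false;
    }

    // Clean up the constructed tree.
    rmdir($base . '/users/tom/images');
    rmdir($base . '/users/tom');
    rmdir($base . '/users');
    rmdir($base);
    return $results;
}

// In fileman.php the same check would replace the regex tests:
//   $path = resolve_under_base('D:/FTPDIR', $_GET['path'] ?? '');
//   if ($path === false) { $path = realpath('D:/FTPDIR'); }
foreach (demo() as $in => $ok) {
    printf("%-48s %s\n", var_export($in, true), $ok ? 'accepted' : 'rejected');
}
```

Only the empty input and users/tom/images are accepted; the four traversal and drive-letter inputs are rejected either because realpath() returns false (the target does not exist) or because the resolved path no longer starts with the base. Two properties of realpath() are worth knowing when relying on it: it returns false for any path that does not exist, so a nonexistent-but-inside path is also rejected, and it follows symlinks and junctions, so a link inside the base that points outside it fails the prefix check rather than silently widening the browsable tree.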

--
PHP Windows Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

