GT wrote:
"Stut" <stuttle@xxxxxxxxx> wrote in message
news:43DE1388.2060501@xxxxxxxxxxxx
Mike wrote:
If it is called with the right parameters or the "Previous Directory"
link is clicked too many times, the browser will be outside of the paths
that I want them to be in...
I would like to be able to lock the browser down to a particular set of
directories and thier subs.
What you may want to do is set up a bit of parsing in your script so that
the script is passed the relative portion of the directory and the script
appends the parent folders to that.
For example, say the user is browsing directory
C:\users\tom\images\vacation
and you want to lock everything to the \users directory.
Have the script expect
http://localhost/script.php?path=users\tom\images\vacation instead of the
full path. You can then do some basic string parsing to determine the
first
folder (in this case "users") and ensure that that matches a defined set
of
acceptable folders.
So
if($first_dir != "users"){
echo "this is an invalid directory";
}
Etc.
Also, if someone tries to pass "C:\" into $path, it'd end up getting
parsed
as "C:\C:\", which will obviously be an invalid directory.
This would allow the user from doing something like
http://localhost/script.php?path=windows\system32 since "windows" isn't in
the approved folders list.
I'm sure there's a bunch of other ways of doing this, but it's the first
that popped into my head.
Please please please don't make this your only check. According to the
above I could easily do something like the following to get where I wanted
to go...
http://localhost/script.php?path=users\..\..\..\..\..\windows\system32
I suggest you look at http://php.net/realpath and use that to get the real
absolute path after ..'s etc have been expanded, then compare that to the
directory you want to lock them into.
-Stut
I found a much simpler way to handle this problem..
It's not pretty, but it's effective.
$path = $_GET["path"];
if( !isset( $path ) || $path == "" ) {
$path = "D:/FTPDIR";
}
$test = $path; // keep from mangling $path... For some reason, if I
did the test below using $path it caused problems further in the script.
if ($test = eregi(':$', $test) || eregi('^\..', $test) ||
eregi('^\/?\..', $test) ) {
$path = "D:/FTPDIR";
}
I tried it first with just the first eregi, and was only able to catch a
case where the user tried to
access with a URL like http://localhost/fileman.php?path=C:
It would still let you browse unwanted directories by doing
http://localhost/fileman.php?path=/../
so I added the second eregi and that stopped that... but...
http://localhost/fileman.php?path=/../../
would still get thru
the third eregi stopped that one... it seems that I have it fixed so that
only links I specify in the
script are able to be browsed.. Unless a person knows a particular
Directory.. But that can easiliy be
stopped by filtering known directories like C:/Windows with another eregi
Thanks advice guys... It got me thinkin.
I would still urge you to include the use of the realpath function. With
the various character encodings that are around realpath is the only way
to get the actual absolute path and it's that path you should be
checking not the one you've created from the incoming variables.
-Stut
--
PHP Windows Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
