I'll have a peek at it..

"Stut" <stuttle@xxxxxxxxx> wrote in message news:43E08A7C.5070400@xxxxxxxxxxxx
> GT wrote:
>
>> "Stut" <stuttle@xxxxxxxxx> wrote in message
>> news:43DE1388.2060501@xxxxxxxxxxxx
>>
>>> Mike wrote:
>>>
>>>>> If it is called with the right parameters or the "Previous Directory"
>>>>> link is clicked too many times, the browser will be outside of the
>>>>> paths that I want them to be in...
>>>>>
>>>>> I would like to be able to lock the browser down to a particular set of
>>>>> directories and their subs.
>>>>
>>>> What you may want to do is set up a bit of parsing in your script so that
>>>> the script is passed the relative portion of the directory and the script
>>>> appends the parent folders to that.
>>>> For example, say the user is browsing directory
>>>> C:\users\tom\images\vacation
>>>> and you want to lock everything to the \users directory.
>>>>
>>>> Have the script expect
>>>> http://localhost/script.php?path=users\tom\images\vacation instead of the
>>>> full path. You can then do some basic string parsing to determine the first
>>>> folder (in this case "users") and ensure that that matches a defined set of
>>>> acceptable folders.
>>>>
>>>> So
>>>>     if($first_dir != "users"){
>>>>         echo "this is an invalid directory";
>>>>     }
>>>>
>>>> Etc.
>>>>
>>>> Also, if someone tries to pass "C:\" into $path, it'd end up getting parsed
>>>> as "C:\C:\", which will obviously be an invalid directory.
>>>>
>>>> This would keep the user from doing something like
>>>> http://localhost/script.php?path=windows\system32 since "windows" isn't in
>>>> the approved folders list.
>>>>
>>>> I'm sure there's a bunch of other ways of doing this, but it's the first
>>>> that popped into my head.
>>>
>>> Please please please don't make this your only check. According to the
>>> above I could easily do something like the following to get where I
>>> wanted to go...
>>>
>>> http://localhost/script.php?path=users\..\..\..\..\..\windows\system32
>>>
>>> I suggest you look at http://php.net/realpath and use that to get the
>>> real absolute path after ..'s etc have been expanded, then compare that
>>> to the directory you want to lock them into.
>>>
>>> -Stut
>>
>> I found a much simpler way to handle this problem..
>>
>> It's not pretty, but it's effective.
>>
>>     $path = $_GET["path"];
>>     if( !isset( $path ) || $path == "" ) {
>>         $path = "D:/FTPDIR";
>>     }
>>     $test = $path; // keep from mangling $path... For some reason, if
>>                    // I did the test below using $path it caused problems
>>                    // further in the script.
>>
>>     if ($test = eregi(':$', $test) || eregi('^\..', $test) ||
>>         eregi('^\/?\..', $test) ) {
>>         $path = "D:/FTPDIR";
>>     }
>>
>> I tried it first with just the first eregi, and was only able to catch a
>> case where the user tried to access with a URL like
>> http://localhost/fileman.php?path=C:
>>
>> It would still let you browse unwanted directories by doing
>>     http://localhost/fileman.php?path=/../
>>
>> so I added the second eregi and that stopped that... but...
>>
>>     http://localhost/fileman.php?path=/../../
>>
>> would still get thru
>>
>> the third eregi stopped that one... it seems that I have it fixed so that
>> only links I specify in the script are able to be browsed.. Unless a person
>> knows a particular Directory.. But that can easily be stopped by filtering
>> known directories like C:/Windows with another eregi
>>
>> Thanks advice guys... It got me thinkin.
>
> I would still urge you to include the use of the realpath function. With
> the various character encodings that are around realpath is the only way
> to get the actual absolute path and it's that path you should be checking
> not the one you've created from the incoming variables.
>
> -Stut

-- 
PHP Windows Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
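The realpath()-based check Stut recommends, written out as an added example (not code posted by anyone in this thread): the base directory, the demo directory names and the function name are assumptions, and the check rejects any request whose resolved path is not inside the allowed base, including the `..` and `C:` forms discussed above.

```php
<?php
// Resolve a user-supplied relative path against a fixed base directory and
// refuse anything whose real, absolute path lies outside that base.
// Hypothetical helper for this thread's file-manager scenario.
function resolve_within_base(string $base, string $requested): ?string
{
    $realBase = realpath($base);
    if ($realBase === false) {
        return null;                       // base directory does not exist
    }
    // Append the request to the base so "C:\..." and "/..." cannot re-root it,
    // then let realpath() collapse every ".." and symlink for us.
    $real = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($real === false) {
        return null;                       // non-existent target (or failure)
    }
    // Compare with a trailing separator so "/FTPDIR_evil" is not accepted as
    // being inside "/FTPDIR"; the empty request resolves to the base itself.
    $prefix = rtrim($realBase, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    $len    = strlen($prefix);
    // Windows paths are case-insensitive, so compare accordingly there.
    $cmp = DIRECTORY_SEPARATOR === '\\'
        ? strncasecmp($real . DIRECTORY_SEPARATOR, $prefix, $len)
        : strncmp($real . DIRECTORY_SEPARATOR, $prefix, $len);
    return $cmp === 0 ? $real : null;
}

// Demo on a constructed throw-away tree: an allowed base plus a sibling
// directory that shares the base's name as a prefix.
$base  = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'ftpdir_demo_' . getmypid();
$evil  = $base . '_evil';
mkdir($base . '/users/tom/images', 0700, true);
mkdir($evil, 0700, true);

$requests = ['', 'users/tom/images', 'users/../../..', '/../../', 'C:',
             '../' . basename($evil)];
foreach ($requests as $path) {
    $ok = resolve_within_base($base, $path);
    printf("%-28s -> %s\n", var_export($path, true), $ok === null ? 'REJECTED' : $ok);
}

// Tidy up the demo tree.
foreach (["$base/users/tom/images", "$base/users/tom", "$base/users", $base, $evil] as $d) {
    rmdir($d);
}
```

Because realpath() returns false for paths that do not exist, a request for a not-yet-created file is rejected as well; check existence first if that matters for your script.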