Hi,
i'm working on a script to allow users to browse a given directory, which is not the directory this file is sitting in, but set in a variable.
define('FOLDER', '../_files/');
Now, the rendred html allows to navigate subfolders inside that folder. I use a "dir" GET variable to tell my script which subfolder's content to display and a ".." link allowing to go upwards, using that same dir variable.
I've set a check that if $_GET['dir'] is equals to FOLDER, it should not display that ".." link. But it's easy enough to mess with that variable sitting in the url and wherever i do that, my script allows to browse above the authorized folder. Not exactly a safe situation...
So i'm thinking i should check the full local path of the authorized directory against the requested directory and if the latter is not inside the authorized one, not display the "..".
But i don't know how to do that. Any hints or pointer would be appreciated. Thanks
-
You might want to look at realpath().
$foo = realpath($foo); if (substr($foo, 0, 8) != '/my/path') { return false; }...or something like that.
Copied from this answer, since I think this question is better.
pixeline : thanks you. $foo is the requested directory ,and /my/path/ the authorized one, right?deceze : That's right. :) -
or you could use regex
$requested = realpath($foo); $allowedpath = '/path/to/allowed'; $regex = '/^'.addslashes($allowedpath).'\/?.*$/'; if (!preg_match($regex, $requested)) { return false; }Alix Axel : You should use preg_quote() instead of addslashes().stefita : preg_quote() won't replace my slashes since the regex start and end chars could be almost anything, but you can add it additionally to addslashes()
0 comments:
Post a Comment