Tuesday, March 1, 2011

listing a folder content : how to prevent user from going above the authorized directory?

Hi,

i'm working on a script to allow users to browse a given directory, which is not the directory this file is sitting in, but set in a variable.

 define('FOLDER', '../_files/');

Now, the rendred html allows to navigate subfolders inside that folder. I use a "dir" GET variable to tell my script which subfolder's content to display and a ".." link allowing to go upwards, using that same dir variable.

I've set a check that if $_GET['dir'] is equals to FOLDER, it should not display that ".." link. But it's easy enough to mess with that variable sitting in the url and wherever i do that, my script allows to browse above the authorized folder. Not exactly a safe situation...

So i'm thinking i should check the full local path of the authorized directory against the requested directory and if the latter is not inside the authorized one, not display the "..".

But i don't know how to do that. Any hints or pointer would be appreciated. Thanks

From stackoverflow
  • You might want to look at realpath().

    $foo = realpath($foo);
    if (substr($foo, 0, 8) != '/my/path') {
        return false;
    }
    

    ...or something like that.

    Copied from this answer, since I think this question is better.

    pixeline : thanks you. $foo is the requested directory ,and /my/path/ the authorized one, right?
    deceze : That's right. :)
  • or you could use regex

    $requested = realpath($foo);
    $allowedpath = '/path/to/allowed';
    
    $regex = '/^'.addslashes($allowedpath).'\/?.*$/';
    
    if (!preg_match($regex, $requested)) {
        return false;
    }
    
    Alix Axel : You should use preg_quote() instead of addslashes().
    stefita : preg_quote() won't replace my slashes since the regex start and end chars could be almost anything, but you can add it additionally to addslashes()

0 comments:

Post a Comment