http://php.net/realpath

$allowed_path = '/www/sites/mysite/teaching';
$file = realpath($file);   // false if the file does not exist, so the check below fails closed
// ereg() is gone in PHP 7; preg_quote() escapes the path and the trailing "/"
// stops a sibling such as "/www/sites/mysite/teaching-other" from passing the prefix test
if ($file !== false && preg_match('#^' . preg_quote($allowed_path, '#') . '/#', $file)) {
        // it's OK
} else {
        // possible attack!
}
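The same realpath-then-prefix check, written out as a complete, self-contained example (added here, not code from the thread): the function resolves both the base directory and the requested name with realpath(), compares against the prefix including the trailing separator, and fails closed when realpath() returns false. The function name resolveInside(), the temporary directory layout and the sample file names are assumptions made for the demonstration.

```php
<?php
// Added example (not from the thread): serve a file only if its resolved
// path lies inside a fixed base directory. Names, paths and the
// demonstration tree below are assumptions made for this example.

function resolveInside(string $baseDir, string $requested): ?string
{
    // Resolve the base directory once; realpath() returns false if it
    // does not exist, so fail closed in that case.
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Normalise the requested path relative to the base. realpath()
    // collapses "..", "." and symlinks and returns false for missing files.
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false) {
        return null;
    }
    // The prefix must include the trailing separator, otherwise
    // ".../teaching" would also accept ".../teaching-private/secret.txt".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Self-contained demonstration using a constructed temporary tree.
$root = sys_get_temp_dir() . '/realpath-demo-' . getmypid();
mkdir("$root/teaching", 0700, true);
mkdir("$root/teaching-private", 0700, true);
file_put_contents("$root/teaching/notes.txt", "public notes\n");
file_put_contents("$root/teaching-private/secret.txt", "do not serve\n");
file_put_contents("$root/outside.txt", "outside the base\n");

$base = "$root/teaching";
$cases = [
    'notes.txt',                       // legitimate request
    '../outside.txt',                  // traversal one level up
    '../teaching-private/secret.txt',  // sibling dir sharing the prefix
    'does-not-exist.txt',              // realpath() returns false
];
foreach ($cases as $req) {
    $resolved = resolveInside($base, $req);
    printf("%-34s => %s\n", $req,
        $resolved === null ? 'REJECTED' : 'OK: ' . basename($resolved));
}

// Clean up the constructed tree.
unlink("$root/teaching/notes.txt");
unlink("$root/teaching-private/secret.txt");
unlink("$root/outside.txt");
rmdir("$root/teaching");
rmdir("$root/teaching-private");
rmdir($root);
```

Only the first case resolves; the other three are rejected. Prepending the base to the requested name means an absolute request is still looked up under the base, and because both sides are passed through realpath() the comparison holds even when the base itself sits behind a symlink.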

> -----Original Message-----
> From: Steve Werby [mailto:[EMAIL PROTECTED]]
> Sent: 5 July 2001 02:22
> To: Sascha Schumann
> Cc: Jon Haworth; 'Hankley, Chip'; PHP Mailingliste
> Subject: Re: [PHP] Security of PHP code
> 
> 
> "Sascha Schumann" <[EMAIL PROTECTED]> wrote:
> > On Wed, 4 Jul 2001, Steve Werby wrote:
> >
> > > "Jon Haworth" <[EMAIL PROTECTED]> wrote:
> > > > Yes, I would have thought this would do it:
> > > >
> > > > if (strstr($file, "/usr/local/apache/htdocs/")) {
> > > > show_source($file);
> > [..]
> > > Something along those lines will work.  Without some kind of limitations
> > > built in, the page will be able to load any file that's world-readable so
> > > it's a good idea to limit access to certain directories or hardcode the
> > > directory you want to give access to.
> >
> >     Imagine someone passing in
> >     /usr/local/apache/htdocs/../../../../etc/passwd as path..
> 
> Excellent point.  In addition to hardcoding the path I would do something to
> ensure that the file requested does not attempt to bypass that directory.
> I'd probably use a regex to make sure it doesn't include a "/" or if I want
> to serve files from a deeper directory I'd do a regex or use something like
> strstr() to see if ".." is within the filename.  Personally, I wouldn't make
> a script that outputted a file on the server or a script's code *and* allowed
> the user to dictate what file was accessed.
> 
> --
> Steve Werby
> President, Befriend Internet Services LLC
> http://www.befriend.com/
> 
> 
> -- 
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: 
> [EMAIL PROTECTED]
> 
> 
