From:             dewi at morganalley dot com
Operating system: Linux
PHP version:      5.0.2
PHP Bug Type:     Feature/Change Request
Bug description:  Add a "non-local" flag param to realpath

Description:
------------
Description of issues:
======================

1) From the user-comments on the online documentation page for the
realpath() function, it can be seen that there is a significant need for a
function that will clean paths, but will not require them to be local.

That is, it will not check for existence of all directory elements, and
will not expand symlinks: it will merely parse the directory as a string,
replacing all '//' and '/./' with single '/', dealing with '/../'
elements, stripping any trailing '/', then replacing empty ('') paths with
a single dot ('.').

While on the face of it, this seems fairly trivial to write as a user
function, the user-comments on the online documentation give the lie to
this: to get such a function compatible both with Windows and Linux,
portably, is non-trivial.

2) Under Windows, realpath() already fulfils this purpose, as it does not
check for existence (I have not checked, but the user comments in the
online documentation say that this is the case). I assume this is because
it does not need to check for symlinks.

3) This parsing-as-a-string should be the first step for realpath()
anyway, as currently it will return false on the string
"/nonexistent-path/..", even though, as a string this evaluates to '/',
and so does exist.


Expected result:
----------------
Suggested solution:
===================

Add an optional second parameter to realpath(), made from the flags
FOLLOW_SYMLINKS and PATH_MUST_EXIST. This will then allow non-local and
virtual paths to be cleaned.

For security, a further, third parameter could be added, defaulting to '',
that specifies a directory above which the path may not go, with '..'. So
realpath("/var/www/foo/../../../etc/", true, "/var/www/") would evaluate
to "/var/www/etc/". This would give users who are not using safe mode a
very easy way to validate that directories are at least somewhat secure.


-- 
Edit bug report at http://bugs.php.net/?id=30918&edit=1
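
The string-only cleaning and the base-directory limit requested above, as an added sketch that is not part of the original report and not PHP's own code. The name clean_path_lexical() is hypothetical, only POSIX-style '/' separators are handled, and two behaviours the report leaves open are assumptions marked in the comments.

```php
<?php
// Added illustration; clean_path_lexical() is a hypothetical name, not a PHP built-in.
// Assumes POSIX-style '/' separators; Windows drive letters and '\' are not handled.
// No filesystem access: nothing is checked for existence, no symlink is expanded.
function clean_path_lexical(string $path, string $base = '')
{
    // Splitting on '/' and dropping empty segments collapses '//' and a trailing '/'.
    $split = function (string $p): array {
        return array_values(array_filter(explode('/', $p), 'strlen'));
    };
    $absolute = ($path !== '' && $path[0] === '/');
    $floor = ($base !== '') ? $split($base) : [];
    // Assumption: with a base given, a relative path is resolved against that base.
    $stack = ($base !== '' && !$absolute) ? $floor : [];
    if ($base !== '') {
        $absolute = true;
    }
    foreach ($split($path) as $seg) {
        if ($seg === '.') {
            continue;                    // '/./' collapses to '/'
        }
        if ($seg !== '..') {
            $stack[] = $seg;
        } elseif ($base !== '' && $stack === $floor) {
            continue;                    // at the base: '..' may not climb higher
        } elseif ($stack !== [] && end($stack) !== '..') {
            array_pop($stack);           // ordinary '..' removes one segment
        } elseif (!$absolute) {
            $stack[] = '..';             // relative path: keep the unresolved '..'
        }                                // absolute path at '/': '..' is dropped
    }
    // Assumption: a path that never enters the base is rejected, not returned.
    if ($base !== '' && array_slice($stack, 0, count($floor)) !== $floor) {
        return false;
    }
    $clean = ($absolute ? '/' : '') . implode('/', $stack);
    return $clean === '' ? '.' : $clean; // empty result becomes '.'
}

// Inputs taken from the report, plus one constructed path outside the base.
var_dump(clean_path_lexical('/nonexistent-path/..'));
var_dump(clean_path_lexical('/var/www/foo/../../../etc/', '/var/www/'));
var_dump(clean_path_lexical('/etc/passwd', '/var/www/'));
```

Because the sketch applies the report's "strip any trailing '/'" rule, the report's own example comes back as "/var/www/etc" without the final slash. The limit is purely lexical: a symlink inside the base can still point outside it, so a path that will actually be opened needs a check on the resolved path as well.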