 ID:               37430
 User updated by:  tim dot site at gmail dot com
 Reported By:      tim dot site at gmail dot com
 Status:           Bogus
 Bug Type:         *Directory/Filesystem functions
 Operating System: windows 2000
 PHP Version:      5.1.4
 New Comment:

Thanks for your fast reaction. Mmm, it was not a bug. I'll ask it in the
support section :)

Tim


Previous Comments:
------------------------------------------------------------------------

[2006-05-13 16:53:59] [EMAIL PROTECTED]

Sorry, but your problem does not imply a bug in PHP itself. For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions. Due to the volume
of reports we can not explain in detail here why your report is not
a bug. The support channels will be able to provide an explanation
for you.

Thank you for your interest in PHP.

Tip of the day: openbasedir.

------------------------------------------------------------------------

[2006-05-13 16:44:34] tim dot site at gmail dot com

Description:
------------
opendir() lets users browse all files on the server, even the ones on
other hard disks and files in the htdocs list. Is this a bug? This is
very bad for the server security.

Reproduce code:
---------------
<?php
// Builds an HTML <select> listing the regular files found in $dir.
function select_files($dir, $label = "", $select_name, $curr_val = "", $char_length = 30) {
    $teller = 0;       // number of files listed
    $files = array();  // initialised so sort() never sees an undefined variable
    if ($handle = opendir($dir)) {
        $mydir = ($label != "") ? "<label for=\"".$select_name."\">".$label."</label>\n" : "";
        $mydir .= "<select name=\"".$select_name."\">\n";
        $curr_val = (isset($_REQUEST[$select_name])) ? $_REQUEST[$select_name] : $curr_val;
        $mydir .= ($curr_val == "") ? "  <option value=\"\" selected>...\n" : "<option value=\"\">...\n";
        while (false !== ($file = readdir($handle))) {
            $files[] = $file;
        }
        closedir($handle);
        sort($files);
        foreach ($files as $val) {
            if (is_file($dir.$val)) { // show only real files (ver. 1.01)
                $mydir .= "  <option value=\"".$val."\"";
                $mydir .= ($val == $curr_val) ? " selected>" : ">";
                $mydir .= (strlen($val) > $char_length) ? substr($val, 0, $char_length)."...\n" : $val."\n";
                $teller++;
            }
        }
        $mydir .= "</select>";
    }
    if ($teller == 0) {
        // the original assigned this message but never returned it
        return "No files!";
    }
    return $mydir;
}

echo select_files("C:/winnt/", "", "", "", "60");
?>

Expected result:
----------------
I expect an error because I entered a folder that should not be
visible for other users.

Actual result:
--------------
I see the files of the C:/winnt dir, but other files on other hard disks
are also possible to see. Even the files in the htdocs directory are
visible, so I can see the files of other users.


------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=37430&edit=1
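
Added example (not part of the bug report and not PHP project code): opendir() will read any directory the web server account can read, and the open_basedir directive named in the reply's tip is the PHP setting that confines it. The code below, assuming PHP 7.1 or later, a hypothetical helper list_files_within() and constructed paths, adds the matching application-level check: it refuses any directory that resolves outside a chosen base.

```php
<?php
// Server-wide containment is configuration, e.g. in php.ini (constructed path):
//   open_basedir = "C:/htdocs/site1/"
// With that set, opendir("C:/winnt/") returns false and raises a warning.

/**
 * Hypothetical helper: list regular files in $requested only when it
 * resolves inside $base. Returns sorted file names, or null when refused.
 */
function list_files_within(string $base, string $requested): ?array
{
    $baseReal = realpath($base);
    $dirReal  = realpath($requested);   // collapses "..", follows symlinks
    if ($baseReal === false || $dirReal === false || !is_dir($dirReal)) {
        return null;
    }
    // Compare with a trailing separator so "/srv/app2" cannot pass as "/srv/app".
    $sep    = DIRECTORY_SEPARATOR;
    $prefix = rtrim($baseReal, $sep) . $sep;
    if (strncmp($dirReal . $sep, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    $files = [];
    foreach (scandir($dirReal) as $name) {
        if (is_file($dirReal . $sep . $name)) {
            $files[] = $name;
        }
    }
    sort($files);
    return $files;
}

// Constructed demo tree standing in for one user's web root.
$base    = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'demo_' . uniqid();
$uploads = $base . DIRECTORY_SEPARATOR . 'uploads';
mkdir($uploads, 0700, true);
touch($uploads . DIRECTORY_SEPARATOR . 'a.txt');

var_dump(list_files_within($base, $uploads));            // directory inside the base
var_dump(list_files_within($base, $uploads . '/../..')); // climbs out through ".."
var_dump(list_files_within($base, dirname($base)));      // parent of the base

// Remove the demo tree again.
unlink($uploads . DIRECTORY_SEPARATOR . 'a.txt');
rmdir($uploads);
rmdir($base);
```

The string comparison is case-sensitive, so on Windows both paths should come from realpath(), as they do here, before they are compared.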