Instruct ICC wrote:
No, you've missed the point. $expecteddir is a fixed variable that you, the script author, specify. It does not contain anything coming from external variables. You then compare the full path you build from the external variables to $expecteddir to verify that the file is in the right directory.

I suggest you read the code I posted again.

-Stut

I meant if $page evaluates to 
"/home/stut/phpstuff/inc/../../../../../../../../../../../../home/evil-user-home-dir/evil-payload.php"
which it does not.

However I don't think your if (substr($page, 0, strlen($expecteddir)) != $expecteddir) ever evaluates to TRUE.  So you'll never get Access denied.

So how you set $page saved your ass.  Good job.

You clearly don't know what the realpath function does. Look it up.

-Stut

No I didn't.  And I looked it up for the previous reply.  And I said that's the 
only thing saving your ass.

Your IF never evaluates to true.

But it works to keep out the hacker.  So I said "Good job".

My server is down right now so I can't do my usual example script.

The realpath function will reduce your definition of $page to "/home/evil-user-home-dir/evil-payload.php"

$expecteddir is set to "/home/stut/phpstuff/inc"

The if takes the first strlen($expecteddir) characters of the reduced $page and compares it to $expecteddir.

If they don't match then it means the requested file is outside your "safe" directory, hence access denied. If they do match then it's safe to include the file.

-Stut

--
http://stut.net/

--
PHP General Mailing List (http://www.php.net/)
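
The realpath-then-prefix check discussed in this thread, written out as an added PHP example (not code posted by anyone in the thread). It goes slightly beyond the check as described: it handles realpath() returning false and compares against the base directory plus a trailing separator. The function name resolve_inside and the temporary sandbox paths are assumptions made for the illustration.

```php
<?php
// Added example, not code from the thread; all paths below are constructed.

// Return the canonical path of $name if it resolves inside $baseDir, else null.
function resolve_inside(string $baseDir, string $name): ?string
{
    $base = realpath($baseDir);
    $full = realpath($baseDir . '/' . $name);
    // realpath() returns false for a path that does not exist.
    if ($base === false || $full === false) {
        return null;
    }
    // Match on the base plus a trailing separator, so a sibling directory
    // such as ".../inc-other" is not accepted as a prefix match for ".../inc".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (substr($full, 0, strlen($prefix)) !== $prefix) {
        return null;
    }
    return $full;
}

// Constructed sandbox: inc/page.php, inc-other/x.php and outside.php.
$root = sys_get_temp_dir() . '/realpath_demo_' . getmypid();
$files = ['inc/page.php', 'inc-other/x.php', 'outside.php'];
foreach ($files as $f) {
    @mkdir(dirname("$root/$f"), 0700, true);
    file_put_contents("$root/$f", '');
}

$requests = [
    'page.php',            // inside inc: allowed
    '../outside.php',      // collapses to a path above inc: denied
    '../inc-other/x.php',  // shares the "inc" prefix: denied by the separator
    'missing.php',         // does not exist: realpath() is false, denied
];
foreach ($requests as $name) {
    $path = resolve_inside("$root/inc", $name);
    printf("%-20s %s\n", $name, $path === null ? 'Access denied' : "OK $path");
}

// Remove the sandbox.
foreach ($files as $f) {
    unlink("$root/$f");
}
foreach (['inc', 'inc-other', ''] as $d) {
    rmdir(rtrim("$root/$d", '/'));
}
```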