> <?
> $allowed_path  = "/www/sites/mysite/teaching";
>
> if (substr($file, 0, strlen($allowed_path)) <> $allowed_path )
> {
> die("not allowed!");
> }
> else
> {
> show_source($file);
> }
> ?>

I've missed part of the discussion, but if my understanding of the issue
is correct (accepting a filename and path from a visitor to the site to
display through a PHP script), then this solution is probably
inadequate...

If the user passes in a string like
/www/sites/mysite/teaching/../../../../etc/passwd, the first part of the
string will pass your validity test, but the user may still be able to
ascend to a place where files you don't wish to share are stored.

A better solution may be to pass the filename through some filter and then
concatenate that to your path. For example:

// $path is the trusted directory (with a trailing slash); $file is the bare name from the user
if (preg_match("/[^A-Za-z0-9]/", $file)) {
        die("Invalid filename.");
}
else {
        show_source($path . $file);
}

That's an awfully strict way to do it, but that's my personal preference.
If you must accept information that contains a path, perhaps just check
for '..' in the user input.

Anyways, like I say I could be way off base as far as what the discussion
is actually about, and I haven't had near enough coffee this morning, so
forgive me if I'm just talking nonsense =)


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
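The two checks discussed in the reply, run side by side as an added example (not code from the thread). It creates a throwaway directory under the system temp dir so the checks operate on a real file; the directory and file names are constructed for the demo.

```php
<?php
// Added example, not code from the original thread. A throwaway directory
// under the system temp dir stands in for "/www/sites/mysite/teaching".
$allowed_path = sys_get_temp_dir() . '/teaching_' . getmypid();
mkdir($allowed_path);
file_put_contents($allowed_path . '/lecture01', "<?php echo 'hello'; ?>\n");

// The quoted prefix test: compares only the first strlen($allowed) bytes,
// so anything that merely starts with the directory name gets through.
function prefix_check_allows(string $allowed, string $file): bool
{
    return substr($file, 0, strlen($allowed)) === $allowed;
}

// The reply's approach: accept only a bare name made of letters and digits,
// then join it onto the trusted directory. Returns null when refused.
// As defence in depth the result is resolved with realpath() and must still
// sit inside $allowed; realpath() returns false for a missing file, which
// is treated as a refusal too.
function safe_source_path(string $allowed, string $file): ?string
{
    if (preg_match('/[^A-Za-z0-9]/', $file)) {
        return null;
    }
    $real = realpath($allowed . '/' . $file);
    $base = realpath($allowed);
    if ($real === false || $base === false) {
        return null;
    }
    $inside = strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0;
    return $inside ? $real : null;
}

// Constructed inputs: a legitimate name and the traversal string from the reply.
$inputs = ['lecture01', '../../../../etc/passwd'];
foreach ($inputs as $file) {
    // The quoted script received the whole path from the visitor, so the
    // prefix check is fed the directory plus the user-supplied tail.
    $prefix_ok = prefix_check_allows($allowed_path, $allowed_path . '/' . $file);
    $safe      = safe_source_path($allowed_path, $file);
    printf("%-25s prefix check: %-5s safe path: %s\n",
        $file, $prefix_ok ? 'pass' : 'fail', $safe ?? 'refused');
}

unlink($allowed_path . '/lecture01');
rmdir($allowed_path);
```

The prefix check passes the traversal string, while the whitelist plus realpath confinement refuses it and only hands back the resolved path for the plain name.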