"Sascha Schumann" <[EMAIL PROTECTED]> wrote:
> On Wed, 4 Jul 2001, Steve Werby wrote:
> > "Jon Haworth" <[EMAIL PROTECTED]> wrote:
> > > Yes, I would have thought this would do it:
> > >
> > > if (strstr($file, "/usr/local/apache/htdocs/") {
> > > show_source($file);
> [..]
> > Something along those lines will work.  Without some kind of limitations
> > built in, the page will be able to load any file that's world-readable
> > it's a good idea to limit access to certain directories or hardcode the
> > directory you want to give access to.
>     Imagine someone passing in
>     /usr/local/apache/htdocs/../../../../etc/passwd as path..

Excellent point.  In addition to hardcoding the path I would do something to
ensure that the file requested does not attempt to bypass that directory.
I'd probably use a regex to make sure it doesn't include a "/" or if I want
to serve files from a deeper directory I'd do a regex or use something like
strstr() to see if ".." is within the filename.  Personally, I wouldn't make
a script that outputed a file on the server or a script's code *and* allowed
the user to dictate what file was accessed.

Steve Werby
President, Befriend Internet Services LLC

PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to