"Sascha Schumann" <[EMAIL PROTECTED]> wrote:
> On Wed, 4 Jul 2001, Steve Werby wrote:
>
> > "Jon Haworth" <[EMAIL PROTECTED]> wrote:
> > > Yes, I would have thought this would do it:
> > >
> > > if (strstr($file, "/usr/local/apache/htdocs/")) {
> > > show_source($file);
> [..]
> > Something along those lines will work.  Without some kind of limitations
> > built in, the page will be able to load any file that's world-readable so
> > it's a good idea to limit access to certain directories or hardcode the
> > directory you want to give access to.
>
>     Imagine someone passing in
>     /usr/local/apache/htdocs/../../../../etc/passwd as path..

Excellent point.  In addition to hardcoding the path I would do something to
ensure that the file requested does not attempt to bypass that directory.
I'd probably use a regex to make sure it doesn't include a "/" or if I want
to serve files from a deeper directory I'd do a regex or use something like
strstr() to see if ".." is within the filename.  Personally, I wouldn't make
a script that output a file on the server or a script's code *and* allowed
the user to dictate what file was accessed.

--
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/
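The bypass Sascha describes and the hardcoded-directory fix Steve proposes, as an added PHP example that is not code from any of the posters: it builds a throwaway base directory under the system temp dir, then shows the quoted strstr() prefix test accepting a "/../" path while a realpath()-based check against the hardcoded base rejects it. The helper name safe_source_path() and the sandbox layout are assumptions.

```php
<?php
// Added example, not code from the thread. Shows why the strstr() prefix
// test quoted above is bypassed by "/../" and how canonicalising the path
// against a hardcoded base directory rejects it. safe_source_path() is a
// hypothetical helper name; the base directory is created under the system
// temp dir so the script runs anywhere.

function safe_source_path($base, $file) {
    $base_real = realpath($base);      // canonical base, symlinks resolved
    $target    = realpath($file);      // false if the file does not exist
    if ($base_real === false || $target === false) {
        return false;
    }
    // Compare against the base plus a separator so that a sibling such as
    // "/htdocs2/x" is not accepted as being inside "/htdocs".
    $prefix = rtrim($base_real, '/') . '/';
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return $target;
}

// Constructed sandbox: <tmp>/htdocs/index.php inside the base and
// <tmp>/secret.txt outside it.
$root = sys_get_temp_dir() . '/showsrc_' . getmypid();
mkdir($root . '/htdocs', 0700, true);
file_put_contents($root . '/htdocs/index.php', "<?php echo 'hi'; ?>\n");
file_put_contents($root . '/secret.txt', "not for the web\n");
$base = $root . '/htdocs';

$attempts = array(
    $base . '/index.php',        // legitimate request
    $base . '/../secret.txt',    // traversal; base string is still a substring
    $base . '/missing.php',      // file does not exist
);
foreach ($attempts as $file) {
    $naive = (strstr($file, $base . '/') !== false) ? 'allowed' : 'rejected';
    $safe  = (safe_source_path($base, $file) !== false) ? 'allowed' : 'rejected';
    printf("%-22s strstr: %-8s realpath: %s\n",
           substr($file, strlen($root)), $naive, $safe);
}
// Only a non-false return is safe to hand to show_source():
//   $path = safe_source_path($base, $_GET['file']);
//   if ($path !== false) { show_source($path); }

// Remove the sandbox.
unlink($root . '/htdocs/index.php'); unlink($root . '/secret.txt');
rmdir($root . '/htdocs'); rmdir($root);
```

The traversal and the missing file are both "allowed" by the strstr() test and "rejected" by the canonical check; because realpath() returns false for a nonexistent file, the helper also refuses to pass unresolvable paths on to show_source().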


-- 
PHP General Mailing List (http://www.php.net/)