$allowed_path = '/www/sites/mysite/teaching';
// realpath() collapses "." and ".." and resolves symlinks, so a request
// like $allowed_path/../../etc/passwd comes back as /etc/passwd. It
// returns false when the file does not exist, so test for that as well.
$file = realpath($file);
// Anchor on the directory plus a trailing "/", otherwise a sibling such as
// /www/sites/mysite/teaching2 would also pass the prefix test. (ereg() is
// gone since PHP 7; strpos($file, "$allowed_path/") === 0 does the same.)
if($file !== false && ereg("^$allowed_path/", $file)) {
// it's OK
} else {
// possible attack!
}
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: 4 July 2001 15:29
> To: [EMAIL PROTECTED]
> Subject: Re: [PHP] Security of PHP code
>
> > <?
> > $allowed_path = "/www/sites/mysite/teaching";
> >
> > if (substr($file, 0, strlen($allowed_path)) <> $allowed_path )
> > {
> > die("not allowed!");
> > }
> > else
> > {
> > show_source($file);
> > }
> > ?>
>
> I've missed part of the discussion, but if my understanding of the issue
> is correct (accepting a filename and path from a visitor to the site to
> display through a PHP script), then this solution is probably inadequate...
>
> If the user passes in a string like
> /www/sites/mysite/teaching/../../../../etc/passwd, the first part of the
> string will pass your validity test, but the user may still be able to
> ascend to a place where files you don't wish to share are stored.
>
> A better solution may be to pass the filename through some filter and then
> concatenate that to your path. For example:
>
> if(preg_match("/[^A-Za-z0-9]/", $file)) {
> die("Invalid filename.");
> }
> else {
> show_source($path . $file);
> }
>
> That's an awfully strict way to do it, but that's my personal preference.
> If you must accept information that contains a path, perhaps just check
> for '..' in the user input.
>
> Anyways, like I say I could be way off base as far as what the discussion
> is actually about, and I haven't had near enough coffee this morning, so
> forgive me if I'm just talking nonsense =)
>
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
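The two approaches from this thread side by side, as an added example rather than code from either poster: a realpath()-based containment check that also handles the sibling-directory and missing-file cases, and the stricter "bare filename only" filter. It assumes PHP 7 or later and a writable temp directory; the directory and files it creates are constructed for the demonstration.

```php
<?php
// Added example (not from the list post). Containment check built on
// realpath(), closing the gaps discussed in the thread: "../" segments,
// a sibling directory that shares the prefix (teaching vs. teaching2),
// and realpath() returning false when the file does not exist.
function isInsideDir(string $baseDir, string $requested): bool
{
    $base = realpath($baseDir);
    $real = realpath($requested);
    if ($base === false || $real === false) {
        return false;   // misconfigured base, or file does not exist
    }
    // Compare against "base/" so "/x/teaching2/f" cannot match "/x/teaching".
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $base, strlen($base)) === 0;
}

// The stricter option from the thread: accept only a bare file name and
// join it to the directory yourself, so no path component comes from the user.
function joinSafeName(string $baseDir, string $name): ?string
{
    if ($name === '.' || $name === '..' || !preg_match('/^[A-Za-z0-9_.-]+$/', $name)) {
        return null;
    }
    return $baseDir . DIRECTORY_SEPARATOR . $name;
}

// Constructed sandbox standing in for /www/sites/mysite/teaching.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'teaching_' . getmypid();
mkdir($root);
mkdir($root . '2');                                   // sibling: teaching_<pid>2
file_put_contents("$root/lesson1.php", "<?php echo 'lesson';\n");
file_put_contents("{$root}2/secret.txt", "not for students\n");

$cases = [
    "$root/lesson1.php"                  => true,
    "$root/../../../../etc/passwd"       => false,   // traversal
    "{$root}2/secret.txt"                => false,   // prefix collision
    "$root/missing.php"                  => false,   // realpath() === false
];
foreach ($cases as $path => $expected) {
    $verdict = isInsideDir($root, $path) === $expected ? 'PASS' : 'FAIL';
    echo "$verdict  $path\n";
}
var_dump(joinSafeName($root, 'lesson1.php'));
var_dump(joinSafeName($root, '../etc/passwd'));
// Cleanup of the constructed sandbox.
unlink("$root/lesson1.php"); unlink("{$root}2/secret.txt");
rmdir($root); rmdir($root . '2');
```

Note that isInsideDir() also rejects a symlink inside the directory that points outside it, since realpath() resolves the link target before the prefix is compared.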