> The only foolproof method for restricting access is to strip
> forward slashes.  In the above example, I can change the file to:
> /www/sites/mysite/teaching/../../../../etc/passwd
> And it will be allowed.
> If you were to do this, however:
> $allowed_path = "/www/sites/mysite/teaching";
> $file = ereg_replace("/","",$file);
> show_source($allowed_path."/".$file);
> That would block any attempt to trick the server into going into
> another directory.

You could also check for / remove any instances of "..".

M@
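A worked comparison of the two approaches discussed in this thread, added here as an example (it is not code from either poster): the slash-stripping filter from the quoted post beside a realpath()-based containment check. The teaching directory, file names and the temporary sandbox are constructed for the demo.

```php
<?php
// Added example, not from the original thread: confine a user-supplied
// file name to $allowed_path before handing it to show_source().

// 1. The filter from the quoted post: drop every "/" so the name can only
//    name something directly inside $allowed_path. ereg_replace() was
//    removed in PHP 7; str_replace() does the same job here.
function strip_slashes_filter(string $allowed_path, string $file): string
{
    return $allowed_path . '/' . str_replace('/', '', $file);
}

// 2. Containment check: realpath() collapses "..", "." and symlinks, and
//    the result must still sit beneath $allowed_path and be a plain file.
//    Returns the canonical path, or null when the request must be refused.
function confine_to_dir(string $allowed_path, string $file): ?string
{
    if (strpos($file, "\0") !== false) {          // NUL would truncate the path
        return null;
    }
    $base   = realpath($allowed_path);
    $target = realpath($allowed_path . '/' . $file);
    if ($base === false || $target === false || !is_file($target)) {
        return null;                               // missing dir/file, or a directory
    }
    // Compare against "$base/" so a sibling such as "/www/.../teaching-private"
    // does not pass as a prefix match.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Constructed sandbox so the example runs offline.
$allowed_path = sys_get_temp_dir() . '/teaching_' . getmypid();
mkdir($allowed_path . '/week1', 0700, true);
file_put_contents($allowed_path . '/intro.php', "<?php echo 'intro';\n");
file_put_contents($allowed_path . '/week1/notes.php', "<?php echo 'notes';\n");

foreach (['intro.php', 'week1/notes.php', '../../../../etc/passwd'] as $req) {
    printf("%-26s strip-slashes -> %s\n", $req, strip_slashes_filter($allowed_path, $req));
    $resolved = confine_to_dir($allowed_path, $req);
    printf("%-26s realpath check -> %s\n", '', $resolved ?? 'REFUSED');
    if ($resolved !== null) {
        show_source($resolved);                    // only ever sees a confined path
    }
}

// Clean up the sandbox.
unlink($allowed_path . '/week1/notes.php');
unlink($allowed_path . '/intro.php');
rmdir($allowed_path . '/week1');
rmdir($allowed_path);
```

The slash filter turns week1/notes.php into week1notes.php, so it cannot serve files from subdirectories, while the realpath() check allows that request and refuses the ../../../../etc/passwd one. The realpath() approach only works for files that exist, since realpath() returns false otherwise.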



-- 
PHP General Mailing List (http://www.php.net/)