With this solution, what keeps people from using something like "../../../etc/shadow" as $arg? You'd probably need to strip out slashes and ..'s to be safe...
Matt

On Thu, Jun 06, 2002 at 12:20:31PM -0700, Tim Riley wrote:
> An easy way around exposing /etc/anything is to do what Apache does with
> HTML documents: only reference documents inside a relative directory.
>
> e.g., $file2open = $APPLICATION_HOME_DIRECTORY . $arg[ 1 ]
>

--
*************************************************
* Matt Roper <[EMAIL PROTECTED]>                *
* http://www.mattrope.com                       *
* PGP Key: http://www.mattrope.com/mattrope.asc *
*************************************************
_______________________________________________
vox-tech mailing list
[EMAIL PROTECTED]
http://lists.lugod.org/mailman/listinfo/vox-tech
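
The check discussed in this exchange, as an added example that is not part of the original thread: instead of filtering characters out of the argument, it canonicalizes the joined path and confirms the result is still under the application directory. It is written in Python rather than the language of the quoted one-liner; `safe_path`, `demo`, and the directory and file names are hypothetical, and the sample tree is constructed in a temporary directory.

```python
import os
import tempfile

def safe_path(base, arg):
    """Return the canonical path for arg if it stays under base, else None."""
    if "\0" in arg:
        return None  # reject embedded NULs before any filesystem call
    base_real = os.path.realpath(base)
    # Mirror "$APPLICATION_HOME_DIRECTORY . $arg": arg is always taken
    # relative to base, so a leading "/" cannot replace the base.
    joined = os.path.join(base_real, arg.lstrip("/"))
    # realpath collapses ".." and follows symlinks, so the comparison is
    # made on the file that would really be opened.
    candidate = os.path.realpath(joined)
    # commonpath compares whole components; a plain string-prefix test
    # would accept ".../app-private" as being inside ".../app".
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate

def demo():
    """Build a constructed directory tree and classify sample arguments."""
    root = os.path.realpath(tempfile.mkdtemp())
    base = os.path.join(root, "app")
    sibling = os.path.join(root, "app-private")
    os.makedirs(os.path.join(base, "docs"))
    os.makedirs(sibling)
    for path in (os.path.join(base, "docs", "readme.txt"),
                 os.path.join(sibling, "secret.txt")):
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
    os.symlink(sibling, os.path.join(base, "link"))  # symlink leaving base

    samples = [
        "docs/readme.txt",            # ordinary request
        "docs/../docs/readme.txt",    # ".." that stays inside base
        "../../../etc/shadow",        # the argument from the thread
        "../app-private/secret.txt",  # sibling sharing base's name prefix
        "link/secret.txt",            # no ".." at all, escapes via symlink
        "docs/readme.txt\0.html",     # embedded NUL byte
    ]
    return {arg: safe_path(base, arg) is not None for arg in samples}

if __name__ == "__main__":
    for arg, allowed in demo().items():
        print(f"{arg!r:32} {'allowed' if allowed else 'rejected'}")
```

The check and the later open are separate steps, so the application directory should not be writable by untrusted users who could swap in a symlink between them.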
