[thelist] securing script
Joshua Olson
joshua at alphashop.net
Tue Mar 27 12:32:45 CST 2001
Is this Unix or a Windows system? In the old DOS days you could make a
virtual drive mapping to a subfolder on a drive. In this manner, drive G:
might actually be C:\myfolder\lyrics
You may be able to do some drive mappings like that to make sure that the
browser stays in the area you want.
Make sense?
-joshua
----- Original Message -----
From: "Joxn" <joxn at vernum.com>
Subject: [thelist] securing script
> Hi everybody,
> I've written a PHP script with which I can browse through my server's
> directory structure (e.g. a lyrics archive).
>
> I've defined an absolute root path $pRoot =
> "/home/foo/bar/website/music";
> And when I call my script - lyrics.php - it only uses relative
> sub-paths,
> like lyrics.php?path=bad_relgion/against_the_grain/
>
> Of course, this is a security risk as one could call the script like
> this:
> lyrics.php?path=../../../../../ and browse through directories I really
> don't want to publish on the Net.
>
> The first thing I did to make this thingy a bit safer, was to parse the
> $path for "..", like this:
>
> if( eregi("..", $path) ) {
> exit;
> }
>
> Now, I wonder what else I have to do. Any suggestions?
>
> Is there a way of comparing the given path with my defined root path and
> check whether this is a directory below it or not? But how would I do so
> with relative paths?
>
> TIA,
> Joxn
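One way to do the root-path comparison Joxn asks about, as an added example that is not code from the thread: resolve the requested sub-path against the fixed root with realpath() and accept it only if the result still starts with the root. The function name, the 403 response and the scandir() call are assumptions.

```php
<?php
// Added example (not from the original post). Assumes the same $pRoot as in
// the question; resolve_under_root() is a hypothetical helper name.

function resolve_under_root(string $root, string $userPath): ?string
{
    // realpath() collapses "." and ".." segments and follows symlinks, so the
    // result is the directory that would actually be read. It returns false
    // for a non-existent path, which is treated as a rejection here.
    $rootReal = realpath($root);
    if ($rootReal === false) {
        return null;
    }
    // Reject embedded NUL bytes before they reach the filesystem layer.
    if (strpos($userPath, "\0") !== false) {
        return null;
    }
    $candidate = realpath($rootReal . '/' . $userPath);
    if ($candidate === false) {
        return null;
    }
    // Compare against the root with a trailing separator so that a sibling
    // such as "/home/foo/bar/website/music2" is not accepted as "below" it.
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($candidate !== $rootReal
        && strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

$pRoot = "/home/foo/bar/website/music";
$path  = $_GET['path'] ?? '';

$dir = resolve_under_root($pRoot, $path);
if ($dir === null) {
    http_response_code(403); // assumed error handling
    exit;
}
// $dir is an absolute path at or below $pRoot, so it is safe to list.
foreach (scandir($dir) as $entry) {
    if ($entry !== '.' && $entry !== '..') {
        echo htmlspecialchars($entry), "<br>\n";
    }
}
```

Because the check compares the resolved absolute path rather than searching the input string, it also handles encodings and separator variants that a substring test would miss; note too that in a regular expression an unescaped `.` matches any character, so `eregi("..", $path)` matches every path of two or more characters rather than the literal `..`.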