[thelist] securing script

Joshua OIson joshua at alphashop.net
Tue Mar 27 12:32:45 CST 2001


Is this a Unix or a Windows system?  In the old DOS days you could make a
virtual drive mapping to a subfolder on a drive.  In this manner, drive G:
might actually be C:\myfolder\lyrics

You may be able to do some drive mappings like that to make sure that the
browser stays in the area you want.

Make sense?

-joshua

----- Original Message -----
From: "Joxn" <joxn at vernum.com>
Subject: [thelist] securing script


> Hi everybody,
> I've written a PHP script with which I can browse through my server's
> directory structure (e.g. a lyrics archive).
>
> I've defined an absolute root path $pRoot =
> "/home/foo/bar/website/music";
> And when I call my script - lyrics.php - it only uses relative
> sub-paths,
> like lyrics.php?path=bad_relgion/against_the_grain/
>
> Of course, this is a security risk as one could call the script like
> this:
> lyrics.php?path=../../../../../ and browse through directories I really
> don't want to publish on the Net.
>
> The first thing I did to make this thingy a bit safer, was to parse the
> $path for "..", like this:
>
> if( eregi("\.\.", $path) ) {   // dots escaped: an unescaped ".." matches any two characters
>     exit;
> }
>
> Now, I wonder what else I have to do. Any suggestions?
>
> Is there a way of comparing the given path with my defined root path and
> check whether this is a directory below it or not? But how would I do so
> with relative paths?
>
> TIA,
> Joxn
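The check Joxn asks about (is the requested path a directory below $pRoot?) can be done by canonicalizing the combined path and comparing it against the canonicalized root. The PHP below is an added example written for this archive page, not code from either poster; $pRoot is the root named in the post, and the function name safe_path() is this example's own choice. It relies on realpath(), which resolves "..", ".", symlinks and doubled slashes, and returns false for paths that do not exist, so a bare substring search for ".." is no longer the only line of defence.

```php
<?php
// Added example (not from the original thread): confine a user-supplied
// relative path to a fixed root directory before listing it.

$pRoot = "/home/foo/bar/website/music";   // root path from the post

/**
 * Resolve $relative against $root and return the canonical absolute path,
 * or false if it escapes the root or does not exist.
 * (safe_path is a name chosen for this example.)
 */
function safe_path($root, $relative)
{
    // Canonicalize the root itself so symlinks and trailing slashes
    // do not break the prefix comparison below.
    $rootReal = realpath($root);
    if ($rootReal === false) {
        return false;
    }

    // Reject NUL bytes outright: the C-level filesystem calls stop at
    // the first NUL, so PHP and the OS could see two different paths.
    if (strpos($relative, "\0") !== false) {
        return false;
    }

    // realpath() collapses "..", ".", symlinks and duplicate slashes.
    // It returns false when the target does not exist; treat that as a miss.
    $target = realpath($rootReal . '/' . $relative);
    if ($target === false) {
        return false;
    }

    // Accept only the root itself or something strictly below it.
    // The trailing separator stops "/music2" from matching "/music".
    if ($target !== $rootReal
        && strpos($target, $rootReal . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }

    return $target;
}

// Usage, as lyrics.php?path=... might call it.
$path = isset($_GET['path']) ? $_GET['path'] : '';
$dir  = safe_path($pRoot, $path);

if ($dir === false || !is_dir($dir)) {
    // ../../../../../ resolves to "/" which fails the prefix check above.
    header('HTTP/1.0 403 Forbidden');
    exit;
}

foreach (scandir($dir) as $entry) {
    if ($entry === '.' || $entry === '..') {
        continue;
    }
    echo htmlspecialchars($entry), "<br>\n";
}
```

Because the comparison is made on the resolved absolute path rather than on the raw query string, it also covers cases a ".." search misses, such as an absolute path passed as `path=/etc` or a symlink inside the archive that points outside it. The caveat is that realpath() needs the target to exist, so any file-creation feature would have to canonicalize the parent directory instead.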
