[thelist] securing script
Joxn
joxn at vernum.com
Tue Mar 27 12:23:35 CST 2001
Hi everybody,

I've written a PHP script with which I can browse through my server's
directory structure (e.g. a lyrics archive).

I've defined an absolute root path $pRoot = "/home/foo/bar/website/music";
And when I call my script - lyrics.php - it only uses relative sub-paths,
like lyrics.php?path=bad_relgion/against_the_grain/
Of course, this is a security risk as one could call the script like
this: lyrics.php?path=../../../../../ and browse through directories I
really don't want to publish on the Net.

The first thing I did to make this thingy a bit safer was to parse the
$path for "..", like this:
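    // eregi("..") is a regex matching any two characters; test for the literal ".." instead
    if( strpos($path, "..") !== false ) {
        exit;
    }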
Now, I wonder what else I have to do. Any suggestions?
Is there a way of comparing the given path with my defined root path and
checking whether this is a directory below it or not? But how would I do so
with relative paths?
TIA,
Joxn
--
|| //\\ \\// |\\|| :: joxn at vernum.com ::
\\|| \\// //\\ ||\\| :: 8053703 ::
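
One way to do the root comparison asked about above, as an added example that is not part of the original post: canonicalise the requested path with realpath() and accept it only if the result is the root or lies below it. The function name resolve_under_root, the temp-directory demo tree and the request list are assumptions constructed for illustration.

```php
<?php
// Added example: confine a user-supplied relative path to a fixed root.

// Returns the canonical directory for $relPath below $root, or false when the
// request does not exist, is not a directory, or resolves outside $root.
function resolve_under_root($root, $relPath)
{
    // A NUL byte has no place in a path; refuse it before touching the filesystem.
    if (!is_string($relPath) || strpos($relPath, "\0") !== false) {
        return false;
    }
    $rootReal = realpath($root);
    if ($rootReal === false) {
        return false;
    }
    // realpath() collapses "." and "..", follows symlinks, and returns false
    // for paths that do not exist, so the result is the real location.
    $target = realpath($rootReal . DIRECTORY_SEPARATOR . $relPath);
    if ($target === false || !is_dir($target)) {
        return false;
    }
    // Compare against the root plus a trailing separator so that a sibling
    // such as ".../music-private" does not pass as "below .../music".
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($target !== $rootReal && strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return $target;
}

// Constructed demo tree in the temp directory (stands in for the poster's $pRoot).
$base  = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lyrics_demo_' . getmypid();
$pRoot = $base . '/music';
mkdir($pRoot . '/bad_relgion/against_the_grain', 0700, true);
mkdir($base . '/music-private', 0700, true);

// Constructed requests: the two from the post plus edge cases.
$requests = array(
    'bad_relgion/against_the_grain/',   // normal browse
    '',                                 // the root itself
    '../../../../../',                  // climbs above the root
    '../music-private',                 // sibling sharing the root's name prefix
    'no_such_band/',                    // does not exist
);
foreach ($requests as $path) {
    $dir = resolve_under_root($pRoot, $path);
    printf("%-36s %s\n", var_export($path, true), $dir === false ? 'REJECTED' : 'ok');
}
```

Because the check runs on the resolved location, a symlink inside the root that points elsewhere is rejected as well, which a string test for ".." cannot catch.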