
file and directory functions

Status
Not open for further replies.

dsdjnpfvf

IS-IT--Management
Aug 21, 2003
38
GB
Hi,

I'm new to PHP although I have quite advanced programming experience, so I'm learning quickly.

I've decided to try and write a sort of enhanced Directory Listing "index of" script, but I'm having a couple of problems.

I can get it working, but it's got a few bugs, and is very insecure.

For example, someone could easily type in the following line to view the content of my /etc folder into a browser:


Also, there's another couple of problems. If someone was to type in:


it would display the documents folder (as PHP accepts this as a valid path), but the title of my page ("index of ...."), and all the links would also contain all the extra slashes.

My last problem is that when people follow the ".." folder to move to the parent directory, my path ends up being in this form:

/child_dir/../ and not /parent_dir/

which looks a little strange.

If anyone knows of any example code I could look at that would be great. I'm sure this has been done quite a lot before.

Many thanks,

Daniel Briley
 
I'd suggest in the name of security to use POST instead of GET for passing the directory name, also see glob() and readdir()

______________________________________________________________________
There's no present like the time, they say. - Henry's Cat.
 
glob and readdir are great, and should solve most of your problems.

As far as the security of seeing anything on your filesystem, either be very restrictive on the user permissions, or specifically check if they are attempting to access a directory outside your specified directory.

For example, having PHP go to the directory and then see if the resultant directory is outside the allowed area. For example, you can declare your share as /myshare/share, then compare the beginning of any resultant directory to make certain it has /myshare/share at the beginning.

Hope this helps.
 
Thanks for the useful tips, I'll take a look at everything you suggested.

blackp: I thought about that, only problem is someone could use the following path:

/myshare/share/some_dir/../../../../etc/

which still has /myshare/share at the front, but accesses an insecure directory. I'll try and use the idea of changing to the specified directory and checking it.

Thanks again guys,

Daniel Briley
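
The resolve-then-compare check discussed in the replies above, as an added example that is not code from any poster in this thread: the requested path is canonicalised with `realpath()` before the prefix test, so `..` segments and repeated slashes are gone by the time it is compared, and the same canonical path is used for the page title and links. The function name `resolve_listing_dir()` and the demo directory tree are hypothetical.

```php
<?php
// Added example; resolve_listing_dir() and the demo paths are hypothetical.
function resolve_listing_dir(string $base, string $requested): ?array
{
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;
    }
    // realpath() collapses "..", "." and repeated slashes and follows
    // symlinks; it returns false when the target does not exist.
    $target = realpath($baseReal . DIRECTORY_SEPARATOR . $requested);
    if ($target === false || !is_dir($target)) {
        return null;
    }
    // Compare against the base plus a trailing separator, so a sibling
    // such as /myshare/share_private does not pass as /myshare/share.
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($target !== $baseReal && strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // Canonical path relative to the share, for the title and the links.
    $rel = (string) substr($target, strlen($baseReal));
    $display = '/' . ltrim(str_replace(DIRECTORY_SEPARATOR, '/', $rel), '/');
    return [$target, $display];
}

// Constructed demo tree under the system temp directory.
$root = sys_get_temp_dir() . '/listing_demo_' . uniqid();
mkdir("$root/share/some_dir/child_dir", 0700, true);
mkdir("$root/share_private", 0700, true);

$requests = [
    'some_dir',                    // ordinary request
    'some_dir////child_dir//',     // extra slashes
    'some_dir/child_dir/..',       // ".." that stays inside the share
    'some_dir/../../../../etc/',   // ".." that climbs out of the share
    '../share_private',            // sibling sharing the base's name prefix
];
foreach ($requests as $req) {
    $r = resolve_listing_dir("$root/share", $req);
    printf("%-28s => %s\n", $req, $r === null ? 'rejected' : "index of {$r[1]}");
}
```

Because `realpath()` follows symlinks, a link inside the share that points outside it resolves to its real location and is rejected by the same prefix test.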
 