Delbono pressed the little lettered thingies in this order...

> 
> maybe one could be
> 
> <?
> $allowed_path  = "/www/sites/mysite/teaching";
> 
> // only checks that the requested string begins with $allowed_path
> if (substr($file, 0, strlen($allowed_path)) <> $allowed_path )
> {
> die("not allowed!");
> }
> else
> {
> show_source($file);
> }
> ?>
> 

The only foolproof method for restricting access is to strip forward 
slashes.  In the above example, I can change the file to:
/www/sites/mysite/teaching/../../../../etc/passwd
And it will be allowed.
If you were to do this, however:
$allowed_path = "/www/sites/mysite/teaching";
$file = ereg_replace("/","",$file);
show_source($allowed_path."/".$file);
That would block any attempt to trick the server into going into another 
directory.

You would have to create separate show_source() calls or separate 
scripts for each directory that you wish to allow, but nobody will ever get 
your /etc/passwd file.

Christopher Ostmo
a.k.a. [EMAIL PROTECTED]
AppIdeas.com
Meeting cutting edge dynamic
web site needs

For a good time,
http://www.AppIdeas.com/

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
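An added example, not code from either poster, contrasting the quoted string-prefix check with one that canonicalises the path first. The directory and files it creates under the system temp dir are constructed stand-ins for the thread's /www/sites/mysite/teaching and /etc/passwd:

```php
<?php
// The quoted check: a plain string-prefix comparison on the raw input.
function prefix_check_allows(string $allowed_path, string $file): bool
{
    return substr($file, 0, strlen($allowed_path)) === $allowed_path;
}

// Canonicalised check: resolve both paths with realpath(), then compare
// against the base *with a trailing separator*, so "teaching/../x" and a
// sibling directory such as "teaching2/" are both refused.
function canonical_check_allows(string $allowed_path, string $file): bool
{
    $base = realpath($allowed_path);
    $real = realpath($file);
    if ($base === false || $real === false) {
        return false;   // base or target does not exist: refuse
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $base, strlen($base)) === 0;
}

// Constructed fixtures standing in for the thread's directories.
$base = sys_get_temp_dir() . "/teaching_demo";
@mkdir($base);
file_put_contents("$base/notes.txt", "lecture notes");
file_put_contents(sys_get_temp_dir() . "/secret.txt", "stand-in for /etc/passwd");

$requests = [
    "$base/notes.txt",          // legitimate: both checks allow
    "$base/../secret.txt",      // traversal: prefix allows, canonical denies
    "$base" . "2/notes.txt",    // shared prefix, no such dir: prefix allows
];
foreach ($requests as $file) {
    printf("%-55s prefix=%-5s canonical=%s\n", $file,
        prefix_check_allows($base, $file) ? "allow" : "deny",
        canonical_check_allows($base, $file) ? "allow" : "deny");
}
```

The trailing separator on the canonicalised base is what stops a sibling directory that merely shares the prefix from passing.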
