On Thursday 01 November 2001 10:39, Galkov Vladimir wrote:
>  Need to remove all "../"   "/.."  from a user input string to prevent
> him walking and creating files&directories where I don't want to see
> them/him...
>
> The string:
>
>  $path =
> eregi_replace('([..]{2,})|([./]{2})|([../]{3,})|([/.]{2})|([/..]{3})',
> '', $path);
>
> works well with any combinations ( ../../..qwert.txt  =>  qwert.txt)
> until something like "/../asd/../qwert.txt" is entered ...
> (/../asd/../qwert.txt => asdqwert.txt).
>  So the question is how to upgrade the regular expression to remove all this
> correctly (with all entered directory names but NOT assigning their
> names to the file name...

Here's what I use (take out the parts useful to you):

function FixSrcURI ($SrcURI)
{
        // remove script name
        $SrcURI = preg_replace ('#^/*{{$ Page.Source }}/*#', '', $SrcURI);

        // remove potentially harmful parts: ".." with its surrounding
        // slashes, "/./", a trailing "/.", runs of "/", and finally the
        // leading "/" so the result is always relative
        $SrcURI = preg_replace ('#/?\.\./?#', '/', $SrcURI);
        $SrcURI = preg_replace ('#/\./#', '/', $SrcURI);
        $SrcURI = preg_replace ('#/\.$#', '/', $SrcURI);
        $SrcURI = preg_replace ('#/{2,}#', '/', $SrcURI);
        $SrcURI = preg_replace ('#^/#', '', $SrcURI);

        // refuse dot-files (any segment starting with ".") and CVS dirs
        if (preg_match ('#(\A|/)\.#', $SrcURI) ||
            preg_match ('#CVS#', $SrcURI))
        {
                pbHTTP_404 ();
        }

        if ($SrcURI == '') {
                return array ($SrcURI, -1, 'src');
        }
        else {
                $matches = array ();

                // bare file name without a directory part
                if (preg_match ('#^[^/]+$#', $SrcURI))
                {
                        return array ($SrcURI, '', $SrcURI);
                }
                // split into directory part and file name
                elseif (preg_match ('#^(.*)/([^/]*)$#', $SrcURI, $matches))
                {
                        return array ($SrcURI, $matches [1], $matches [2]);
                }
                else
                {
                        pbHTTP_404 ();
                        return false;
                }
        }
}

-- 
Christian Reiniger
LGDC Webmaster (http://lgdc.sunsite.dk/)

/* you are not expected to understand this */

- from the UNIX V6 kernel source
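An added example, not code from either poster: instead of deleting ".." with a regex (which is where the "/../asd/../qwert.txt => asdqwert.txt" result in the question comes from), split the path into segments and resolve "." and ".." explicitly, then check the final path against a base directory. Function names, the `$rejectEscape` switch and the base directory `/var/www/uploads` are assumptions for this example; it needs PHP 7.1 or later for the nullable return types.

```php
<?php
// Added example, not from the thread: normalise an untrusted path by
// segments rather than stripping ".." textually. Assumed layout: the input
// is a path relative to a fixed base directory chosen by the application.

/**
 * Lexically normalise an untrusted relative path.
 *   - "\" is treated like "/"; empty and "." segments are dropped
 *   - ".." removes the previous segment
 *   - a ".." with nothing left to remove would climb above the base:
 *     with $rejectEscape it returns null, otherwise it is dropped
 *     (the strip-it policy used in the thread)
 * Returns null for input that should not be used at all.
 */
function normalize_user_path(string $input, bool $rejectEscape = true): ?string
{
    if (strpos($input, "\0") !== false) {
        return null;                // NUL would truncate the path in C-level calls
    }
    $out = [];
    foreach (explode('/', str_replace('\\', '/', $input)) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            if ($out === []) {
                if ($rejectEscape) {
                    return null;
                }
                continue;
            }
            array_pop($out);
            continue;
        }
        $out[] = $seg;
    }
    return implode('/', $out);
}

/**
 * Join the normalised path onto the base directory. If the target already
 * exists, realpath() confirms it still lies under the base; that also
 * covers symlinks pointing outside, which a purely lexical pass cannot see.
 */
function resolve_under_base(string $base, string $input): ?string
{
    $rel = normalize_user_path($input);
    if ($rel === null || $rel === '') {
        return null;
    }
    $base = rtrim($base, '/');
    $full = $base . '/' . $rel;

    $realBase = realpath($base);
    $realFull = realpath($full);
    if ($realBase !== false && $realFull !== false
        && strncmp($realFull, $realBase . DIRECTORY_SEPARATOR, strlen($realBase) + 1) !== 0) {
        return null;                // resolves outside the base, e.g. via a symlink
    }
    return $full;
}

// Constructed sample inputs, including the two cases from the question.
$samples = ['../../..qwert.txt', '/../asd/../qwert.txt', 'docs/./a//b.txt', 'a/../b.txt'];
foreach ($samples as $p) {
    printf("%-24s strict: %-12s lenient: %s\n", $p,
        var_export(normalize_user_path($p), true),
        var_export(normalize_user_path($p, false), true));
}
var_dump(resolve_under_base('/var/www/uploads', 'docs/./a//b.txt'));
```

In lenient mode `/../asd/../qwert.txt` becomes `qwert.txt` (the result the question asks for) and `../../..qwert.txt` becomes `..qwert.txt`, which is an ordinary file name rather than a traversal; in strict mode both are rejected because the leading `..` would leave the base directory. Rejecting is the safer default: a request that tries to climb above the base is worth logging rather than silently repairing. The `realpath()` comparison only fires for paths that exist, so it complements the lexical pass instead of replacing it.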

--
PHP General Mailing List (http://www.php.net/)