列出文件夹内容:如何防止用户进入授权目录之上?
我正在编写一个脚本,以允许用户浏览给定目录,该目录不是该文件所在的目录,而是在变量中设置的。
define('FOLDER', '../_files/');
现在,rendred html 允许导航该文件夹内的子文件夹。我使用“dir”GET 变量告诉我的脚本要显示哪个子文件夹的内容,并使用“..”链接允许向上移动,使用相同的 dir 变量。
我设置了一项检查,如果 $_GET['dir'] 等于 FOLDER,则不应显示“..”链接。但很容易弄乱 url 中的变量,无论我做什么,我的脚本都允许浏览授权文件夹上方。不完全是一种安全的情况...
所以我想我应该根据请求的目录检查授权目录的完整本地路径,如果后者不在授权目录内,则不显示“..”。
但我不知道该怎么做。任何提示或指示将不胜感激。谢谢
i'm working on a script to allow users to browse a given directory, which is not the directory this file is sitting in, but set in a variable.
define('FOLDER', '../_files/');
Now, the rendred html allows to navigate subfolders inside that folder. I use a "dir" GET variable to tell my script which subfolder's content to display and a ".." link allowing to go upwards, using that same dir variable.
I've set a check that if $_GET['dir'] is equals to FOLDER, it should not display that ".." link. But it's easy enough to mess with that variable sitting in the url and wherever i do that, my script allows to browse above the authorized folder. Not exactly a safe situation...
So i'm thinking i should check the full local path of the authorized directory against the requested directory and if the latter is not inside the authorized one, not display the "..".
But i don't know how to do that. Any hints or pointer would be appreciated. Thanks
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
您可能想查看 realpath()。
...或者类似的东西。
复制自此答案,因为我认为这个问题更好。
You might want to look at realpath().
...or something like that.
Copied from this answer, since I think this question is better.
或者你可以使用正则表达式
or you could use regex