No '..' components allowed in path


Aj!
Forum Newbie
Posts: 7
Joined: Thu Nov 06, 2003 8:17 am

Post by Aj! »

Hello, I get this error message:

Warning: No '..' components allowed in path in D:\Inetpub\Hotel\kinnanc136qnke\dok2000kopia\pdf_direkta\golv&tak\pdf.php on line 9

when running this code:

```php
<?PHP
ini_set("display_errors", "1");

function myspawn($pdf, $bild, $nypdf)
{
    $command="..\\..\\exe\\pdf.exe $pdf ..\\..\\af_bilder\\$bild $nypdf"; // relative paths containing '..'
    exec($command);
    exec("exit(0)");
}
?>

<html>
<head>
<title>New Page 1</title>
<script language="JavaScript" type="text/JavaScript">
<!--
function MM_goToURL() { //v3.0
  var i, args=MM_goToURL.arguments; document.MM_returnValue = false;
  for (i=0; i<(args.length-1); i+=2) eval(args[i]+".location='"+args[i+1]+"'");
}
//-->
</script>
</head>
<body onLoad="MM_goToURL('parent','pdf.pdf');return document.MM_returnValue">
Skapar pdf..
<? myspawn($_GET['pdf'], $_GET['bild'], $_GET['nypdf']);?>
</body>
</html>
```

It executes an .exe that switches some bytes in a PDF file and then saves it to a new location..

When safe_mode = Off everything works just fine..
But it will be hosted on a webhotel that won't allow safe_mode = Off, so I have to get it to work with safe_mode = On

Does anyone know what the problem is?

Thanks!
JayBird
Admin
Posts: 4524
Joined: Wed Aug 13, 2003 7:02 am
Location: York, UK

Post by JayBird »

Instead of using relative paths, try using the full server path.

which can be found in the variable

```php
$_SERVER["DOCUMENT_ROOT"]
```
Mark
Last edited by JayBird on Thu Nov 06, 2003 8:21 am, edited 1 time in total.
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

It's protection from traversal type of attacks. Relative paths cannot contain `..` (one level up) components when safe_mode is on.
Aj!
Forum Newbie
Posts: 7
Joined: Thu Nov 06, 2003 8:17 am

Post by Aj! »

Thanks Mark, but that doesn't work.. I have tried the full path and several variables.. :/

Weirdan, is there something else that means the same as '..' that I can use?
JayBird
Admin
Posts: 4524
Joined: Wed Aug 13, 2003 7:02 am
Location: York, UK

Post by JayBird »

Found this in the manual:

The only syntax I found to work for the command portion of an exec() call on a Win2K devel platform is:

```php
$command = "\"path-to-exe\" args file-name";
```

where 'path-to-exe' has escaped double quotes, args are in the standard format, and 'file-name' has any backslashes escaped.

Example:

```php
$command = "\"C:\program files\winzip\wzunzip.exe\" -c C:\\temp\\uploaded_file.zip";

exec($command,$output,$rv);
```

Note that the backslashes are escaped in the uploaded_file name, but not in the path to call the Winzip executable. Go figure!

Mark
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

You shouldn't. ;) Use absolute paths or place the pdf.exe in a subdirectory of the directory containing your script.

PS: does your hosting company provide win-apache-php hosting? Hosters usually offer some type of *nix...
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

Bech, where did you find it?
JayBird
Admin
Posts: 4524
Joined: Wed Aug 13, 2003 7:02 am
Location: York, UK

Post by JayBird »

here http://se.php.net/manual/en/ref.exec.php


Note dated 15-Sep-2002 08:07
Aj!
Forum Newbie
Posts: 7
Joined: Thu Nov 06, 2003 8:17 am

Post by Aj! »

yes, they provide win-php, take a look: http://malibu.bluerange.se/kinna/p.php
Aj!
Forum Newbie
Posts: 7
Joined: Thu Nov 06, 2003 8:17 am

Post by Aj! »

and it doesn't work even if I put all the files in the same directory where the file is executed :( all because safe_mode is on.. grr
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

Aj! wrote: and it doesn't work even if I put all the files in the same directory where the file is executed :( all because safe_mode is on.. grr

Do you receive any error messages? Please post them here.
Aj!
Forum Newbie
Posts: 7
Joined: Thu Nov 06, 2003 8:17 am

Post by Aj! »

no, no error messages if I try to use absolute paths, just:

Warning: exec(): No '..' components allowed in path in c:\inetpub\wwwroot\kinnan\dok2000kopia\pdf_direkta\golv&tak\pdf.php on line 9

if I run the code as above..

I'm a supern00b at PHP, so if there is something I shall write to get error messages, tell me :)
Aj!
Forum Newbie
Posts: 7
Joined: Thu Nov 06, 2003 8:17 am

Post by Aj! »

one more thing that might help you..
on the host's page it says something about move_uploaded_file..

"To save an uploaded file in the website you have to use move_uploaded_file. The temporary file can not be opened in some other way due to security reasons"

when I use my .exe that changes some bytes in one pdf and then saves it in another place with another name, do you think I should use this move_uploaded_file? don't have a clue what it is.. ;)
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

Double dots are also present in the parameter " ..\\..\\af_bilder\\$bild"
I think you can't access an uploaded file without using the move_uploaded_file function... dunno, never dealt with uploading.
JayBird
Admin
Posts: 4524
Joined: Wed Aug 13, 2003 7:02 am
Location: York, UK

Post by JayBird »

When you upload a file, it is temporarily stored somewhere specified in the PHP.ini.

You need to use move_uploaded_file before you can do something with the uploaded file.

Mark
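
Added example, not code from any poster in this thread: one way to build the exec() command line from absolute directories and validated file names, so that no `..` component reaches exec() and the three request parameters cannot carry path separators or shell syntax. The directory layout, the allowed image extensions and the function names are assumptions.

```php
<?php
// Added example. Directory layout, extensions and function names are assumptions.

/** Accept only a bare file name (no separators, no "..") with an allowed extension. */
function safe_name(string $name, array $extensions): string
{
    if (!preg_match('/^[A-Za-z0-9_-]+\.([A-Za-z0-9]+)$/', $name, $m)
        || !in_array(strtolower($m[1]), $extensions, true)) {
        throw new InvalidArgumentException("rejected file name: $name");
    }
    return $name;
}

/** Build the command line from absolute directories and validated names. */
function build_pdf_command(array $dirs, string $pdf, string $bild, string $nypdf): string
{
    $parts = [
        $dirs['exe'] . '\\pdf.exe',
        $dirs['pdf'] . '\\' . safe_name($pdf, ['pdf']),
        $dirs['img'] . '\\' . safe_name($bild, ['jpg', 'png', 'gif']),
        $dirs['pdf'] . '\\' . safe_name($nypdf, ['pdf']),
    ];
    // Quote every token so spaces or "&" in a directory name stay literal.
    return implode(' ', array_map('escapeshellarg', $parts));
}

// Hypothetical absolute directories; in a real script these come from configuration.
$dirs = [
    'exe' => 'C:\\inetpub\\wwwroot\\site\\exe',
    'img' => 'C:\\inetpub\\wwwroot\\site\\af_bilder',
    'pdf' => 'C:\\inetpub\\wwwroot\\site\\pdf',
];

// Constructed sample input standing in for $_GET['pdf'], ['bild'], ['nypdf'].
$samples = [
    ['in.pdf', 'floor.jpg', 'out.pdf'],           // accepted
    ['in.pdf', '..\\..\\secret.jpg', 'out.pdf'],  // traversal attempt
    ['in.pdf & del x', 'floor.jpg', 'out.pdf'],   // shell metacharacters
];
foreach ($samples as [$pdf, $bild, $nypdf]) {
    try {
        echo build_pdf_command($dirs, $pdf, $bild, $nypdf), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $e->getMessage(), PHP_EOL;
    }
}
```

With safe_mode on, exec() additionally runs only programs located in the directory named by safe_mode_exec_dir, which the hosting provider sets in php.ini.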