No '..' components allowed in path

Posted: Thu Nov 06, 2003 8:17 am
by Aj!
Hello, I get this error message:

Warning: No '..' components allowed in path in D:\Inetpub\Hotel\kinnanc136qnke\dok2000kopia\pdf_direkta\golv&tak\pdf.php on line 9

when running this code:

<?PHP
ini_set("display_errors", "1");

function myspawn($pdf, $bild, $nypdf)
{
$command="..\\..\\exe\\pdf.exe $pdf ..\\..\\af_bilder\\$bild $nypdf";
exec($command);
exec("exit(0)");
}
?>

<html>
<head>
<title>New Page 1</title>
<script language="JavaScript" type="text/JavaScript">
<!--
function MM_goToURL() { //v3.0
var i, args=MM_goToURL.arguments; document.MM_returnValue = false;
for (i=0; i<(args.length-1); i+=2) eval(args[i]+".location='"+args[i+1]+"'");
}
//-->
</script>
</head>
<body onLoad="MM_goToURL('parent','pdf.pdf');return document.MM_returnValue">
Skapar pdf..
<? myspawn($_GET['pdf'], $_GET['bild'], $_GET['nypdf']);?>
</body>
</html>

It executes an .exe that switches some bytes in a pdf-file and then saves it to a new location..

When safe_mode = Off everything works just fine..
But it will be hosted on a webhotel that won't allow safe_mode = Off, so I have to get it to work with safe_mode = On

Anyone know what's the problem?

Thanks!

Posted: Thu Nov 06, 2003 8:19 am
by JayBird
Instead of using relative paths, try using the full server path, which can be found in the variable

Code: Select all

$_SERVER["DOCUMENT_ROOT"]
Mark

Posted: Thu Nov 06, 2003 8:20 am
by Weirdan
It's protection from traversal type of attacks. Relative paths cannot contain `..` (one level up) components when safe_mode is on.

Posted: Thu Nov 06, 2003 8:29 am
by Aj!
Thanks Mark, but that doesn't work.. I have tried the full path and several variables.. :/

Weirdan, is there something else that means the same as '..' that I can use?

Posted: Thu Nov 06, 2003 8:36 am
by JayBird
Found this in the manual:

The only syntax I found to work for the command portion of an exec() call on a Win2K devel platform is:

Code: Select all

$command = "\"path-to-exe\" args file-name";
where 'path-to-exe' has escaped double quotes, args are in the standard format, and 'file-name' has any backslashes escaped.

Example:

Code: Select all

$command = "\"C:\program files\winzip\wzunzip.exe\" -c C:\\temp\\uploaded_file.zip";

exec($command,$output,$rv);
Note that the backslashes are escaped in the uploaded_file name, but not in the path to call the Winzip executable. Go figure!

Mark

Posted: Thu Nov 06, 2003 8:42 am
by Weirdan
You shouldn't. ;) Use absolute paths or place the pdf.exe in a subdirectory of the directory containing your script.

PS: does your hosting company provide win-apache-php hosting? Hosters usually offer some type of *nix...

Posted: Thu Nov 06, 2003 8:44 am
by Weirdan
Bech, where did you find it?

Posted: Thu Nov 06, 2003 8:45 am
by JayBird
here http://se.php.net/manual/en/ref.exec.php


Note dated 15-Sep-2002 08:07

Posted: Thu Nov 06, 2003 8:51 am
by Aj!
yes, they provide win-php, take a look: http://malibu.bluerange.se/kinna/p.php

Posted: Thu Nov 06, 2003 8:54 am
by Aj!
and it doesn't work even if I put all the files in the same directory where the file is executed :( all because safe_mode is on.. grr

Posted: Thu Nov 06, 2003 9:01 am
by Weirdan
Aj! wrote: and it doesn't work even if I put all the files in the same directory where the file is executed :( all because safe_mode is on.. grr
Do you receive any error messages? Please post them here.

Posted: Thu Nov 06, 2003 9:11 am
by Aj!
No, no error messages if I try to use absolute paths, just:

Warning: exec(): No '..' components allowed in path in c:\inetpub\wwwroot\kinnan\dok2000kopia\pdf_direkta\golv&tak\pdf.php on line 9

if I run the code as above..

I'm a supern00b at PHP, so if there is something I should write to get error messages, tell me :)

Posted: Thu Nov 06, 2003 9:17 am
by Aj!
One more thing that might help you..
On the host's page it says something about move_uploaded_file..

"To save an uploaded file in the website you have to use move_uploaded_file. The temporary file cannot be opened in some other way due to security reasons"

When I use my .exe that changes some bytes in one pdf and then saves it in another place with another name, do you think I should use this move_uploaded_file? Don't have a clue what it is.. ;)

Posted: Thu Nov 06, 2003 9:26 am
by Weirdan
Double dots are also present in the parameter " ..\\..\\af_bilder\\$bild"
I think you can't access uploaded file without using move_uploaded_file function... dunno, never dealt with uploading.
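
Added example, not part of any post in this thread: one way to build the same command with absolute paths, so that neither the executable path nor the image argument contains `..`, and with the request parameters restricted to bare file names. The function names `safe_name` and `myspawn_abs`, the image extensions and the directory layout are assumptions.

```php
<?php
// Added example, not code from the thread.
// Assumed layout, taken from the relative paths in the first post:
// exe\pdf.exe and af_bilder\ sit two directory levels above this script.

// Hypothetical helper: accept a bare file name with an allowed extension,
// so a request parameter can never contribute '..', a drive letter or a
// directory separator to the command line.
function safe_name($value, $extensions)
{
    $pattern = '/^[A-Za-z0-9_-]+\.(?:' . implode('|', $extensions) . ')$/iD';
    return (is_string($value) && preg_match($pattern, $value)) ? $value : false;
}

// Hypothetical replacement for myspawn(): absolute paths, quoted arguments.
function myspawn_abs($pdf, $bild, $nypdf)
{
    $pdf   = safe_name($pdf, array('pdf'));
    $bild  = safe_name($bild, array('jpg', 'gif', 'png')); // assumed image types
    $nypdf = safe_name($nypdf, array('pdf'));
    if ($pdf === false || $bild === false || $nypdf === false) {
        return false;
    }

    $here = dirname(__FILE__);               // directory of this script
    $base = dirname(dirname($here));         // two levels up, without '..'
    $sep  = DIRECTORY_SEPARATOR;
    $exe  = $base . $sep . 'exe' . $sep . 'pdf.exe';
    $img  = $base . $sep . 'af_bilder' . $sep . $bild;
    $in   = $here . $sep . $pdf;
    $out  = $here . $sep . $nypdf;
    if (!is_file($exe) || !is_file($img) || !is_file($in)) {
        return false;
    }

    // escapeshellarg() quotes each argument; needed here because the
    // thread's script directory (golv&tak) contains a shell metacharacter.
    $command = escapeshellarg($exe) . ' ' . escapeshellarg($in) . ' '
             . escapeshellarg($img) . ' ' . escapeshellarg($out);
    exec($command, $output, $rv);
    return $rv === 0;
}

// Usage in place of the original call:
// myspawn_abs($_GET['pdf'], $_GET['bild'], $_GET['nypdf']);
```

With safe_mode on, PHP also only runs executables located in the directory the host has set as safe_mode_exec_dir, so absolute paths alone may not be enough on such a host.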

Posted: Thu Nov 06, 2003 9:33 am
by JayBird
When you upload a file, it is temporarily stored somewhere specified in the PHP.ini.

You need to use move_uploaded_file before you can do something with the uploaded file.

Mark