Coding Critique is the place to post source code for peer review by other members of DevNetwork. Any kind of code can be posted. Code posted does not have to be limited to PHP. All members are invited to contribute constructive criticism with the goal of improving the code. Posted code should include some background information about it and what areas you specifically would like help with.
Popular code excerpts may be moved to "Code Snippets" by the moderators.
You want ../ to be allowed? That could be dangerous. This code won't allow that - it will only allow access to child directories inside the current directory - not the parent directory.
Here's the code again, hopefully a little more clear:
Sorry if I wasn't clear, I certainly don't want ../ to be allowed. However, for some reason the code is allowing '../', while './..', which leads to the same directory, is denied. Every other folder returns the correct result: child folders are allowed, and parent folders are denied. Plus, when I upload it to my remote host (running Linux), the code doesn't work at all, as $full_path_to_search is returned as empty. Here is the code I am using:
<?php
session_start();
//Begin microtime timer
$microtime_0 = microtime();
//Include external class that holds application settings
include("./fm_assets/appconfig.php");
//Construct instance of class app_config
$app_config = new app_config;
//Declare initial variables
$dir_to_read = "./";
$ico_dir = "./fm_assets/ico/";
$date_format = "d-m-y g:i:s a";
//Null declarations
$str_to_echo = "";
$dir_files = array();
$file_ext = array();
$err_msgs = "";
$edit_str = "";
$dir_folders = array();
//Load application configuration
if (file_exists('./fm_assets/config.txt')) {
    $app_config = unserialize(base64_decode(file_get_contents('./fm_assets/config.txt')));
} else {
    echo("<b>Note: The required configuration file does not exist.</b>");
}
//Define hidden files and folders
$dir_to_hide = $app_config->dir_to_hide;
$ext_to_hide = $app_config->ext_to_hide;
//Define directory to read from configuration file
$dir_to_read = $app_config->dir_to_read;
//Check if login attempt was made, if so check credentials
if (isset($_REQUEST['cklogin'])) {
    if (in_array($_POST['user'], $app_config->users)) {
        if ($app_config->passwords[$_POST['user']] == $_POST['pass']) {
            $_SESSION['reguser'] = $_POST['user'];
        } else {
            $err_msgs .= "Incorrect username and password.";
            $_SESSION['reguser'] = 'public';
        }
    } else {
        $err_msgs .= "Incorrect username and password.";
        $_SESSION['reguser'] = 'public';
    }
}
//Check if logout request was made, if so kill session
if (isset($_REQUEST['logout'])) { session_unset(); }
//Check if session variable that holds current login user name is set, if not set to public
if (!isset($_SESSION['reguser'])) { $_SESSION['reguser'] = 'public'; }
//Get directory to read if provided in URL
if (isset($_REQUEST['dir'])) { $dir_to_read = $_REQUEST['dir']; }
//Check that the directory to be read has a / at the end, if not, put one there
if (substr($dir_to_read, -1) != "/") { $dir_to_read .= "/"; }
$full_path_to_search = realpath(dirname(__FILE__).$dir_to_read);
$path_of_current_file = dirname(__FILE__);
if (strpos($full_path_to_search, $path_of_current_file) === 0) {
    echo('Directory OK');
}
echo('<br />$full_path_to_search: '.realpath(dirname(__FILE__).$dir_to_read));
echo('<br />$path_of_current_file: '. dirname(__FILE__));
echo('<br />$dir_to_read: '.$dir_to_read);
echo('<br />$_GET[DIR]: '.$_GET['dir']);
//Check if there was a request to create a new directory, if so create it
if (isset($_REQUEST['newdir'])) {
    if (!is_dir($_REQUEST['dir'].$_REQUEST['newdir'])) {
        mkdir($_REQUEST['dir'].$_REQUEST['newdir'], 0777) or die("The folder could not be created. Make sure write permissions are enabled.");
    } else {
        $err_msgs .= "<b>The named folder already exists. Please specify a new name.</b>";
    }
}
//Code continues to list the contents of the directory
# The directory that all viewable directories must be under
$root_dir = dirname(__FILE__);
# The subdirectory requested by the user
$requested_subdir = $_GET['dir'];
# The fully qualified & resolved file system path for the user requested subdirectory
$requested_fulldir = realpath($root_dir.'/'.$requested_subdir);
if (strpos($requested_fulldir, $root_dir) === 0)
    echo 'Directory OK';
else
    echo 'L33T HAXOR ALERT';
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
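An added example, written for this page and not code posted by anyone in the thread. It wraps the realpath() check above in a reusable function and exercises the cases discussed: the missing separator (dirname(__FILE__) . "./" produces "…/fm./", which is a different, nonexistent path on Linux, so realpath() returns false and the variable looks empty; on Windows trailing dots in a name are ignored, so "fm../" collapses back to the current directory and "../" appears to be allowed), plus one case the posted check does not cover: a sibling directory whose name merely starts with the root's name. The temporary fm_demo_ tree, the fm_private sibling and the list of test paths are all constructed for the demonstration.

```php
<?php
// Added example: resolve a user-supplied subdirectory under a fixed root and
// refuse anything that escapes it. Not the thread's original code.

/**
 * Return the resolved absolute path of $requested under $root, or null if it
 * does not exist, cannot be resolved, or lies outside $root.
 */
function resolve_under_root(string $root, string $requested): ?string
{
    $root_real = realpath($root);
    if ($root_real === false) {
        return null;            // root itself is missing or unreadable
    }
    // Always join with a separator: $root . "./" yields ".../fm./", which
    // realpath() rejects on Linux (no such directory) and which the Windows
    // file system quietly treats as ".../fm/".
    $candidate = realpath($root_real . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false) {
        return null;            // nonexistent path or dangling symlink
    }
    // Compare against the root plus a trailing separator: realpath() strips
    // trailing slashes, so a bare prefix test on ".../fm" would also accept
    // the sibling ".../fm_private".
    $prefix = rtrim($root_real, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($candidate !== $root_real && strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;            // resolved outside the root
    }
    return $candidate;
}

// Constructed throwaway tree under the system temp dir (hypothetical names).
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'fm_demo_' . bin2hex(random_bytes(4));
$root = $base . DIRECTORY_SEPARATOR . 'fm';
mkdir($root . DIRECTORY_SEPARATOR . 'uploads', 0700, true);
mkdir($base . DIRECTORY_SEPARATOR . 'fm_private', 0700, true);  // sibling: must be denied

$cases = [
    './',              // current directory: allowed
    'uploads',         // child directory: allowed
    'uploads/../',     // climbs back to the root itself: allowed
    '../',             // parent: denied
    './..',            // parent: denied
    '../fm_private',   // sibling sharing the prefix "fm": denied
    'does_not_exist',  // realpath() returns false: denied
];
foreach ($cases as $dir) {
    $resolved = resolve_under_root($root, $dir);
    printf("%-16s %s\n", $dir, $resolved === null ? 'DENIED' : 'OK  ' . $resolved);
}

// The bug from the thread: no separator between the root and "./".
// On Linux this prints "false", because ".../fm." does not exist.
$broken = realpath($root . './');
printf("\nrealpath(\$root . './') without a separator: %s\n", var_export($broken, true));

// Clean up the constructed tree.
rmdir($root . DIRECTORY_SEPARATOR . 'uploads');
rmdir($root);
rmdir($base . DIRECTORY_SEPARATOR . 'fm_private');
rmdir($base);
```

Run it from the command line with php (the nullable return type needs PHP 7.1 or later). The function returns null rather than echoing, so the caller can refuse the request before anything touches the file system; in the posted script the mkdir() call still runs on the raw $_REQUEST values even when the check prints nothing, so the resolved path, not the request parameter, should be what the rest of the script operates on.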
Ahhh...now I get it! Thanks a lot pickle, that code worked beautifully. I'm not sure what was up with my server before, but it works now. Thanks again.