Re: Review of a File Manager

Posted: Mon Apr 20, 2009 9:56 am
by pickle
You want ../ to be allowed? That could be dangerous. This code won't allow that - it will only allow access to child directories inside the current directory - not the parent directory.

Here's the code again, hopefully a little more clear:

$dir_to_read = "user/supplied/subdirectory";

$full_path_to_search = realpath(dirname(__FILE__).$dir_to_read);
$path_of_current_file = dirname(__FILE__);

if (strpos($full_path_to_search, $path_of_current_file) === 0) {
    echo('Directory OK');
}

Re: Review of a File Manager

Posted: Wed Apr 22, 2009 7:34 pm
by silverspy18
Sorry if I wasn't clear, I certainly don't want ../ to be allowed. However, for some reason the code is allowing '../', while './..', which leads to the same directory, is denied. Every other folder returns the correct result: child folders are allowed and parent folders are denied. Plus, when I upload it to my remote host (running Linux), the code doesn't work at all, as $full_path_to_search is returned as empty. Here is the code I am using:

<?php
session_start();
//Begin microtime timer
$microtime_0 = microtime();

//Include external class that holds application settings
include("./fm_assets/appconfig.php");

//Construct instance of class app_config
$app_config = new app_config;

//Declare initial variables
$dir_to_read = "./";
$ico_dir = "./fm_assets/ico/";
$date_format = "d-m-y g:i:s a";

//Null declarations
$str_to_echo = "";
$dir_files = array();
$file_ext = array();
$err_msgs = "";
$edit_str = "";
$dir_folders = array();

//Load application configuration
if (file_exists('./fm_assets/config.txt')) {
    $app_config = unserialize(base64_decode(file_get_contents('./fm_assets/config.txt')));
} else {
    echo("<b>Note: The required configuration file does not exist.</b>");
}

//Define hidden files and folders
$dir_to_hide = $app_config->dir_to_hide;
$ext_to_hide = $app_config->ext_to_hide;

//Define directory to read from configuration file
$dir_to_read = $app_config->dir_to_read;

//Check if login attempt was made, if so check credentials
if (isset($_REQUEST['cklogin'])) {
    if (in_array($_POST['user'], $app_config->users)) {
        if ($app_config->passwords[$_POST['user']] == $_POST['pass']) {
            $_SESSION['reguser'] = $_POST['user'];
        } else {
            $err_msgs .= "Incorrect username and password.";
            $_SESSION['reguser'] = 'public';
        }
    } else {
        $err_msgs .= "Incorrect username and password.";
        $_SESSION['reguser'] = 'public';
    }
}

//Check if logout request was made, if so kill session
if (isset($_REQUEST['logout'])) {session_unset();}

//Check if session variable that holds current login user name is set, if not set to public
if (!isset($_SESSION['reguser'])) {$_SESSION['reguser'] = 'public';}

//Get directory to read if provided in URL
if (isset($_REQUEST['dir'])) {$dir_to_read = $_REQUEST['dir'];}

//Check that the directory to be read has a / at the end, if not, put one there
if (substr($dir_to_read, -1) != "/") {$dir_to_read .= "/";}

//dirname(__FILE__) has no trailing slash, so $dir_to_read is appended straight onto the directory name
$full_path_to_search = realpath(dirname(__FILE__).$dir_to_read);
$path_of_current_file = dirname(__FILE__);

if (strpos($full_path_to_search, $path_of_current_file) === 0) {
    echo('Directory OK');
}

//Debug output
echo('<br />$full_path_to_search: '.realpath(dirname(__FILE__).$dir_to_read));
echo('<br />$path_of_current_file: '.dirname(__FILE__));
echo('<br />$dir_to_read: '.$dir_to_read);
echo('<br />$_GET[DIR]: '.$_GET['dir']);

//Check if there was a request to create a new directory, if so create it
//(note: the path is built from the raw request values, not from the checked $full_path_to_search)
if (isset($_REQUEST['newdir'])) {
    if (!is_dir($_REQUEST['dir'].$_REQUEST['newdir'])) {
        mkdir($_REQUEST['dir'].$_REQUEST['newdir'], 0777) or die("The folder could not be created. Make sure write permissions are enabled.");
    } else {
        $err_msgs .= "<b>The named folder already exists. Please specify a new name.</b>";
    }
}
//Code continues to list the contents of the directory

Here is an example of the problem (on remote host) if it serves any help: http://noname.aband0ned.net/fmdemo/debu ... php?dir=./

Thanks a lot.

Re: Review of a File Manager

Posted: Thu Apr 23, 2009 9:51 am
by pickle
I'm not sure what you're setting $dir_to_read to in your config. On the page, it looks like it's just being set to whatever $_GET['dir'] is.

This code has been tested & works on my server. Sorry about always changing the variable names. I'm just trying to make the process more clear.

# The directory that all viewable directories must be under
$root_dir = dirname(__FILE__);

# The subdirectory requested by the user
$requested_subdir = $_GET['dir'];

# The fully qualified & resolved file system path for the user requested subdirectory
$requested_fulldir = realpath($root_dir.'/'.$requested_subdir);

if (strpos($requested_fulldir, $root_dir) === 0) {
    echo 'Directory OK';
} else {
    echo 'L33T HAXOR ALERT';
}
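Added example, not from the thread: the same realpath check as a function, tightened so the resolved path must be the root itself or begin with the root plus a directory separator, because a plain `strpos(...) === 0` prefix test also accepts a sibling directory whose name merely starts with the root's (e.g. `fm2` beside `fm`). It assumes only PHP's standard library (7.1+) and builds its own throwaway directory layout under the system temp directory to check itself.

```php
<?php
// Added example (not from the thread). Resolves a user-supplied subdirectory
// against a root and returns its real path, or null if it is not inside the root.
function resolve_subdir(string $root_dir, string $requested_subdir): ?string
{
    if (strpos($requested_subdir, "\0") !== false) { return null; } // realpath() rejects NUL
    $root = realpath($root_dir);
    if ($root === false) { return null; }                 // root itself must exist
    // explicit separator: the empty result in the thread came from omitting it
    $candidate = realpath($root . DIRECTORY_SEPARATOR . $requested_subdir);
    if ($candidate === false) { return null; }            // nonexistent path
    if ($candidate === $root) { return $candidate; }      // "./" or "sub/.." is the root
    // require root + separator as prefix, so "/x/fm2" is not a child of "/x/fm"
    $prefix = $root . DIRECTORY_SEPARATOR;
    return strncmp($candidate, $prefix, strlen($prefix)) === 0 ? $candidate : null;
}

// Self-check on a constructed layout: <tmp>/fm (root), <tmp>/fm/sub, <tmp>/fm2
function self_check(): bool
{
    $base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'fmcheck_' . getmypid();
    foreach (['fm', 'fm/sub', 'fm2'] as $d) {
        mkdir($base . DIRECTORY_SEPARATOR . $d, 0700, true);
    }
    $root = $base . DIRECTORY_SEPARATOR . 'fm';
    $cases = [
        'sub'    => realpath($root . '/sub'),   // child: allowed
        './'     => realpath($root),            // root itself: allowed
        'sub/..' => realpath($root),            // resolves back to the root: allowed
        '../'    => null,                       // parent: denied
        '../fm2' => null,                       // sibling sharing the prefix: denied
        'nope'   => null,                       // nonexistent: denied
    ];
    $ok = true;
    foreach ($cases as $req => $expected) {
        $ok = $ok && (resolve_subdir($root, $req) === $expected);
    }
    foreach (['fm/sub', 'fm', 'fm2'] as $d) {
        rmdir($base . DIRECTORY_SEPARATOR . $d);
    }
    rmdir($base);
    return $ok;
}

echo self_check() ? "all checks passed\n" : "a check FAILED\n";
```

The `'../fm2'` case is the one the thread's check would let through, since `/x/fm2` starts with `/x/fm`.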

Re: Review of a File Manager

Posted: Mon Apr 27, 2009 4:08 pm
by silverspy18
Ahhh...now I get it! Thanks a lot pickle, that code worked beautifully. I'm not sure what was up with my server before, but it works now. Thanks again.