Re: Review of a File Manager
Posted: Mon Apr 20, 2009 9:56 am
by pickle
You want ../ to be allowed? That could be dangerous. This code won't allow that - it will only allow access to child directories inside the current directory - not the parent directory.
Here's the code again, hopefully a little more clear:
$dir_to_read = "user/supplied/subdirectory";
$full_path_to_search = realpath(dirname(__FILE__).$dir_to_read);
$path_of_current_file = dirname(__FILE__);
if(strpos($full_path_to_search,$path_of_current_file) === 0) {
    echo('Directory OK');
}
Re: Review of a File Manager
Posted: Wed Apr 22, 2009 7:34 pm
by silverspy18
Sorry if I wasn't clear, I certainly don't want ../ to be allowed. However, for some reason the code is allowing '../', while './..', which leads to the same directory, is denied. Every other folder returns the correct result: child folders are allowed, and parent folders are denied. Plus, when I upload it to my remote host (running Linux), the code doesn't work at all, as $full_path_to_search is returned as empty. Here is the code I am using:
<?php session_start();
//Begin microtime timer
$microtime_0 = microtime();
//Include external class that holds application settings
include("./fm_assets/appconfig.php");
//Construct instance of class app_config
$app_config = new app_config;
//Declare initial variables
$dir_to_read = "./";
$ico_dir = "./fm_assets/ico/";
$date_format = "d-m-y g:i:s a";
//Null declarations
$str_to_echo = "";
$dir_files = array();
$file_ext = array();
$err_msgs = "";
$edit_str= "";
$dir_folders = array();
//Load application configuration
if (file_exists('./fm_assets/config.txt')) {
    $app_config = unserialize(base64_decode(file_get_contents('./fm_assets/config.txt')));
} else {
    echo("<b>Note: The required configuration file does not exist.</b>");
}
//Define hidden files and folders
$dir_to_hide = $app_config->dir_to_hide;
$ext_to_hide = $app_config->ext_to_hide;
//Define directory to read from configuration file
$dir_to_read = $app_config->dir_to_read;
//Check if login attempt was made, if so check credentials
if (isset($_REQUEST['cklogin'])) {
    if (in_array($_POST['user'], $app_config->users)) {
        if ($app_config->passwords[$_POST['user']] == $_POST['pass']) {
            $_SESSION['reguser'] = $_POST['user'];
        } else {
            $err_msgs .= "Incorrect username and password.";
            $_SESSION['reguser'] = 'public';
        }
    } else {
        $err_msgs .= "Incorrect username and password.";
        $_SESSION['reguser'] = 'public';
    }
}
//Check if logout request was made, if so kill session
if (isset($_REQUEST['logout'])) {session_unset();}
//Check if session variable that holds current login user name is set, if not set to public
if (!isset($_SESSION['reguser'])) {$_SESSION['reguser'] = 'public';}
//Get directory to read if provided in URL
if (isset($_REQUEST['dir'])) {$dir_to_read = $_REQUEST['dir'];}
//Check that the directory to be read has a / at the end, if not, put one there
if (substr($dir_to_read, -1) != "/") {$dir_to_read .= "/";}
$full_path_to_search = realpath(dirname(__FILE__).$dir_to_read);
$path_of_current_file = dirname(__FILE__);
if(strpos($full_path_to_search,$path_of_current_file) === 0) {
    echo('Directory OK');
}
echo('<br />$full_path_to_search: '.realpath(dirname(__FILE__).$dir_to_read));
echo('<br />$path_of_current_file: '. dirname(__FILE__));
echo('<br />$dir_to_read: '.$dir_to_read);
echo('<br />$_GET[DIR]: '.$_GET['dir']);
//Check if there was a request to create a new directory, if so create it
if (isset($_REQUEST['newdir'])) {
    if (!is_dir($_REQUEST['dir'].$_REQUEST['newdir'])) {
        mkdir($_REQUEST['dir'].$_REQUEST['newdir'], 0777) or die("The folder could not be created. Make sure write permissions are enabled.");
    } else {
        $err_msgs .= "<b>The named folder already exists. Please specify a new name.</b>";
    }
}
//Code continues to list the contents of the directory
Here is an example of the problem (on remote host) if it serves any help:
http://noname.aband0ned.net/fmdemo/debu ... php?dir=./
Thanks a lot.
Re: Review of a File Manager
Posted: Thu Apr 23, 2009 9:51 am
by pickle
I'm not sure what you're setting $dir_to_read to in your config. On the page, it looks like it's just being set to whatever $_GET['dir'] is.
This code has been tested & works on my server. Sorry about always changing the variable names. I'm just trying to make the process more clear.
# The directory that all viewable directories must be under
$root_dir = dirname(__FILE__);
# The subdirectory requested by the user (empty string when none was given)
$requested_subdir = isset($_GET['dir']) ? $_GET['dir'] : '';
# The fully qualified & resolved file system path for the user requested subdirectory
# realpath() returns false if the path does not exist, which fails the check below
$requested_fulldir = realpath($root_dir.'/'.$requested_subdir);
# Compare against $root_dir followed by a separator so that a sibling such as
# /www/fmdemo_backup is not accepted as being inside /www/fmdemo
if($requested_fulldir !== false &&
   ($requested_fulldir === $root_dir || strpos($requested_fulldir, $root_dir.'/') === 0))
    echo 'Directory OK';
else
    echo 'L33T HAXOR ALERT';
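As an added illustration of the containment check pickle describes (this is not code from the thread or from the file manager under review), the function below resolves a requested subdirectory under a root and handles the two edge cases the thread runs into: a path that realpath() cannot resolve, and a sibling directory whose name merely starts with the root's name. The function name and the fmdemo/fmdemo_backup layout are made up; the layout is constructed in a temp directory so the script runs offline.

```php
<?php
// Added example, not the thread's own code: a containment check in the style
// pickle describes, covering two edge cases: realpath() returning false for a
// path that does not exist, and a sibling directory whose name merely starts
// with the root's name (fmdemo vs fmdemo_backup, both constructed below).
function resolve_inside_root($root_dir, $requested_subdir)
{
    $root = realpath($root_dir);
    if ($root === false) {
        return false;  // the root itself must exist
    }
    // Always join with a separator: $root.$sub would turn "fmdemo" + "../"
    // into "fmdemo../", which realpath() rejects on Linux.
    $resolved = realpath($root . DIRECTORY_SEPARATOR . $requested_subdir);
    if ($resolved === false) {
        return false;  // requested path does not exist
    }
    // Compare against root plus a separator so that /www/fmdemo_backup is
    // not accepted as being inside /www/fmdemo.
    if ($resolved === $root || strpos($resolved, $root . DIRECTORY_SEPARATOR) === 0) {
        return $resolved;
    }
    return false;
}
// Constructed fixture: a root, one child, and a same-prefix sibling of the root.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'fm_example_' . getmypid();
mkdir($base . '/fmdemo/docs', 0700, true);
mkdir($base . '/fmdemo_backup', 0700, true);
$root = $base . '/fmdemo';
$cases = array(
    './'                       => true,   // the root itself
    'docs'                     => true,   // child directory
    '../'                      => false,  // parent
    './..'                     => false,  // parent, spelled differently
    '../fmdemo_backup'         => false,  // same-prefix sibling
    'docs/../../fmdemo_backup' => false,  // sibling reached through a child
    'does_not_exist'           => false,  // realpath() returns false
);
foreach ($cases as $sub => $expected) {
    $allowed = resolve_inside_root($root, $sub) !== false;
    printf("%-26s %s%s\n", $sub, $allowed ? 'allowed' : 'denied',
           $allowed === $expected ? '' : '  <-- UNEXPECTED');
}
// Remove the fixture again.
foreach (array('/fmdemo/docs', '/fmdemo', '/fmdemo_backup', '') as $d) {
    rmdir($base . $d);
}
```

Dropping the trailing DIRECTORY_SEPARATOR from the strpos() comparison makes the '../fmdemo_backup' case print "allowed", which is the sibling-prefix problem the comment refers to.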
Re: Review of a File Manager
Posted: Mon Apr 27, 2009 4:08 pm
by silverspy18
Ahhh...now I get it! Thanks a lot pickle, that code worked beautifully. I'm not sure what was up with my server before, but it works now. Thanks again.