listing a folder content : how to prevent user from going above the authorized directory?

Question

Hi,

i'm working on a script to allow users to browse a given directory, which is not the directory this file is sitting in, but set in a variable.

 define('FOLDER', '../_files/');

Now, the rendred html allows to navigate subfolders inside that folder. I use a "dir" GET variable to tell my script which subfolder's content to display and a ".." link allowing to go upwards, using that same dir variable.

I've set a check that if $_GET['dir'] is equals to FOLDER, it should not display that ".." link. But it's easy enough to mess with that variable sitting in the url and wherever i do that, my script allows to browse above the authorized folder. Not exactly a safe situation...

So i'm thinking i should check the full local path of the authorized directory against the requested directory and if the latter is not inside the authorized one, not display the "..".

But i don't know how to do that. Any hints or pointer would be appreciated. Thanks

Answer 1

You might want to look at realpath().

$foo = realpath($foo);
if (substr($foo, 0, 8) != '/my/path') {
    return false;
}

...or something like that.

Copied from this answer, since I think this question is better.

Answer 2

or you could use regex

$requested = realpath($foo);
$allowedpath = '/path/to/allowed';

$regex = '/^'.addslashes($allowedpath).'\/?.*$/';

if (!preg_match($regex, $requested)) {
    return false;
}