Directory above designated root dir

This topic is closed.
  • Schraalhans Keukenmeester

    Directory above designated root dir

    A few of my customers have access to a simplified web-based ftp client to
    their relative root directories, all sub[sub]dirs of my main domain root.

    Most of the code in my ftp class seems pretty
    efficient, easy to maintain, and elegant at times. Somehow I keep fighting
    with one issue:

    When a user attempts to change dirs (they only can do so via the provided
    method of my ftp class, they never 'see' the actual connection resource) I
    have to check whether the desired new directory is *):

    1. a valid directory
    2. can be reached from the current working directory (or has a full path)
    3. is not above their root directory

    *) As long as user doesn't fiddle with POST vars I'll never come across
    that bridge, but hey, you shouldn't trust user data, ever.

    I am particularly unhappy about my implementation of test 3. I end
    up doing a lot of str_len() compares on target and root strings, testing
    whether one is a substr of the other and vice versa, and all that results
    in a yes or no on the big question. It works, but it's Ugly, and probably
    dumb.

    Somehow I am *sure* this is a silly way of going about it. Yet each new
    attempt I keep ending up with something similar. Call it tunnel vision or
    one-man-group-think. Had it before, and seen it with others. Something
    human, I suppose.

    Does anyone have a simple, elegant solution for this common test, whether
    or not a dir is above or under another dir?

    Thanks in advance for your help,
    Best,

    Sh.



  • Schraalhans Keukenmeester

    #2
    Re: Directory above designated root dir

    On Fri, 27 Apr 2007 21:29:45 +0200, Schraalhans Keukenmeester wrote:

    > When a user attempts to change dirs (they only can do so via the provided
    > method of my ftp class, they never 'see' the actual connection resource) I
    > have to check whether the desired new directory is:
    >
    > 1. a valid directory
    > 2. can be reached from the current working directory (or has a full path)
    > 3. is not above their root directory
    >
    > I am particularly unhappy about my implementation of test 3. I end
    > up doing a lot of str_len() compares on target and root strings, testing
    > whether one is a substr of the other and vice versa, and all that results
    > in a yes or no on the big question. It works, but it's Ugly, and probably
    > dumb.

    Think I've seen the light. New solution:

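    public function ChangeDir ($targetdir) {
        // $this->real_user_ftp_root = '/var/www/clients/mydomain/users/foo';
        if ($targetdir != '/') {
            $targetdir = $this->GetCurrentDir().'/'.$targetdir;
        }
        else {
            $targetdir = '';
        }
        // realpath() resolves '..' and symlinks; it returns false if the path does not exist
        $target_real_dir = realpath($this->real_user_ftp_root.'/'.$targetdir);
        // Require the root as a prefix that ends on a path separator; a plain substring
        // match would also accept a sibling directory such as '.../users/foobar'
        if ($target_real_dir === false ||
            strpos($target_real_dir.'/', $this->real_user_ftp_root.'/') !== 0) {
            trigger_error ("$targetdir is not in the allowed path", E_USER_NOTICE);
            return false;
        }
        // ftp_chdir() takes the connection first, then the directory
        if (!ftp_chdir($this->connection, $targetdir)) {
            trigger_error ("Unable to change to $targetdir", E_USER_NOTICE);
            return false;
        }
        $this->GetCurrentDir();
        return true;
    }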

    Not ideal, but way better than what I had before. Thanks, me!
    Comments welcome, of course.

    Sh.
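
A lexical version of test 3, as an added example that is not part of the original posts: it resolves `.` and `..` without touching the filesystem, then requires the root as a prefix that ends on a path separator. The function names and the sample paths are hypothetical, and the code assumes PHP 7.1 or later.

```php
<?php
// Added example: containment check for virtual paths (e.g. paths on a remote FTP server).
// normalize_path() and is_within_root() are hypothetical names; sample data is constructed.

/** Resolve $target against $cwd and collapse '.', '..' and empty segments. */
function normalize_path(string $cwd, string $target): string
{
    // An absolute target replaces the cwd; a relative one is appended to it.
    $path = (strlen($target) > 0 && $target[0] === '/') ? $target : $cwd . '/' . $target;
    $out = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;                  // skip '//' and '.'
        }
        if ($seg === '..') {
            array_pop($out);           // go up one level; at '/' this stays at '/'
            continue;
        }
        $out[] = $seg;
    }
    return '/' . implode('/', $out);
}

/** True if the normalized $path is $root itself or lies below it. */
function is_within_root(string $root, string $path): bool
{
    // Appending '/' to both sides anchors the match at a segment boundary,
    // so '/users/foobar' is not treated as being inside '/users/foo'.
    return strpos($path . '/', rtrim($root, '/') . '/') === 0;
}

$root  = '/users/foo';                       // constructed sample root
$cases = [                                   // [current dir, requested dir]
    ['/users/foo',      'docs'],             // plain subdirectory
    ['/users/foo/docs', '../..'],            // climbs above the root
    ['/users/foo',      '../foobar'],        // sibling sharing the root's prefix
    ['/users/foo',      '/users/foo/./a//b'],// absolute path with noise segments
    ['/users/foo',      'a/../../../etc'],   // dips in, then climbs out
];
foreach ($cases as [$cwd, $target]) {
    $resolved = normalize_path($cwd, $target);
    printf("%-16s + %-20s => %-18s %s\n", $cwd, $target, $resolved,
        is_within_root($root, $resolved) ? 'allow' : 'deny');
}
```

Because this never touches the filesystem it does not follow symlinks, which `realpath()` does; it suits paths that exist only on the remote server.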
