On Tue, 16 Sep 2003 14:03:34 +0200 in
<message-id:bk**********@home.itg.ti.com>
"Rod" <to**@toto.com> wrote:
> Hi,
> thank you for your answer.
> Actually, I found the problem.
> The real filenames contain spaces so you need to use the URLENCODE
> function before calling the download.php script.
> Otherwise, the $GET function returns an empty string when trying to
> get the parameters. (only with N4.7)
Ahh interesting Rod, but it makes sense. I personally try and avoid
files with spaces like the plague, and use a _ (underscore) instead
(file_name.txt etc).. although this might not be an option for you
(depending on the nature of your site).
> Regarding the security, you're right!
> Actually, what I did is an application that browses a specific
> directory with all its sub-directories.
> When the user clicks on a file within a directory, it is downloaded.
> I think I should check that there are no ".." characters in the
> filename to be sure the file is in a sub-directory of the main
> directory. Do you think it is enough?
> any idea?
> thanks again
Are you the admin of the server Rod? If so, it might be worth thinking
about the safemode and open_basedir options in php.ini which will help
you define what dirs a script can access. You need to define an
"absolute base" somewhere safe.. even if it's a directory like:
'/foo/repository'. Let them browse 'til their heart's content, but don't
let them out of it. Again, this might not be a possibility, I really
don't know the nature of your script or what kind of filesystem access
you're giving people or what they need.
Checking for '.' and '..' is important.. something like:
/* both conditions must hold, hence && (with || the test lets '.' and
   dotfiles through, since a name can't fail both checks at once) */
if (substr($file, 0, 1) != '.' && substr($file, 0, 2) != '..') {
/* display non . | .. directories and non dotfiles (.htaccess) */
}
Assumptions made here with $file for demo purposes, but this is how I
at least start with scripts that read directory contents.
I'm writing a filemanager for a Web control panel app I'm coding, this
will be defined as the users Webroot dir as the base
(/home/someone/html). They'll be able to browse any files / dirs within
there (including dotfiles as they'll own them) but they won't be able to
access '/home/someone' for example. This prevents them "leaking" around
the rest of the file system too.
</2p_worth>
Regards,
Ian
--
Ian.H [Design & Development]
digiServ Network - Web solutions
www.digiserv.net | irc.digiserv.net | forum.digiserv.net
Programming, Web design, development & hosting.
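A hardened version of the check discussed above, as an added example that is not Rod's or Ian's code: it resolves the requested name against a fixed base directory (Ian's '/foo/repository') with realpath() and refuses anything that lands outside it. The function name safe_download_path() and its parameters are my own choices.

```php
<?php
// Added example, not from the original thread. Resolve a user-supplied
// relative filename against a fixed base directory and refuse anything
// that would escape it. Names here are hypothetical.

function safe_download_path(string $base, string $rel): ?string
{
    // Canonicalise the base once; realpath() also resolves symlinks.
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null; // base directory does not exist
    }

    // The request must be a non-empty relative path without NUL bytes.
    if ($rel === '' || strpos($rel, "\0") !== false || $rel[0] === '/') {
        return null;
    }

    // Ian's '.' / '..' / dotfile check, applied to every path component
    // rather than only to the start of the string.
    foreach (explode('/', $rel) as $part) {
        if ($part === '' || $part[0] === '.') {
            return null;
        }
    }

    // Canonicalise the full path and confirm it still sits under the base.
    // This is the check that matters: it also covers symlinks that the
    // plain string test above cannot see.
    $full = realpath($baseReal . '/' . $rel);
    if ($full === false || !is_file($full)) {
        return null;
    }
    $prefix = rtrim($baseReal, '/') . '/';
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $full;
}

// download.php: PHP has already URL-decoded $_GET['file'], so a name
// with spaces arrives intact as long as the link was URL-encoded (Rod's point).
$path = safe_download_path('/foo/repository', $_GET['file'] ?? '');
if ($path === null) {
    http_response_code(404);
    exit;
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
readfile($path);
```

open_basedir in php.ini, as Ian mentions, is a second, independent fence: even if this function had a hole, PHP would refuse to open a file outside the configured directories.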