
Directory above designated root dir

A few of my customers have access to a simplified web-based ftp client to
their relative root directories, all sub[sub]dirs of my main domain root.

Most of the code in my ftp class seems pretty
efficient, easy to maintain, and elegant at times. Somehow I keep fighting
with one issue:

When a user attempts to change dirs (they only can do so via the provided
method of my ftp class, they never 'see' the actual connection resource) I
have to check whether the desired new directory is *):

1. a valid directory
2. can be reached from the current working directory (or has a full path)
3. is not above their root directory

*) As long as user doesn't fiddle with POST vars I'll never come across
that bridge, but hey, you shouldn't trust user data, ever.

I am particularly unhappy about my implementation of test 3. I end
up doing a lot of str_len() compares on target and root strings, testing
whether one is a substr of the other and vice versa, and all that results
in a yes or no on the big question. It works, but it's Ugly, and probably
dumb.

Somehow I am *sure* this is a silly way of going about it. Yet each new
attempt I keep ending up with something similar. Call it tunnel vision or
one-man-group-think. Had it before, and seen it with others. Something
human, I suppose.

Does anyone have a simple, elegant solution for this common test, whether
or not a dir is above or under another dir?

Thanks in advance for your help,
Best,

Sh.

Apr 27 '07 #1


On Fri, 27 Apr 2007 21:29:45 +0200, Schraalhans Keukenmeester wrote:

When a user attempts to change dirs (they only can do so via the provided
method of my ftp class, they never 'see' the actual connection resource) I
have to check whether the desired new directory is:

1. a valid directory
2. can be reached from the current working directory (or has a full path)
3. is not above their root directory

I am particularly unhappy about my implementation of test 3. I end
up doing a lot of str_len() compares on target and root strings, testing
whether one is a substr of the other and vice versa, and all that results
in a yes or no on the big question. It works, but it's Ugly, and probably
dumb.

Think I've seen the light. New solution:

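public function ChangeDir ($targetdir) {
    // $this->real_user_ftp_root = '/var/www/clients/mydomain/users/foo';
    if ($targetdir != '/') {
        $targetdir = $this->GetCurrentDir().'/'.$targetdir;
    }
    else {
        $targetdir = '';
    }
    // realpath() resolves '..' and symlinks; it returns false if the path does not exist
    $target_real_dir = realpath($this->real_user_ftp_root.'/'.$targetdir);
    $root = rtrim($this->real_user_ftp_root, '/');
    // Accept the root itself or a path below it. Compare as a prefix ending in '/',
    // so that '/users/foobar' does not pass for a root of '/users/foo'.
    if ($target_real_dir === false
        || ($target_real_dir !== $root && strpos($target_real_dir, $root.'/') !== 0)) {
        trigger_error ("$targetdir is not in the allowed path", E_USER_NOTICE);
        return false;
    }
    // ftp_chdir() takes the connection first, then the directory
    if (!ftp_chdir($this->connection, $targetdir)) {
        trigger_error ("Unable to change to $targetdir", E_USER_NOTICE);
        return false;
    }
    $this->GetCurrentDir();
    return true;
}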

Not ideal, but way better than what I had before. Thanks, me!
Comments welcome, of course.

Sh.
Apr 28 '07 #2
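
A lexical variant of test 3, as an added example that is not part of the original thread: it normalizes '.' and '..' segments without touching the filesystem, which matters when the FTP server's directories are not on the local disk where realpath() can see them. The function name resolve_within_root() and the sample paths are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. resolve_within_root() and the
// sample paths below are hypothetical.

/**
 * Resolve $target against $cwd (both expressed relative to the user's root,
 * where '/' is that root) and return the normalized absolute path under
 * $root, or false if the target would climb above the root.
 */
function resolve_within_root(string $root, string $cwd, string $target)
{
    if (strpos($target, "\0") !== false) {
        return false;                   // NUL bytes never belong in a path
    }
    // Absolute targets start at the user's root, relative ones at $cwd
    $path = ($target !== '' && $target[0] === '/') ? $target : $cwd.'/'.$target;

    $stack = [];
    foreach (explode('/', $path) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;                   // skip empty and no-op segments
        }
        if ($segment === '..') {
            if (empty($stack)) {
                return false;           // would climb above the user's root
            }
            array_pop($stack);
            continue;
        }
        $stack[] = $segment;
    }
    return rtrim($root, '/').($stack ? '/'.implode('/', $stack) : '');
}

$root = '/var/www/clients/mydomain/users/foo';   // constructed sample root
$cases = [                                       // constructed [cwd, target] pairs
    ['/',     'docs'],
    ['/docs', '../images'],
    ['/docs', '../../bar'],
    ['/',     '/a/./b/../c'],
    ['/docs', '../..'],
];
foreach ($cases as [$cwd, $target]) {
    $result = resolve_within_root($root, $cwd, $target);
    printf("%-6s + %-12s => %s\n", $cwd, $target, $result === false ? 'REJECTED' : $result);
}
```

Because the check is purely lexical it cannot see symlinks on the server; where the tree is on the local disk, the realpath() comparison covers that case.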
