Stop drive browsing

Shaped

Hi All,
Need a solution if you can, Ive built a file browsing function thats gonna be part of my CMS, Im running it local on a windows apache server, I pass values via the url.

Doing it this way u can browse to any drive on my pc. (not good)

It dont have to be super secure as only a admin will be looking at the script and theres code in place to protect the script unless your a admin.

Can anyone help me stopping the admin or even myself from passing w:\ or c:\ as the dir and viewing the contents of my drives.

I carnt just put a drive block in , i just want to stop people from going below www/
or public_html as it will be on.

		if (!$_GET['dir'])
		{
			$dir = '.';
		}
		else
		{
			$dir = $_GET['dir'];
		}

	$content .= createDir($dir);

	$filetoopen = opendir($dir);

	while ($file = readdir( $filetoopen )) 
	{
		if ( is_file( $dir.'/'.$file) )
		{
			$filelist[] = $dir.'/'.$file;
		}

		if ( is_dir( $dir.'/'.$file) )
		{	
			if ($file == '.' || $file == '..')
			{
				continue;
			}
			else
			{
				$dirlist[] = $dir.'/'.$file;
			}
		}

	}

thanku.

sneakyimp

One way would be to restrict your machine's permissions so that apache/php doesn't have access to most folders. This is probably a really good idea. Your apache/php install should not be able to write your system folder, for instance. i don't know much about how to do this on a windows machine.

Another thing you should do is prevent users from putting ".." into a directory. I don't know if you know this, but that allows users to browser the parent directory of some given directory.

And you should probably limit all directory reading to a subdirectory of some directory on your machine...something like this:

define('BROWSEABLE_DIR', '/home/user1/public_html/');
if (!$_GET['dir']) 
        { 
            $dir = BROWSEABLE_DIR; 
        } 
        else 
        { 
            $dir = BROWSEABLE_DIR . $_GET['dir']; 
        } 

    $path _parts = explode("/", $dir);
    if (in_array("..", $path_parts)) {
      die("invalid directory specified.");
    }

The basic idea is that all directories specified in the $_GET vars are relative to some baseline and that moving 'up' a directory is not permitted. i'm not certain this will solve your problem, but it should help.

Another useful php command is realpath()
http://us2.php.net/manual/en/function.realpath.php

instead of the actual check for ".." that I do, you could apply realpath to the directory argument. HOWEVER, realpath() returns false if the directory doesn't exist. I'm not sure if it works on directories...might just apply to files?

Shaped

Thanks sneaky,

that will work perfectly. on the live machine its linux so it will not be able to go below /home/ no matter what.