Ok.. how to check a string has allowed begining... help
Old 09-21-2007, 07:54 PM Ok.. how to check a string has allowed begining... help
dansgalaxy
Eat, Sleep, Code

Posts: 5,888
Name: Dan
Location: Swindon
OK, for a file editor thing I've got, I have it get the location of the file I'm editing/viewing via GET (file), so it's unsafe as it could potentially view and edit any file on the system.

I have a defined thing which has the allowed path, so for example on my testing server that's M:/server/xampp/htdocs/calm/. I have this defined and it is PHP_FILE_TREE_PATH.

I made a really bad and sleepy attempt with this :P

PHP Code:
$file_path = "/".PHP_FILE_TREE_PATH."^/";
if(preg_match($file_path, $file_edit, $matches))
{
    if($matches == 1)
    {
        readfile($file_edit);
    }
}
else{ echo 'Hack attempt detected'; }
#edit file_edit isset
So basically my idea is that I want to check that the first part of the path matches the allowed one, which means they are only accessing a file above the allowed dir. Got me?

So how do I do this?
__________________
Personal UK Webhosting
Get 25% of ANY shared package for life ~ Promo: webmaster-talk (only for members!)
Old 09-22-2007, 01:06 AM Re: Ok.. how to check a string has allowed begining... help
frost
Extreme Talker

Posts: 223
Location: United States
Regular expressions aren't the fastest things in the world, so it's best to avoid them if possible. I think this might be such a case here where you don't need them, but it depends how you set things up.

PHP Code:
if (strpos($file_edit, PHP_FILE_TREE_PATH) === 0) { // if PHP_FILE_TREE_PATH is at the beginning of $file_edit...
    readfile($file_edit);
} else {
    echo 'Hack attempt detected';
}

Some notes: if you are using PHP 5, you can replace strpos with stripos (case insensitive). If not, you will want to do a strtolower() before you execute strpos().

On a side note, I actually don't like this way of validating which files can be edited. It just doesn't seem very secure. What if someone enters "/a/valid/directory/../../private_directory/file.php"? I don't know what would happen there. I'd personally prefer to use a database table to list specific files. It would likely be more secure because the users could only choose files listed in the table, and you could add more functionality, such as group file permissions.
__________________
The interlocking pieces of web development: usability, performance, accessibility, and standards.

 
Old 09-22-2007, 08:55 AM Re: Ok.. how to check a string has allowed begining... help
dansgalaxy
Eat, Sleep, Code

Posts: 5,888
Name: Dan
Location: Swindon
Thanks, I guess it's better than none, and I will probably end up developing this further in the future.

I will test its security as well so I know its weaknesses.
 
Old 09-22-2007, 08:59 AM Re: Ok.. how to check a string has allowed begining... help
dansgalaxy
Eat, Sleep, Code

Posts: 5,888
Name: Dan
Location: Swindon
Just tested it and yes, it has the exact weakness you said: if I directly try to access anything before the allowed folder it shows 'hack attempt', but if I do allowed/../notallowed it shows the file.

However, I am not amazingly worried, as this would be intended for a CMS where it would be in a protected area, and only if they also have access to change chmod settings could they edit, so all they could really do was look.. unless the file is chmodded so it's writeable.

But thanks, this is an OK temp thing.

OK, I just had a thought I would like to throw at you.

As you can probably tell, I would like to get a CMS project together; would you be interested in developing the file manager?
It should be a fairly basic thing, just something where users can edit their files (NOT CONTENT), basically so they could modify a template or a script or what have you. Basically something to view some of the files they might like to hack a bit.

Dan
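Added example, not code from the thread: frost's strpos() prefix check next to a realpath()-based check that closes the allowed/../notallowed hole Dan confirmed above. The base directory and file names are constructed, and PHP_FILE_TREE_PATH is assumed to be the allowed directory as in Dan's posts.

```php
<?php
// Added example (not code from the thread). Constructed base path; the
// constant name PHP_FILE_TREE_PATH is the one used in the thread.
define('PHP_FILE_TREE_PATH', '/a/valid/directory/');

// The prefix check as posted: it only looks at the literal string, so a
// path that starts with the allowed directory but climbs out with ".."
// still passes.
function weakPrefixCheck($file_edit)
{
    return strpos($file_edit, PHP_FILE_TREE_PATH) === 0;
}

// Hardened check: canonicalise both sides with realpath(), which resolves
// "..", "." and symlinks, then compare the prefix. realpath() returns
// false for a file that does not exist, and a missing file is denied too.
function safePathCheck($file_edit)
{
    $base = realpath(PHP_FILE_TREE_PATH);
    $real = realpath($file_edit);
    if ($base === false || $real === false) {
        return false;
    }
    // Trailing separator so "/a/valid/directory2/x" is not treated as
    // being inside "/a/valid/directory".
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $base, strlen($base)) === 0;
}

// Constructed requests: a legitimate file, frost's traversal example, and
// a path that never had the allowed prefix at all.
$requests = array(
    PHP_FILE_TREE_PATH . 'file.php',
    PHP_FILE_TREE_PATH . '../../private_directory/file.php',
    '/private_directory/file.php',
);
foreach ($requests as $file_edit) {
    printf("%-55s strpos: %-5s realpath: %s\n", $file_edit,
        weakPrefixCheck($file_edit) ? 'allow' : 'deny',
        safePathCheck($file_edit) ? 'allow' : 'deny');
}
```

Point PHP_FILE_TREE_PATH at a directory that really exists before running it, since realpath() denies everything that is not on disk. On a Windows test server like Dan's, use strncasecmp() for the final comparison, in line with frost's note about case-insensitive matching.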
 
Old 09-22-2007, 09:59 AM Re: Ok.. how to check a string has allowed begining... help
zaidi
Novice Talker

Posts: 9
You really did this?
 
Old 09-22-2007, 10:32 AM Re: Ok.. how to check a string has allowed begining... help
dansgalaxy
Eat, Sleep, Code

Posts: 5,888
Name: Dan
Location: Swindon
What are you referring to me doing, and I'll tell you if I did it :?
 
Old 09-24-2007, 09:08 PM Re: Ok.. how to check a string has allowed begining... help
mgraphic
Truth Seeker

Posts: 2,285
Name: Keith Marshall
Location: West Hartford, CT
Dan, I noticed one thing that might cause some trouble:

$file_path = "/".PHP_FILE_TREE_PATH."^/";

The caret (^) marks the beginning of a string. To mark the end of a string, use ($):

$file_path = "/".PHP_FILE_TREE_PATH."$/";
__________________

<mgraphic /> - I don't have a solution but I admire the problem.
 
Old 09-25-2007, 07:57 AM Re: Ok.. how to check a string has allowed begining... help
dansgalaxy
Eat, Sleep, Code

Posts: 5,888
Name: Dan
Location: Swindon
Yeah, I forgot.

I'm using frost's snippet at the moment even though it isn't fully secure.