|
|
Posted by Schraalhans Keukenmeester on 04/28/07 07:54
On Fri, 27 Apr 2007 21:29:45 +0200, Schraalhans Keukenmeester wrote:
> When a user attempts to change dirs (they only can do so via the provided
> method of my ftp class, they never 'see' the actual connection resource) I
> have to check whether the desired new directory is:
>
> 1. a valid directory
> 2. can be reached from the current working directory (or has a full path)
> 3. is not above their root directory
>
> I am particularly unhappy about my implementation of test 3. I end
> up doing a lot of str_len() compares on target and root strings, testing
> whether one is a substr of the other and vice versa, and all that results
> in a yes or no on the big question. It works, but it's Ugly, and probably
> dumb.
Think I've seen the light. New solution:
public function ChangeDir ($targetdir) {
// $this->real_user_ftp_root = '/var/www/clients/mydomain/users/foo';
if ($targetdir != '/') {
$targetdir = $this->GetCurrentDir().'/'.$targetdir;
}
else {
$targetdir='';
}
$target_real_dir = realpath($this->real_user_ftp_root.'/'.$targetdir);
if (str_str($target_real_dir, $this->real_user_ftp_root)===false) {
trigger_error ("$targetdir is not in the allowed path",E_USER_NOTICE);
return false;
}
if (!ftp_chdir($targetdir,$this->connection)) {
trigger_error ("Unable to change to $targetdir,E_USER_NOTICE);
return false;
}
$this->GetCurrentDir();
return true;
}
Not ideal, but way better than what I had before. Thanks, me!
Comments welcome, of course.
Sh.
Navigation:
[Reply to this message]
|