Reply to Re: OT. Windows server paths and PHP includes

Posted by Adrienne Boswell on 06/18/07 04:41

Gazing into my crystal ball I observed dorayme
<doraymeRidThis@optusnet.com.au> writing in
news:doraymeRidThis-0800D5.08394318062007@news-vip.optusnet.com.au:

> In article <Xns99525C554B928arbpenyahoocom@69.28.186.121>,
> Adrienne Boswell <arbpen@yahoo.com> wrote:
>
>> Gazing into my crystal ball I observed dorayme
>> <doraymeRidThis@optusnet.com.au> writing in news:doraymeRidThis-
>> 33C704.19215517062007@news-vip.optusnet.com.au:
>>
>> > For many web sites hosted on Unix servers I use (happily) a
>> > construction like this for includes:
>> >
>> > <?php include ($_SERVER['DOCUMENT_ROOT'].'/includes/footer.inc'); ?>
>> >
>> > But this does not work on Windows servers. Does anyone know a
>> > likely other candidate expression that will tell the server to go
>> > to the level at which I have the site index file and look inside
>> > a folder called 'includes'? No matter where it appears deep
>> > inside the website directories?
>> >
>> > It sort of spoils the point to be tailoring each path to where
>> > the html file happens to be with "../"s (which, of course,
>> > "works").
>> >
>> > I know, I have wondered about this before and never really got
>> > anywhere. Seem unable to have used any previous remarks to
>> > advantage or have now forgotten them.
>> >
>>
>> It's a security issue, designed to keep attackers from getting to
>> sensitive files on the file system. In IIS6, parent paths are
>> disabled by default. The only way to get past it is to get the
>> server admin to change it.
>
> In fact, although it is a bit of a bore, I have started putting
> in the actual paths to the includes into each file on sites I
> have on Windows Servers, it is still worth it. At least then, if
> I change the includes file, it all happens.

Problem comes in when you have:

httpdocs
httpdocs/somefolder

and you want to go from somefolder to httpdocs. Windows has a fit.

>
> But I am curious. Is there a worrying security issue with the
> "global" method of doing what I do on Unix servers? i.e.:
>
> <?php include ($_SERVER['DOCUMENT_ROOT'].'/includes/footer.inc'); ?>
>
> ?
>

Probably not, since that global method points to the folder where the site
is configured.

> The includes folder is just at the level of the main home page
> file (index.html ... this is usually the public_html level,
> yes?), no higher or more unreachable.
>

That's the way it's _supposed_ to work. Probably something like SQL
injection, if you can get the server to send a little information about
itself, you could get to other areas.

> And supposing I did ask the Windows server people to enable me to
> globally specify a folder at the public_html level, I am curious:
> what expression would I then use to specify the path, the same as
> with the Unix server expression above or something rather
> different?
>

Parent paths are enabled on a site by site basis. I would imagine your code
would be exactly the same thing.


--
Adrienne Boswell at Home
Arbpen Web Site Design Services
http://www.cavalcade-of-coding.info
Please respond to the group so others can share
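
One way to locate the includes folder from a single file at the site root instead of `$_SERVER['DOCUMENT_ROOT']` or per-page "../" chains, with a check that the resolved file stays inside that folder. This is an added example, not part of the original post; `SITE_ROOT`, `INCLUDES_DIR`, `resolve_include` and the demo directory layout are assumptions.

```php
<?php
// Added example. Assumption: this file sits at the site root, next to the
// index file, and shared fragments live in ./includes beneath it.
define('SITE_ROOT', __DIR__);
define('INCLUDES_DIR', SITE_ROOT . DIRECTORY_SEPARATOR . 'includes');

/**
 * Return the absolute path of a file inside $baseDir, or throw.
 * realpath() collapses "..", mixed slashes and symlinks, so the prefix
 * comparison below is made on canonical paths on both Unix and Windows.
 */
function resolve_include(string $name, string $baseDir = INCLUDES_DIR): string
{
    $base = realpath($baseDir);
    if ($base === false) {
        throw new RuntimeException("includes directory not found: $baseDir");
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($path === false || !is_file($path)) {
        throw new RuntimeException("no such include: $name");
    }
    // Containment: the canonical path must start with "<base><separator>".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException("include escapes includes directory: $name");
    }
    return $path;
}

// Constructed demo: a throwaway site tree in the temp directory.
$site = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'demo_site_' . getmypid();
mkdir($site . '/includes', 0700, true);
file_put_contents($site . '/includes/footer.inc', "<p>footer</p>\n");
file_put_contents($site . '/secret.txt', "not for inclusion\n");

foreach (['footer.inc', '../secret.txt', 'missing.inc'] as $name) {
    try {
        echo $name, ' => ', resolve_include($name, $site . '/includes'), "\n";
    } catch (RuntimeException $e) {
        echo $name, ' => rejected (', $e->getMessage(), ")\n";
    }
}
```

In a page, the returned path would be passed to `include`, for example `include resolve_include('footer.inc');`.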
