Re: Custom directory listing and $_GET question

Posted by techusky on 08/06/07 19:01

On Aug 6, 11:38 am, techu...@gmail.com wrote:
> On Aug 6, 11:14 am, Matt Madrid <admiral...@gmail.com> wrote:
>
>
>
> > techu...@gmail.com wrote:
>
> > [snip]
>
> > > <?php
>
> > > // Tell the script which directory to list
> > > $nav = $_GET['nav'];
> > > $dir = getcwd() . "\\" . $nav;
>
> > I gather from the "\\" that you are on a windows platform. No need
> > to use "\\", a "/" will do and make your code more portable.
>
> > [snip]
>
> > > if (!is_dir($file))
>
> > Here's your problem. You need to prepend the dirname to the filename
> > since you are not "in" the directory in question.
>
> > if (!is_dir("$dir/$file"))
>
> > The same goes for your other calls to is_dir() and is_file()
>
> > Matt M.
>
> Aha! Thank you sooo much. I knew it would be something very simple
> that I was just overlooking after staring at it too long.
>
> Also, just fyi, in order to navigate more than one directory deep, I
> had to change
>
> // If the file is a directory
> // add ?nav=$file to the url
> if (is_dir($file))
> {
> echo "<a href=\"listing.php?nav=$file\" target=\"_self\">$file</a><br>";
> }
>
> to
>
> // If the file is a directory
> // add ?nav=$file to the url
> if (is_dir("$dir/$file"))
> {
> echo "<a href=\"listing.php?nav=$nav/$file\" target=\"_self\">$file</a><br>";
> }

Now, I realize this is NOT a secure directory listing, because someone
could simply append "/.." to the url and keep moving up directories
even if they are out of the realm of the web server. Is there an
*easy* way to "lock" this script from going up a directory from where
the script is stored? In other words, I want users to be able to
navigate DOWN in whatever directories may exist, but not UP *past* the
directory in which the script is located.

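The traversal problem raised in the post above (appending "/.." to the nav parameter to walk out of the script's directory) is usually fixed by canonicalising the requested path with realpath() and refusing anything that does not resolve to the script's own directory or a descendant of it. The following is an added example written for this page, not code from anyone in the thread; it keeps the listing.php?nav=... scheme from the original post, but the resolveWithin() function and variable names are my own, and it assumes the script is served from the directory it should be confined to.

```php
<?php
// Added example (not from the thread): a directory listing that refuses to
// leave the directory it lives in. Assumes listing.php?nav=<relative path>
// as in the original post; resolveWithin() is a hypothetical helper name.

// Resolve $nav relative to $base and confirm it stays inside $base.
// Returns the canonical absolute path, or null if the request escapes
// (via "..", an absolute path, a symlink pointing outside, or a NUL byte).
function resolveWithin(string $base, string $nav): ?string
{
    $base = realpath($base);
    if ($base === false) {
        return null;
    }
    // NUL bytes truncate paths in the underlying C calls; reject them.
    if (strpos($nav, "\0") !== false) {
        return null;
    }
    // realpath() collapses "." and "..", follows symlinks, and returns
    // false for paths that do not exist, so "../../etc" never gets through.
    $target = realpath($base . DIRECTORY_SEPARATOR . $nav);
    if ($target === false) {
        return null;
    }
    // The canonical target must be $base itself or begin with "$base/".
    if ($target !== $base
        && strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $target;
}

$base = __DIR__;                                   // where listing.php lives
$nav  = isset($_GET['nav']) ? (string) $_GET['nav'] : '';
$dir  = resolveWithin($base, $nav);

if ($dir === null || !is_dir($dir)) {
    http_response_code(404);
    exit('No such directory.');
}

// Build the path shown in links from the canonical result rather than the
// raw query string, so "a/../b" is emitted as "b".
$rel = ltrim(substr($dir, strlen(realpath($base))), DIRECTORY_SEPARATOR);
$rel = str_replace(DIRECTORY_SEPARATOR, '/', $rel);

foreach (scandir($dir) as $file) {
    if ($file === '.' || $file === '..') {
        continue;
    }
    $full = $dir . DIRECTORY_SEPARATOR . $file;   // prepend the dirname, as Matt noted
    if (is_dir($full)) {
        $next = ($rel === '' ? '' : $rel . '/') . $file;
        // rawurlencode() for the query string, htmlspecialchars() for the body
        echo '<a href="listing.php?nav=' . rawurlencode($next) . '" target="_self">'
           . htmlspecialchars($file, ENT_QUOTES, 'UTF-8') . '</a><br>';
    } else {
        echo htmlspecialchars($file, ENT_QUOTES, 'UTF-8') . '<br>';
    }
}
```

The string-prefix check is only safe because both sides come from realpath(): comparing the raw query string against the base path would still let "..", double slashes or symlinks slip past. One consequence of using realpath() is that a request for a directory that does not exist resolves to false and is rejected before any filesystem listing happens, which is the desired behaviour here. Using "/" instead of "\\" as Matt suggested is covered by DIRECTORY_SEPARATOR, so the same script works on Windows and Unix.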
