 Posted by Evan Charlton on 08/06/07 19:53 
techusky@gmail.com wrote: 
>  
> Now, I realize this is NOT a secure directory listing, because someone 
> could simply append "/.." to the url and keep moving up directories 
> even if they are out of the realm of the web server. Is there an 
> *easy* way to "lock" this script from going up a directory from where 
> the script is stored? In other words, I want users to be able to 
> navigate DOWN in whatever directories may exist, but not UP *past* the 
> directory in which the script is located. 
>  
 
A simple way to check would be to replace any "." (and associated HTML  
codes so it can't be 'fooled') in the URL before parsing so that they  
have no effect. I believe this would be secure; anyone see any holes in  
the logic? 
 
  - Evan Charlton
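
An added example, not part of the original post: one way to do the containment check asked about above is to resolve the requested path and compare it with the directory the script serves. Python is used for illustration; `resolve_listing_dir`, its parameters and the directory tree built in `demo()` are constructed for this example, and POSIX paths are assumed.

```python
import os
import tempfile
from urllib.parse import unquote


def resolve_listing_dir(base_dir, requested):
    """Return the real path of `requested` under base_dir, or None if it escapes.

    `requested` is the raw, still percent-encoded value from the URL.
    """
    base = os.path.realpath(base_dir)
    # Decode percent-escapes before checking, so "%2e%2e" is seen as "..".
    rel = unquote(requested)
    if "\x00" in rel:
        return None
    # Strip leading slashes so an absolute path such as "/etc" cannot
    # replace base in os.path.join.
    candidate = os.path.realpath(os.path.join(base, rel.lstrip("/")))
    # realpath collapses ".." and follows symlinks; the result must still
    # be base itself or something below it.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate if os.path.isdir(candidate) else None


def demo():
    """Run the check against a constructed directory tree."""
    with tempfile.TemporaryDirectory() as top:
        base = os.path.join(top, "listing")
        os.makedirs(os.path.join(base, "photos", "2007"))
        os.makedirs(os.path.join(top, "private"))
        # A symlink inside the tree that points outside it.
        os.symlink(os.path.join(top, "private"), os.path.join(base, "link"))
        requests = ["photos/2007", "photos/..", "..", "photos/../../private",
                    "%2e%2e/private", "/etc", "link"]
        return {r: resolve_listing_dir(base, r) is not None for r in requests}


if __name__ == "__main__":
    for request, allowed in demo().items():
        print(f"{request!r}: {'allowed' if allowed else 'rejected'}")
```

Going up with ".." stays possible as long as the resolved path is still inside the base directory, which matches the "DOWN but not UP past the script directory" requirement in the question.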
 