Enhancing PHP realpath($path);
up vote
2
down vote
favorite
PHP realpath($path); is insufficient for some cases since it returns false on paths that dont exist on a file system.
I need a function that extends realpath($path); to return even path that does not exist yet. Such function would be used for keeping a user within his filesystem directory and/or restricting modifications to some directories and files.
function DesiredRealPath($path_string) {
$desired_path = explode("/", str_replace("\", "/", $path_string)); // convert back slashes to front slashes and create array of desired directories
$real_path = explode("/", str_replace("\", "/", realpath("."))); // convert back slashes to front slashes and create array of actual directories
if(mb_substr($path_string, 0, 1) == "/" || mb_substr($path_string, 0, 1) == "\") { // if path string begins with a slash, slice all actual directories except for root
$real_path = array_slice($real_path, 0, 1); // "/" points to root directory
}
foreach ($desired_path as $desired_element) {
switch ($desired_element) {
case "":
break;
case ".":
break;
case "..": // remove last element of actual directories if array has at least 2 directories left
if(count($real_path) >= 2) {
array_pop($real_path);
}
break;
default: // push desired directory into actual directories
array_push($real_path, $desired_element);
break;
}
}
return implode("/", $real_path); // put array of actual directories into a string
}
So far I have tested on both Windows and Linux, this function has determined precise directory even non-existant ones.
My question is, whether this function has any flaws or security vulnerabilities?
php security
New contributor
add a comment |
up vote
2
down vote
favorite
PHP realpath($path); is insufficient for some cases since it returns false on paths that dont exist on a file system.
I need a function that extends realpath($path); to return even path that does not exist yet. Such function would be used for keeping a user within his filesystem directory and/or restricting modifications to some directories and files.
function DesiredRealPath($path_string) {
$desired_path = explode("/", str_replace("\", "/", $path_string)); // convert back slashes to front slashes and create array of desired directories
$real_path = explode("/", str_replace("\", "/", realpath("."))); // convert back slashes to front slashes and create array of actual directories
if(mb_substr($path_string, 0, 1) == "/" || mb_substr($path_string, 0, 1) == "\") { // if path string begins with a slash, slice all actual directories except for root
$real_path = array_slice($real_path, 0, 1); // "/" points to root directory
}
foreach ($desired_path as $desired_element) {
switch ($desired_element) {
case "":
break;
case ".":
break;
case "..": // remove last element of actual directories if array has at least 2 directories left
if(count($real_path) >= 2) {
array_pop($real_path);
}
break;
default: // push desired directory into actual directories
array_push($real_path, $desired_element);
break;
}
}
return implode("/", $real_path); // put array of actual directories into a string
}
So far I have tested on both Windows and Linux, this function has determined precise directory even non-existant ones.
My question is, whether this function has any flaws or security vulnerabilities?
php security
New contributor
add a comment |
up vote
2
down vote
favorite
up vote
2
down vote
favorite
PHP realpath($path); is insufficient for some cases since it returns false on paths that dont exist on a file system.
I need a function that extends realpath($path); to return even path that does not exist yet. Such function would be used for keeping a user within his filesystem directory and/or restricting modifications to some directories and files.
function DesiredRealPath($path_string) {
$desired_path = explode("/", str_replace("\", "/", $path_string)); // convert back slashes to front slashes and create array of desired directories
$real_path = explode("/", str_replace("\", "/", realpath("."))); // convert back slashes to front slashes and create array of actual directories
if(mb_substr($path_string, 0, 1) == "/" || mb_substr($path_string, 0, 1) == "\") { // if path string begins with a slash, slice all actual directories except for root
$real_path = array_slice($real_path, 0, 1); // "/" points to root directory
}
foreach ($desired_path as $desired_element) {
switch ($desired_element) {
case "":
break;
case ".":
break;
case "..": // remove last element of actual directories if array has at least 2 directories left
if(count($real_path) >= 2) {
array_pop($real_path);
}
break;
default: // push desired directory into actual directories
array_push($real_path, $desired_element);
break;
}
}
return implode("/", $real_path); // put array of actual directories into a string
}
So far I have tested on both Windows and Linux, this function has determined precise directory even non-existant ones.
My question is, whether this function has any flaws or security vulnerabilities?
php security
New contributor
PHP realpath($path); is insufficient for some cases since it returns false on paths that dont exist on a file system.
I need a function that extends realpath($path); to return even path that does not exist yet. Such function would be used for keeping a user within his filesystem directory and/or restricting modifications to some directories and files.
function DesiredRealPath($path_string) {
$desired_path = explode("/", str_replace("\", "/", $path_string)); // convert back slashes to front slashes and create array of desired directories
$real_path = explode("/", str_replace("\", "/", realpath("."))); // convert back slashes to front slashes and create array of actual directories
if(mb_substr($path_string, 0, 1) == "/" || mb_substr($path_string, 0, 1) == "\") { // if path string begins with a slash, slice all actual directories except for root
$real_path = array_slice($real_path, 0, 1); // "/" points to root directory
}
foreach ($desired_path as $desired_element) {
switch ($desired_element) {
case "":
break;
case ".":
break;
case "..": // remove last element of actual directories if array has at least 2 directories left
if(count($real_path) >= 2) {
array_pop($real_path);
}
break;
default: // push desired directory into actual directories
array_push($real_path, $desired_element);
break;
}
}
return implode("/", $real_path); // put array of actual directories into a string
}
So far I have tested on both Windows and Linux, this function has determined precise directory even non-existant ones.
My question is, whether this function has any flaws or security vulnerabilities?
php security
php security
New contributor
New contributor
New contributor
asked yesterday
Gordon Casper
1111
1111
New contributor
New contributor
add a comment |
add a comment |
active
oldest
votes
active
oldest
votes
active
oldest
votes
active
oldest
votes
active
oldest
votes
Gordon Casper is a new contributor. Be nice, and check out our Code of Conduct.
Gordon Casper is a new contributor. Be nice, and check out our Code of Conduct.
Gordon Casper is a new contributor. Be nice, and check out our Code of Conduct.
Gordon Casper is a new contributor. Be nice, and check out our Code of Conduct.
Thanks for contributing an answer to Code Review Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
Use MathJax to format equations. MathJax reference.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcodereview.stackexchange.com%2fquestions%2f209071%2fenhancing-php-realpathpath%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown