如何知道当前目录树中是否存在文件 [英] how do I know if a file exists in the current directory tree
问题描述
我想检查文件路径是否在当前目录树中.
I want to check if a file path is in current directory tree.
假设参数为 js/script.js
.我的工作目录 (WD) 是 /home/user1/public_html/site
Suppose the parameter is given as js/script.js
. My working directory (WD) is /home/user1/public_html/site
现在对于当前的 WD,如果有人提供 js/script.js
我可以简单地通过附加到 WD 来检查它.它适用于这种正常路径.但是如果有人(可能是攻击者)想要通过 ../../../../etc/password
,那将是一个问题.
Now for current WD if someone supplies js/script.js
I can simply check it by appending to the WD. It works for such normal path. But if anyone (may be an attacker) wants to pass ../../../../etc/password
it'd be a problem.
我知道可以通过使用某些 RegEx 删除 ..
字符来抑制它.这肯定会解决它.但我想知道如何创建某种 chroot
ed 环境,以便在 WD 下搜索任何路径/到/脚本?
I know it can be suppressed by removing the ..
characters using some RegEx. And that will solve it for sure. But I want to know how can I create some sort of chroot
ed environment sot that whatever path/to/script is passed it will be searched under WD?
我知道 http://php.net/chroot.它要求您的应用程序以 root 权限运行.
I am aware of http://php.net/chroot. it requires your app to run with root privileges.
推荐答案
http://php.net/manual/en/function.realpath.php
$chroot = '/var/www/site/userdata/';
$basefolder = '/var/www/site/userdata/mine/';
$param = '../../../../etc/password';
$fullpath = realpath($basefolder . $param);
if (strpos($fullpath, $chroot) !== 0) {
// GOTCHA
}
这篇关于如何知道当前目录树中是否存在文件的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!