如何知道当前目录树中是否存在文件 [英] how do I know if a file exists in the current directory tree

问题描述

我想检查文件路径是否在当前目录树中.

I want to check if a file path is in current directory tree.

假设参数为 js/script.js.我的工作目录 (WD) 是 /home/user1/public_html/site

Suppose the parameter is given as js/script.js. My working directory (WD) is /home/user1/public_html/site

现在对于当前的 WD，如果有人提供 js/script.js 我可以简单地通过附加到 WD 来检查它.它适用于这种正常路径.但是如果有人(可能是攻击者)想要通过 ../../../../etc/password ，那将是一个问题.

Now for current WD if someone supplies js/script.js I can simply check it by appending to the WD. It works for such normal path. But if anyone (may be an attacker) wants to pass ../../../../etc/password it'd be a problem.

我知道可以通过使用某些 RegEx 删除 .. 字符来抑制它.这肯定会解决它.但我想知道如何创建某种 chrooted 环境，以便在 WD 下搜索任何路径/到/脚本?

I know it can be suppressed by removing the .. characters using some RegEx. And that will solve it for sure. But I want to know how can I create some sort of chrooted environment sot that whatever path/to/script is passed it will be searched under WD?

我知道 http://php.net/chroot.它要求您的应用程序以 root 权限运行.

I am aware of http://php.net/chroot. it requires your app to run with root privileges.

推荐答案

http://php.net/manual/en/function.realpath.php

$chroot = '/var/www/site/userdata/';
$basefolder = '/var/www/site/userdata/mine/';

$param = '../../../../etc/password';
$fullpath = realpath($basefolder . $param);

if (strpos($fullpath, $chroot) !== 0) {
  // GOTCHA
}

这篇关于如何知道当前目录树中是否存在文件的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！