php realpath() returns 空字符串
php realpath() returns a blank string
受此指导 post Preventing Directory Traversal in PHP but allowing paths 我试图阻止目录遍历,但我遇到了一些奇怪的事情,首先是 realpath returns 一个好的路径
$fPath = $path.$parent.'/'.$name;
//$name (the user input) in this sample is "fff", $parent is an empty string
//make sure user didn't try to traverse backwards on the basepath
$basepath = $path;
$realBase = realpath($basepath);
echo $realBase."<br/>";
//gives: /Users/me/Documents/www/gallery/php_sample/uploadedImages
$userpath = $fPath;
echo $userpath."<br/>";
//gives: /Users/me/Documents/www/gallery/php_sample/uploadedImages/fff
$realUserPath = realpath($userpath);
echo $realUserPath."<br/>";
//gives blank (an empty string).
有什么想法吗?
正如 AbraCadaver 在评论中所说,"This only works if the dir exists. To validate/sanitize the user supplied dir you will need some rules and clean it or reject it."
受此指导 post Preventing Directory Traversal in PHP but allowing paths 我试图阻止目录遍历,但我遇到了一些奇怪的事情,首先是 realpath returns 一个好的路径
$fPath = $path.$parent.'/'.$name;
//$name (the user input) in this sample is "fff", $parent is an empty string
//make sure user didn't try to traverse backwards on the basepath
$basepath = $path;
$realBase = realpath($basepath);
echo $realBase."<br/>";
//gives: /Users/me/Documents/www/gallery/php_sample/uploadedImages
$userpath = $fPath;
echo $userpath."<br/>";
//gives: /Users/me/Documents/www/gallery/php_sample/uploadedImages/fff
$realUserPath = realpath($userpath);
echo $realUserPath."<br/>";
//gives blank (an empty string).
有什么想法吗?
正如 AbraCadaver 在评论中所说,"This only works if the dir exists. To validate/sanitize the user supplied dir you will need some rules and clean it or reject it."