php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #30918 Add a "non-local" flag param to realpath
Submitted: 2004-11-27 10:39 UTC Modified: -
From: dewi at morganalley dot com Assigned:
Status: Open Package: Feature/Change Request
PHP Version: 5.0.2 OS: Linux
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2004-11-27 10:39 UTC] dewi at morganalley dot com
Description:
------------
Description of issues:
======================

1) From the user-comments on the online documentation page for the realpath() function, it can be seen that there is a significant need for a function that will clean paths, but will not require them to be local.

That is, it will not check for existence of all directory elements, and will not expand symlinks: it will merely parse the directory as a string, replacing all '//' and '/./' with single '/', dealing with '/../' elements, stripping any trailing '/', then replacing empty ('') paths with a single dot ('.').

While on the face of it, this seems fairly trivial to write as a user function, the user-comments on the online documentation give the lie to this: to get such a function compatible both with windows and linux, portably, is non-trivial.

2) under windows, realpath() already fulfils this purpose, as it does not check for existence (I have not checked, but the user comments in the online documentation say that this is the case). I assume this is because it does not need to check for symlinks.

3) This parsing-as-a-string should be the first step for realpath() anyway, as currently it will return false on the string "/nonexistent-path/..", even though, as a string this evaluates to '/', and so does exist.


Expected result:
----------------
Suggested solution:
===================

Add an optional second parameter to realpath(), made from the flags FOLLOW_SYMLINKS, and PATH_MUST_EXIST. This will then allow non-local and vortual paths to be cleaned.

For security, a further, third parameter could be added, defaulting to '', that specifies a directory above which the path may not go, with '..'. So realpath("/var/www/foo/../../../etc/", true, "/var/www/") would evaluate to "/var/www/etc/". This would give users who are not using safe mode a very easy way to validate that directories are at least somewhat secure.


Patches

Add a Patch

Pull Requests

Add a Pull Request

 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Wed Sep 18 13:01:52 2019 UTC