|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #30918 Add a "non-local" flag param to realpath
Submitted: 2004-11-27 10:39 UTC Modified: 2021-08-23 14:46 UTC
From: dewi at morganalley dot com Assigned: cmb (profile)
Status: Wont fix Package: *General Issues
PHP Version: 5.0.2 OS: Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: dewi at morganalley dot com
New email:
PHP Version: OS:


 [2004-11-27 10:39 UTC] dewi at morganalley dot com
Description of issues:

1) From the user-comments on the online documentation page for the realpath() function, it can be seen that there is a significant need for a function that will clean paths, but will not require them to be local.

That is, it will not check for existence of all directory elements, and will not expand symlinks: it will merely parse the directory as a string, replacing all '//' and '/./' with single '/', dealing with '/../' elements, stripping any trailing '/', then replacing empty ('') paths with a single dot ('.').

While on the face of it, this seems fairly trivial to write as a user function, the user-comments on the online documentation give the lie to this: to get such a function compatible both with windows and linux, portably, is non-trivial.

2) under windows, realpath() already fulfils this purpose, as it does not check for existence (I have not checked, but the user comments in the online documentation say that this is the case). I assume this is because it does not need to check for symlinks.

3) This parsing-as-a-string should be the first step for realpath() anyway, as currently it will return false on the string "/nonexistent-path/..", even though, as a string this evaluates to '/', and so does exist.

Expected result:
Suggested solution:

Add an optional second parameter to realpath(), made from the flags FOLLOW_SYMLINKS, and PATH_MUST_EXIST. This will then allow non-local and vortual paths to be cleaned.

For security, a further, third parameter could be added, defaulting to '', that specifies a directory above which the path may not go, with '..'. So realpath("/var/www/foo/../../../etc/", true, "/var/www/") would evaluate to "/var/www/etc/". This would give users who are not using safe mode a very easy way to validate that directories are at least somewhat secure.


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2021-08-23 14:46 UTC]
-Status: Open +Status: Wont fix -Package: Feature/Change Request +Package: *General Issues -Assigned To: +Assigned To: cmb
 [2021-08-23 14:46 UTC]
This feature request had no comments or upvotes for more than 15
years, so we can assume that there is not much interest in having
such function.
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Sun Sep 19 07:03:36 2021 UTC