Request #30918 Add a "non-local" flag param to realpath
Submitted: 2004-11-27 10:39 UTC
Modified: -
From: dewi at morganalley dot com
Assigned:
Status: Open
Package: Feature/Change Request
PHP Version: 5.0.2
OS: Linux
Private report: No
CVE-ID: None
 [2004-11-27 10:39 UTC] dewi at morganalley dot com
Description:
------------
Description of issues:
======================

1) From the user-comments on the online documentation page for the realpath() function, it can be seen that there is a significant need for a function that will clean paths, but will not require them to be local.

That is, it will not check for existence of all directory elements, and will not expand symlinks: it will merely parse the directory as a string, replacing all '//' and '/./' with single '/', dealing with '/../' elements, stripping any trailing '/', then replacing empty ('') paths with a single dot ('.').

While on the face of it, this seems fairly trivial to write as a user function, the user-comments on the online documentation give the lie to this: to get such a function compatible both with Windows and Linux, portably, is non-trivial.

2) Under Windows, realpath() already fulfils this purpose, as it does not check for existence (I have not checked, but the user comments in the online documentation say that this is the case). I assume this is because it does not need to check for symlinks.

3) This parsing-as-a-string should be the first step for realpath() anyway, as currently it will return false on the string "/nonexistent-path/..", even though, as a string, this evaluates to '/', and so does exist.


Expected result:
----------------
Suggested solution:
===================

Add an optional second parameter to realpath(), made from the flags FOLLOW_SYMLINKS, and PATH_MUST_EXIST. This will then allow non-local and virtual paths to be cleaned.

For security, a further, third parameter could be added, defaulting to '', that specifies a directory above which the path may not go, with '..'. So realpath("/var/www/foo/../../../etc/", true, "/var/www/") would evaluate to "/var/www/etc/". This would give users who are not using safe mode a very easy way to validate that directories are at least somewhat secure.
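
The string-only cleaning and the base-directory limit requested above, written out as an added example; it is not code from the report or from PHP itself. `path_segments()` and `clean_path()` are hypothetical names, only '/' separators are handled, and returning null for a path that still ends up outside the base is an assumption the report does not specify.

```php
<?php
declare(strict_types=1);
// Hypothetical helpers, not PHP built-ins. '/' separators only; paths are
// handled as strings: no filesystem access, no symlink expansion.
function path_segments(string $path): array
{
    // Drops '' (from '//', leading and trailing '/') and '.' segments.
    return array_values(array_diff(explode('/', $path), ['', '.']));
}

// With $base set (assumed absolute), '..' cannot climb above it, relative
// paths resolve against it, and null means the result lies outside it.
function clean_path(string $path, string $base = ''): ?string
{
    $absolute = $path !== '' && $path[0] === '/';
    $floor = $stack = [];
    if ($base !== '') {
        if ($base[0] !== '/') {
            throw new InvalidArgumentException('base must be absolute');
        }
        $floor = path_segments((string) clean_path($base));
        if (!$absolute) {
            $stack = $floor;
            $absolute = true;
        }
    }
    foreach (path_segments($path) as $seg) {
        if ($seg !== '..') {
            $stack[] = $seg;
        } elseif ($base !== '' && $stack === $floor) {
            continue; // clamp: already at $base, ignore this '..'
        } elseif ($stack !== [] && end($stack) !== '..') {
            array_pop($stack);
        } elseif (!$absolute) {
            $stack[] = '..'; // a relative path keeps its leading '..'
        } // absolute path: '/..' stays '/'
    }
    // Compare whole segments so '/var/wwwroot' is not taken for '/var/www'.
    if (array_slice($stack, 0, count($floor)) !== $floor) {
        return null;
    }
    $out = ($absolute ? '/' : '') . implode('/', $stack);
    return $out === '' ? '.' : $out; // trailing '/' is stripped, '' becomes '.'
}

// Constructed inputs; the first two paths are the ones quoted in the report.
foreach ([['/nonexistent-path/..', ''], ['/var/www/foo/../../../etc/', '/var/www/'],
          ['/var/wwwroot/x', '/var/www/'], ['a//b/./c/../', '']] as [$p, $b]) {
    echo $p, ' => ', var_export(clean_path($p, $b), true), "\n";
}
```

Because no symlinks are expanded, a path that passes this check can still resolve outside the base on disk; the check covers only the string.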

