I am trying to make a script that lists only folders within a folder. The thing is that I have users who can create folders within their folders, so basically what I'm trying to do is to have a way for users to manage their folders and store files... My problem is that I want to make PHP "think" that the root folder is their home directory and they cannot go higher than their home directory. Currently my PHP function doesn't do that; it only shows the content of the directory... and if the user goes one level up, and again one level up, and so on, he could browse the entire hard drive.
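
    function directoryList($path) {
        // $path is expected to end with a directory separator.
        $dirStruct = array();
        if (is_dir($path)) {
            $handle = opendir($path);
            while (($file = readdir($handle)) !== false) {
                // Keep sub-directories only. "." and ".." are still listed,
                // which is what lets a user walk up out of the home directory.
                if (is_dir($path.$file)) {
                    // realpath() resolves the entry without changing the working directory.
                    $absolutepath = realpath($path.$file);
                    $dirStruct[] = array('path' => $absolutepath.'\\', 'name' => $file);
                }
            }
            closedir($handle);
        }
        return $dirStruct;
    }
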
Instead of giving the user an absolute path, only allow them to specify paths which are relative to a given base path. Next, write a function which removes any "/../" from the relative path and you're safe (as long as users can't create links on the server ...).
If you want to be nice, you can match the ".." with the element before that (so "a/../b" would become "b", i.e. the ".." removes the "a") or ignore the ".." if there is no path element before it.
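
The normalization described in this answer, as an added example that is not part of the original answer or the asker's code. It goes one step further than the answer by re-checking the resolved path with realpath(), which covers the case where links exist on the server; the function names and the demo directory are assumptions.

```php
<?php
// Added example: names and the demo directory are assumptions, not the page's code.

// Collapse a relative path: "a/../b" becomes "b"; a ".." with nothing
// before it is ignored, so the result never climbs above its start.
function normalizeRelativePath(string $relative): string
{
    if (strpos($relative, "\0") !== false) {
        throw new InvalidArgumentException('NUL byte in path');
    }
    $parts = array();
    // Split on both separators; the question's paths use backslashes.
    foreach (preg_split('#[/\\\\]+#', $relative) as $segment) {
        if ($segment === '..') {
            array_pop($parts); // no-op when nothing is left to remove
        } elseif ($segment !== '' && $segment !== '.') {
            $parts[] = $segment;
        }
    }
    return implode(DIRECTORY_SEPARATOR, $parts);
}

// Join the cleaned path to $base, let realpath() resolve any links, and
// accept the result only if it is a directory still inside $base.
function resolveInsideBase(string $base, string $relative)
{
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return false;
    }
    $target = realpath($baseReal . DIRECTORY_SEPARATOR . normalizeRelativePath($relative));
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($target === false || !is_dir($target)) {
        return false;
    }
    $inside = $target === $baseReal || strncmp($target, $prefix, strlen($prefix)) === 0;
    return $inside ? $target : false;
}

// Constructed demo: a throwaway home directory with one sub-folder.
$home = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'home_demo_' . getmypid();
mkdir($home . DIRECTORY_SEPARATOR . 'docs', 0700, true);
foreach (array('docs', 'docs/../..', '../../etc', 'a/../docs') as $input) {
    $resolved = resolveInsideBase($home, $input);
    printf("%-12s => %s\n", $input, $resolved === false ? 'rejected' : $resolved);
}
rmdir($home . DIRECTORY_SEPARATOR . 'docs');
rmdir($home);
```

A listing function would call resolveInsideBase() with the user's home directory and the requested relative path, and list only the directory it returns.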