Custom directory listing and $_GET question
on 06.08.2007 19:20:57 by techusky
I have a *very* simple script written that displays the directory
listing of the current working directory, but I am having some
difficulty when I try to change folders. Basically, I have my $dir
variable set to this: --- $dir = getcwd() . "\\" . $nav; --- but for
some reason the script does not actually display the contents of the
directory if you change from the directory the script is located in.
Here is my code if someone is willing to take a quick look to tell me
where I am going wrong:
<?php
// Tell the script which directory to list
$nav = $_GET['nav'];
$dir = getcwd() . "\\" . $nav;
// Collects the names of entries that are not directories
$fileArray = array();
// Open the directory
$dh = opendir($dir) or die("Unable to open $dir");
// Parse the directory listing
// and display its contents
// (compare against false so an entry named "0" does not end the loop)
while (($file = readdir($dh)) !== false)
{
    // Do not include the current directory
    if ($file != "." && $file != "..")
    {
        // If the file is not a directory
        // add it to the fileArray
        if (!is_dir($file))
        {
            array_push($fileArray, "$file");
        }
        // If the file is a directory
        // add ?nav=$file to the url
        if (is_dir($file))
        {
            echo "
$file
";
        }
        // If the file is a file
        // just link to it
        if (is_file($file))
        {
            echo "$file
a>
";
        }
    }
}
// Close the working directory
closedir($dh);
echo '
';
echo $nav;
echo '
';
echo $dir;
echo '
';
print $_SERVER['REQUEST_URI'];
?>
If you actually test this out, you will notice as I do that if you
change directories by appending ?nav=some_directory to your url, the
$nav and $dir variables *seem* to be properly updated but you will not
get a listing of the contents of the new directory... I'm stumped.
Re: Custom directory listing and $_GET question
on 06.08.2007 19:26:07 by techusky
On Aug 6, 10:20 am, techu...@gmail.com wrote:
> I have a *very* simple script written that displays the directory
> listing of the current working directory, but I am having some
> difficulty when I try to change folders. Basically, I have my $dir
> variable set to this: --- $dir = getcwd() . "\\" . $nav; --- but for
> some reason the script does not actually display the contents of the
> directory if you change from the directory the script is located in.
>
> Here is my code if someone is willing to take a quick look to tell me
> where I am going wrong:
>
>
>
> // Tell the script which directory to list
> $nav = $_GET['nav'];
> $dir = getcwd() . "\\" . $nav;
>
> // Open the directory
> $dh = opendir($dir) or die("Unable to open $dir");
>
> // Parse the directory listing
> // and display this contents
> while ($file = readdir($dh))
> {
> // Do not include the current directory
> if ($file != "." && $file != "..")
> {
> // If the file is not a directory
> // add it to the fileArray
> if (!is_dir($file))
> {
> array_push($fileArray, "$file");
> }
>
> // If the file is a directory
> // add ?nav=$file to the url
> if (is_dir($file))
> {
> echo "
> $file
> ";
> }
>
> // If the file is a file
> // just link to it
> if (is_file($file))
> {
> echo "$file
> a>
> ";
> }
> }
>
> }
>
> // Close the working directory
> closedir($dh);
>
> echo '
> ';
> echo $nav;
> echo '
> ';
> echo $dir;
> echo '
> ';
> print $_SERVER['REQUEST_URI'];
> ?>
>
> If you actually test this out, you will notice as I do that if you
> change directories by appending ?nav=some_directory to your url, the
> $nav and $dir variables *seem* to be properly updated but you will not
> get a listing of the contents of the new directory... I'm stumped.
Oh, something I forgot to include: I also tried setting the $dir
variable to: $dir = getcwd() . "/" . $nav; but that seemed to make no
difference.
Re: Custom directory listing and $_GET question
on 06.08.2007 20:14:50 by Matt Madrid
techusky@gmail.com wrote:
[snip]
>
>
>
>
> // Tell the script which directory to list
> $nav = $_GET['nav'];
> $dir = getcwd() . "\\" . $nav;
I gather from the "\\" that you are on a windows platform. No need
to use "\\", a "/" will do and make your code more portable.
[snip]
> if (!is_dir($file))
Here's your problem. You need to prepend the dirname to the filename
since you are not "in" the directory in question.
if (!is_dir("$dir/$file"))
The same goes for your other calls to is_dir() and is_file()
Matt M.
Re: Custom directory listing and $_GET question
on 06.08.2007 20:38:41 by techusky
On Aug 6, 11:14 am, Matt Madrid wrote:
> techu...@gmail.com wrote:
>
> [snip]
>
>
>
> >
>
> > // Tell the script which directory to list
> > $nav = $_GET['nav'];
> > $dir = getcwd() . "\\" . $nav;
>
> I gather from the "\\" that you are on a windows platform. No need
> to use "\\", a "/" will do and make your code more portable.
>
> [snip]
>
> > if (!is_dir($file))
>
> Here's your problem. You need to prepend the dirname to the filename
> since you are not "in" the directory in question.
>
> if (!is_dir("$dir/$file"))
>
> The same goes for your other calls to is_dir() and is_file()
>
> Matt M.
Aha! Thank you sooo much. I knew it would be something very simple
that I was just overlooking after staring at it too long.
Also, just fyi, in order to navigate more than one directory deep, I
had to change
    // If the file is a directory
    // add ?nav=$file to the url
    if (is_dir($file))
    {
        echo "$file
a>
";
    }
to
    // If the file is a directory
    // add ?nav=$file to the url
    if (is_dir("$dir/$file"))
    {
        echo "
$file
";
    }
Re: Custom directory listing and $_GET question
on 06.08.2007 21:01:17 by techusky
On Aug 6, 11:38 am, techu...@gmail.com wrote:
> On Aug 6, 11:14 am, Matt Madrid wrote:
>
>
>
> > techu...@gmail.com wrote:
>
> > [snip]
>
> > >
>
> > > // Tell the script which directory to list
> > > $nav = $_GET['nav'];
> > > $dir = getcwd() . "\\" . $nav;
>
> > I gather from the "\\" that you are on a windows platform. No need
> > to use "\\", a "/" will do and make your code more portable.
>
> > [snip]
>
> > > if (!is_dir($file))
>
> > Here's your problem. You need to prepend the dirname to the filename
> > since you are not "in" the directory in question.
>
> > if (!is_dir("$dir/$file"))
>
> > The same goes for your other calls to is_dir() and is_file()
>
> > Matt M.
>
> Aha! Thank you sooo much. I knew it would be something very simple
> that I was just overlooking after staring at it too long.
>
> Also, just fyi, in order to navigate more than one directory deep, I
> had to change
>
> // If the file is a directory
> // add ?nav=$file to the url
> if (is_dir($file))
> {
> echo "$file
> a>
> ";
> }
>
> to
>
> // If the file is a directory
> // add ?nav=$file to the url
> if (is_dir("$dir/$file"))
> {
> echo "
> $file
> ";
> }
Now, I realize this is NOT a secure directory listing, because someone
could simply append "/.." to the url and keep moving up directories
even if they are out of the realm of the web server. Is there an
*easy* way to "lock" this script from going up a directory from where
the script is stored? In other words, I want users to be able to
navigate DOWN in whatever directories may exist, but not UP *past* the
directory in which the script is located.
Re: Custom directory listing and $_GET question
on 06.08.2007 21:53:55 by Evan Charlton
techusky@gmail.com wrote:
>
> Now, I realize this is NOT a secure directory listing, because someone
> could simply append "/.." to the url and keep moving up directories
> even if they are out of the realm of the web server. Is there an
> *easy* way to "lock" this script from going up a directory from where
> the script is stored? In other words, I want users to be able to
> navigate DOWN in whatever directories may exist, but not UP *past* the
> directory in which the script is located.
>
A simple way to check would be to replace any "." (and associated HTML
codes so it can't be 'fooled') in the URL before parsing so that they
have no effect. I believe this would be secure; anyone see any holes in
the logic?
- Evan Charlton
Re: Custom directory listing and $_GET question
on 06.08.2007 21:59:46 by techusky
On Aug 6, 12:53 pm, Evan Charlton wrote:
> techu...@gmail.com wrote:
>
> > Now, I realize this is NOT a secure directory listing, because someone
> > could simply append "/.." to the url and keep moving up directories
> > even if they are out of the realm of the web server. Is there an
> > *easy* way to "lock" this script from going up a directory from where
> > the script is stored? In other words, I want users to be able to
> > navigate DOWN in whatever directories may exist, but not UP *past* the
> > directory in which the script is located.
>
> A simple way to check would be to replace any "." (and associated HTML
> codes so it can't be 'fooled') in the URL before parsing so that they
> have no effect. I believe this would be secure; anyone see any holes in
> the logic?
>
> - Evan Charlton
I discovered the "stristr()" function, and it seems to do the trick.
So here is what I have that seems to work great:
// Do not allow the use of ?nav=..
$badKarma = '..';
if (stristr($nav, $badKarma))
{
    echo 'May you receive bad karma for trying to go where you should not.';
    break;
}
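
An added example, not part of the thread: one way to keep ?nav= inside the script's directory is to compare canonical paths from realpath() instead of searching the parameter for "..". The helper name resolve_listing_dir() and the sample directory tree are constructed for illustration, and the code assumes PHP 7.1 or later.

```php
<?php
// Added example: confine ?nav= to the script's directory tree by comparing
// canonical paths. resolve_listing_dir() is a hypothetical helper name.
function resolve_listing_dir(string $base, string $nav): ?string
{
    $root = realpath($base);
    if ($root === false || strpos($nav, "\0") !== false) {
        return null;
    }
    // realpath() collapses "." and "..", follows symlinks, and returns
    // false when the target does not exist.
    $target = realpath($root . DIRECTORY_SEPARATOR . $nav);
    if ($target === false || !is_dir($target)) {
        return null;
    }
    // Accept the root itself or anything strictly below it. The trailing
    // separator stops a sibling such as "<root>-backup" from matching.
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($target !== $root && strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Constructed sample tree in the system temp directory.
$tmp  = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'navdemo_' . getmypid();
$base = $tmp . DIRECTORY_SEPARATOR . 'site';
@mkdir($base . '/docs/v1..2', 0700, true);         // legitimate name containing ".."
@mkdir($tmp . '/site-backup', 0700, true);         // sibling sharing the root's prefix
@symlink($tmp . '/site-backup', $base . '/link');  // may fail on Windows

// Compare the thread's substring test with the canonical-path test.
$samples = ['', 'docs', 'docs/v1..2', '..', 'docs/../..', '../site-backup', 'link', 'missing'];
foreach ($samples as $nav) {
    $substring = (stristr($nav, '..') === false) ? 'allow' : 'deny';
    $canonical = (resolve_listing_dir($base, $nav) !== null) ? 'allow' : 'deny';
    printf("%-18s substring check: %-5s  realpath check: %s\n", "'$nav'", $substring, $canonical);
}
```

The two checks disagree on `docs/v1..2` (a legitimate name the substring test rejects) and on `link` (a symlink leading outside the tree that the substring test accepts). In the listing script, the returned path would take the place of `getcwd() . "/" . $nav`, with a null result treated as "not found".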