traversing directories with php?

Question

I have a path to a folder (e.g. /var/www/tester/assets/themes/default/css/).

a user can provide a relative path to the folder, so for example. layout/ie7.css would give the path of /var/www/tester/assets/themes/default/css/layout/ie7.css.

This works fine, however I want the users to be able to navigate up the directory tree as well.

so with the path to the css folder again if a user provides ../../cache/css/ie7.css I want the path to end up as /var/www/tester/assets/themes/default/cache/css/ie7.css.

I thought I could just pass them together to realpath() e.g:

$base = '/var/www/tester/assets/themes/default/css/';
$user_path = '../../cache/css/ie7.css';
$final_path = realpath($base.$user_path);

But that just returns false. How can I do this?

Answer 1

first of all the real path function also checks whether the given path exists... Are you sure your path exists???

/var/www/tester/assets/themes/default/css/../../cache/css/ie7.css 

would not end up in

/var/www/tester/assets/themes/default/cache/css/ie7.css 

as you suggest but it ends up in

/var/www/tester/assets/themes/cache/css/ie7.css 

Does this folder with the given file exist?

Answer 2

Just don't. There is nothing wrong with a path like /var/www/tester/assets/themes/default/css/../../cache/css/ie7.css. It works on all OSes and browsers.

Note: are you aware that you might be creating a security risk here? What if users provide ../../../../../../../etc/passwd ?