Question

Hope someone can shed some light on this.

My PHP script can currently open files above the document root by using relative paths such as require_once('../../passowrds.php');

1) Is there any way to enforce absolute paths open above the document root?

2) What is the safest method of accessing files above the document root?

Thanks in advance


Solution

The safest method: in the requiring file, write $a = 'samplevalue'; and at the top of passowrds.php, write: if($a != 'samplevalue'){ header('Location: http://www.example.com/'); }

passowrds.php :

if($r_key != 'a23b24c25samplekey' or empty($r_key)){ header('Location: http://www.example.com/'); exit(); } // if r_key is empty or not equal to a23b24c25samplekey, forward to the main page
bla.. bla.. bla..

sample.php :

  $r_key = 'a23b24c25samplekey';
  require_once('../../passowrds.php');

And this can be used for a relative path:

   $path = $_SERVER['DOCUMENT_ROOT'];
   $path .= "/yourfolder/passowrwds.php";
   require_once($path);

require_once('../../passowrds.php'); is safer than $path = $_SERVER['DOCUMENT_ROOT']; $path .= "/yourfolder/passowrwds.php"; require_once($path);

Other tips

Is there any way to enforce absolute paths open above the document root?

I interpret this to mean "is it possible to prevent above-docroot-access with relative paths?". The answer is: Not that I know of, short of manually validating the path string (look for excessive ".." etc.)

What is the safest method of accessing files above the document root?

It depends on your definition of "safest"; what is your scenario where this could ever cause a problem?

However, a good start would be to validate any user input that controls this, rather than simply doing e.g. require_once($_GET["file"]).
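
One way to do the path validation this answer mentions, as an added example that is not part of the original thread: instead of counting ".." in the string, resolve the requested name with realpath() and require that the result stays inside one allowed directory. The function name safe_include_path and the temporary directory layout are hypothetical, constructed for this example.

```php
<?php
// Added example: hypothetical helper, not code from the thread.
// Resolves a requested name against one allowed directory and refuses
// anything that lands outside it once ".." and symlinks are resolved.
function safe_include_path(string $allowedDir, string $requested): string
{
    $base = realpath($allowedDir);
    if ($base === false) {
        throw new RuntimeException('allowed directory does not exist');
    }
    // Reject empty names and NUL bytes before touching the filesystem.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        throw new InvalidArgumentException('invalid file name');
    }
    $real = realpath($base . DIRECTORY_SEPARATOR . $requested);
    // realpath() returns false for missing files. Comparing against the base
    // plus a trailing separator stops ".../private-old" matching ".../private".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($real === false || strncmp($real, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException('path is missing or escapes allowed directory');
    }
    return $real;
}

// Constructed layout: <tmp>/private/config.php is allowed, <tmp>/secret.php is not.
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'incdemo_' . bin2hex(random_bytes(4));
mkdir("$tmp/private", 0700, true);
file_put_contents("$tmp/private/config.php", "<?php return ['db' => 'example'];");
file_put_contents("$tmp/secret.php", "<?php return ['db' => 'outside'];");

// Constructed sample inputs, standing in for a user-controlled value.
foreach (['config.php', '../secret.php', './../private/../secret.php', 'missing.php'] as $name) {
    try {
        $cfg = require safe_include_path("$tmp/private", $name);
        echo "$name => loaded, db=" . $cfg['db'] . "\n";
    } catch (Exception $e) {
        echo "$name => rejected (" . $e->getMessage() . ")\n";
    }
}

// Clean up the constructed files.
unlink("$tmp/private/config.php");
unlink("$tmp/secret.php");
rmdir("$tmp/private");
rmdir($tmp);
```

Only config.php is loaded; the two traversal names resolve to a real file outside the allowed directory and are rejected, and missing.php is rejected because it does not exist.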

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow