I want to check that a file system path is valid and safe to use relative to another path. So I want to know if there are any other special characters like /../ and /./ which might cause a path to actually point somewhere else.
If that is all I have to worry about then a quick replace of those chars followed by something like this to check for any other bad filesystem chars should work right?
[^a-z0-9\.\-_]
(On windows stuff like C:\ would also have to be allowed)
The use case is that I have a folder which site administrators can create directories in and I want to FORCE them to only create directories in that folder. In other words, no being sneaky with ...path/uploads/../../../var/otherfolder/ if you know what I mean 😉
For resolving paths,
., and.., (and in most cases,//for Unix and\\for Windows) are the main things you really need to worry about in terms of resolving paths. From RFC 3986, this is the algorithm for resolving relative paths in URIs. For the most part, it also applies to file system paths.An algorithm,
remove_dot_segments:components and the output buffer is initialized to the empty
string.
"../"or"./",then remove that prefix from the input buffer; otherwise,
"/./"or"/.",where
"."is a complete path segment, then replace thatprefix with
"/"in the input buffer; otherwise,"/../"or"/..",where
".."is a complete path segment, then replace thatprefix with
"/"in the input buffer and remove the lastsegment and its preceding
"/"(if any) from the outputbuffer; otherwise,
"."or"..", then removethat from the input buffer; otherwise,
the output buffer, including the initial
"/"character (ifany) and any subsequent characters up to, but not including,
the next
"/"character or the end of the input buffer.remove_dot_segments.Example run:
Don’t forget that it’s possible to do things like specify more
".."segments than there are parent directories. So if you’re trying to resolve a path, you could end up trying to resolve beyond/, or in the case of Windows,C:\.