in reply to Cleaning up directory paths.

Maybe this would be off the mark relative to what you really want to do, but... Rather than trying to filter user input to assure acceptable directory paths, you could specify in advance what the acceptable paths are (e.g. using the output of "find your_web_root -type d" on the command line), and offer those as a list to choose from. If the list were in a side frame, then the navigation ought to be tolerably effective.

While I haven't tried it myself, I'm sure there would be fairly simple means available to emulate the sort of index that shows "top-level" items, with little "+" icons next to them when they contain sub-levels, and clicking on the icon expands the choices on the next level down, while clicking the name takes you to the specified item (i.e. lists the contents of that directory).

Re: Re: Cleaning up directory paths.
by SavannahLion (Pilgrim) on Nov 06, 2003 at 05:32 UTC
    I suppose that would work in a fashion. But even if I were to present a list with a fixed list of paths, I would still end up needing to clean up and untaint that incoming variable anyways. The only way I can think of, off the top of my head, to avoid cleaning the path is to assign each item in the list a number and compare that to an internal list to ensure that the path information is altered. But I feel that that is rather unwieldy. :-\

    Nice idea though.

    Is it fair to stick a link to my site here?

    Thanks for your patience.

      But even if I were to present a list with a fixed list of paths, I would still end up needing to clean up and untaint that incoming variable anyways.

      Right. Good point. (Sorry I didn't think of that at first... did I mention that web programming is something I do relatively seldom in my job?)

      So, if you have the list that you present on people's browsers, and you get back a parameter string, rather than trying to untaint the parameter string, you just need to check whether it's an exact match to a particular string in your list of allowable paths. And this would be easy if you just store the allowed path list as keys of a hash.

      Once you establish that it does match, you don't really need the parameter string after that (no need to untaint it) -- just use the matched item from your list (which the script reads directly from the server). And if there was no match, you just send whatever alternative feedback you deem appropriate...
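      The approach described in this reply, written out as an added example (it is not code from the thread): the allow-list is built from the server's own directory tree, as the first reply suggested doing with "find your_web_root -type d", and the CGI parameter is used only as a hash key for an exact match. The web root /var/www/html and the parameter name "dir" are assumptions for the example. One detail worth knowing under -T: the names readdir() returns are themselves tainted, but hash keys never are, so storing the paths as keys is what makes the matched list entry clean.

```perl
#!/usr/bin/perl -T
# Added example, not code from the thread: resolve a user-supplied "dir"
# parameter against an allow-list built from the real directory tree, and
# use the matching allow-list entry (never the parameter) from then on.
use strict;
use warnings;
use File::Find;
use File::Spec;
use CGI;

# Assumed web root for this example; adjust to your own document root.
my $WEB_ROOT = '/var/www/html';

# Build the allow-list from the filesystem. Under -T the names readdir()
# returns are tainted, but hash keys never are, so after a round trip
# through %seen every path in the returned map is untainted.
sub build_allowed_dirs {
    my ($root) = @_;
    my %seen;
    find({
        no_chdir => 1,   # no chdir, so no untaint option is needed under -T
        wanted   => sub {
            return unless -d $File::Find::name;
            my $rel = File::Spec->abs2rel($File::Find::name, $root);
            $seen{$rel} = 1;   # storing it as a key drops the taint
        },
    }, $root);
    # Map each clean relative path to its clean absolute path.
    my %allowed = map { $_ => File::Spec->catdir($root, $_) } keys %seen;
    return \%allowed;
}

# Exact-match lookup: returns the allow-list's own absolute path, or undef.
# The tainted parameter is used only as a hash key and is then discarded.
sub resolve_dir {
    my ($allowed, $param) = @_;
    return unless defined $param;
    return exists $allowed->{$param} ? $allowed->{$param} : undef;
}

my $allowed = build_allowed_dirs($WEB_ROOT);
my $q       = CGI->new;
my $dir     = resolve_dir($allowed, scalar $q->param('dir'));

print $q->header('text/plain');
if (defined $dir) {
    # $dir came from our own list, so opendir is permitted under -T.
    opendir(my $dh, $dir) or die "opendir $dir: $!";
    my @entries = grep { !/^\./ } readdir $dh;
    closedir $dh;
    print "$_\n" for sort @entries;
} else {
    # No match: report the problem without echoing the submitted value.
    print "Unknown directory; choose one from the list.\n";
}
```

      The same %allowed hash can also generate the list shown to the browser (its keys are the relative paths to offer), so the menu and the check are always built from one source.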