kernel

Procedural File: ajax_file_browser_inc.php

Source Location: /kernel/ajax_file_browser_inc.php



Page Details:



Tags:

version:  

$Header$

Copyright (c) 2008 bitweaver.org All Rights Reserved. See below for details and a complete list of authors. Licensed under the GNU LESSER GENERAL PUBLIC LICENSE. See http://www.gnu.org/copyleft/lesser.html for details



Includes:

require_once('setup_inc.php') [line 38]
Quick guide to this file: $_REQUEST['ajax_path_conf'] is the name of the kernel configuration value that contains the absolute path to the directory where the files are.

Safety first: This method was chosen to provide a measure of security, since an absolute path is never passed in via the URL. As a further safety measure, the configuration value stored in $gBitSystem->mConfig[$_REQUEST['ajax_path_conf']] is used as a 'jail'. Paths outside this 'jail' are ignored, including those reached via ../../ or symbolic links. Evil extensions as defined in EVIL_EXTENSION_PATTERN are ignored, as are [dot] files, e.g.: .private.txt

e.g.: if /home/ftp/public/ is the 'jail', then /home/ftp/public/ftp -> /home/ftp/ is a symbolic link that points outside the 'jail' and will therefore be ignored completely. This also makes it impossible to import paths like /home/ftp/public/../../../../../etc/passwd

You can define ajax_path_conf in two places with different effects:

  1. Define ajax_path_conf when you include the template: {include file="bitpackage:kernel/ajax_file_browser.tpl" ajax_path_conf=treasury_file_import_path} This will show a "Load Files" link, which loads the file list when you click on it.
  2. If you provide $_REQUEST['ajax_path_conf'] when you include it from your php file, all files in the root directory will already be loaded: $_REQUEST['ajax_path_conf'] = 'treasury_file_import_path'; require_once( KERNEL_PKG_PATH.'ajax_file_browser.php' );
NOTE: when you process the imported files, make sure you use realpath() to check if files are really in your 'jail'.
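
The realpath() check recommended in the note above, as an added example (not bitweaver's own code). The function name example_path_in_jail and the constant EXAMPLE_BLOCKED_EXT are hypothetical; the pattern is a stand-in for EVIL_EXTENSION_PATTERN, whose value is not shown on this page. The directory layout is constructed in a temp dir and assumes a POSIX system where symlink() is available.

```php
<?php
// Added example, not bitweaver code. Function and constant names are hypothetical.

// Stand-in for the project's EVIL_EXTENSION_PATTERN (real value not shown on this page).
const EXAMPLE_BLOCKED_EXT = '/\.(php\d?|phtml|cgi|pl|sh)$/i';

/**
 * Resolve $relPath beneath $jail and return the canonical path, or FALSE
 * if it escapes the jail, is a dot file, or has a blocked extension.
 */
function example_path_in_jail( $jail, $relPath ) {
    $jailReal = realpath( $jail );
    if( $jailReal === FALSE ) {
        return FALSE;                        // the jail itself is missing
    }
    // realpath() collapses ../ and follows symbolic links; FALSE if the target does not exist
    $real = realpath( $jailReal.DIRECTORY_SEPARATOR.$relPath );
    if( $real === FALSE ) {
        return FALSE;
    }
    // Compare with a trailing separator so /home/ftp/public-old does not match /home/ftp/public
    $prefix = rtrim( $jailReal, DIRECTORY_SEPARATOR ).DIRECTORY_SEPARATOR;
    if( strncmp( $real, $prefix, strlen( $prefix ) ) !== 0 ) {
        return FALSE;
    }
    // Apply the name filters to the resolved target, not to the name that was requested
    $name = basename( $real );
    if( $name[0] === '.' || preg_match( EXAMPLE_BLOCKED_EXT, $name ) ) {
        return FALSE;
    }
    return $real;
}

// Constructed layout: <root>/public is the jail, <root>/secret.txt lies outside it
$root = sys_get_temp_dir().'/jail_demo_'.getmypid();
mkdir( "$root/public/sub", 0700, TRUE );
file_put_contents( "$root/secret.txt", 'outside' );
file_put_contents( "$root/public/sub/ok.txt", 'inside' );
file_put_contents( "$root/public/.private.txt", 'hidden' );
symlink( $root, "$root/public/ftp" );        // symbolic link that points outside the jail

// Only sub/ok.txt resolves to a path inside the jail; the other three are rejected
foreach( array( 'sub/ok.txt', '../secret.txt', 'ftp/secret.txt', '.private.txt' ) as $rel ) {
    $res = example_path_in_jail( "$root/public", $rel );
    echo str_pad( $rel, 16 ), ( $res === FALSE ? 'rejected' : "accepted: $res" ), "\n";
}
```

Both the jail and the candidate are passed through realpath() before the prefix comparison, so a jail path that is itself reached through a symbolic link still compares correctly.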








ajax_dir_list [line 61]

TRUE ajax_dir_list( array $pDir, [array $pRelPath = NULL])

ajax_dir_list



Tags:

return:  TRUE on success, FALSE on failure - mErrors will contain reason for failure
access:  public


Parameters

array   $pDir   Base directory
array   $pRelPath   relative path on top of base directory



Documentation generated on Wed, 29 Jul 2015 13:55:33 +0000 by phpDocumentor 1.5.0-lsces