
Nice. The code was already checking for '..' on the path, but the condition was erroneous. Fixed now.


You might be better off getting the canonical path and then checking against a whitelist. E.g. `strpos(realpath($command_path), '/var/www/html/') === 0`.
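
The canonical-path check suggested in the comment above, as an added PHP example that is not part of either comment or of the project's code. `resolve_inside()` and the temporary demo tree are hypothetical, and a POSIX filesystem is assumed for the symlink case.

```php
<?php
// Added example; resolve_inside() is a hypothetical helper, not the project's code.
function resolve_inside(string $baseDir, string $path): ?string
{
    $base = realpath($baseDir);
    $real = realpath($path);
    // realpath() returns false for paths that do not exist; reject those outright.
    if ($base === false || $real === false) {
        return null;
    }
    // Compare against the base plus a separator so ".../html" does not match ".../html_old".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($real === $base || strncmp($real, $prefix, strlen($prefix)) === 0) {
        return $real; // canonical form: ".." and symlinks are already resolved
    }
    return null;
}

// Constructed demo tree under the system temp directory.
$root = sys_get_temp_dir() . '/demo_' . bin2hex(random_bytes(4));
mkdir("$root/html/cmd", 0700, true);
mkdir("$root/html_old", 0700, true);
file_put_contents("$root/html/cmd/ok.php", '');
file_put_contents("$root/html_old/x.php", '');
file_put_contents("$root/secret.txt", '');
symlink("$root/secret.txt", "$root/html/cmd/link"); // symlink pointing outside the base

// Constructed inputs mapped to whether the check should allow them.
$cases = [
    "$root/html/cmd/ok.php"           => true,  // plain file inside the base
    "$root/html/cmd/../../secret.txt" => false, // ".." climbs out of the base
    "$root/html/../html_old/x.php"    => false, // sibling directory sharing the prefix
    "$root/html/cmd/link"             => false, // symlink resolves outside the base
    "$root/html/cmd/missing.php"      => false, // nonexistent path
];
foreach ($cases as $path => $expected) {
    $allowed = resolve_inside("$root/html", $path) !== null;
    if ($allowed !== $expected) {
        throw new RuntimeException("unexpected result for $path");
    }
    printf("%-6s %s\n", $allowed ? 'allow' : 'reject', substr($path, strlen($root)));
}
```

Use the returned canonical path for the subsequent file operation rather than the original input, so the path that was checked is the path that is opened.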



