Do browsers evaluate URL path patterns like ../?

Time:04-27

I have a php site with a web root directory /var/www/html/limesurvey/. Let's say this maps to the URL https://mylimesurveysite.com/.

The default runtimePath where logs are saved is /var/www/html/limesurvey/tmp/runtime/. If I wanted to download a log file, I could visit the URL https://mylimesurveysite.com/tmp/runtime/application.log and my browser would automatically download the log file. I've tested this.

If I set the runtimePath to /var/limesurvey_runtime/, are my log files in this directory still accessible to the internet somehow?

I tried to visit https://mylimesurveysite.com/../../../limesurvey_runtime/application.log and it doesn't seem like the log file can be accessed this way. So it seems URLs aren't evaluated like programming language paths.

CodePudding user response:

You could try creating a php file in your "public_html" or root web directory that reads that log file. For example in the PHP file you could say:

<?php
// Stream the log file's contents to the client (no access check shown here)
readfile("/var/www/html/limesurvey/tmp/runtime/application.log");

CodePudding user response:

TLDR; Browsers and webservers work together to try to ensure that only designated resources in the web root are accessible. It would be a major security violation if a web client could access arbitrary files on the server.

First, the browser automatically canonicalizes pathnames in URLs. This means that any XXX/.. pairs are automatically removed, so if you have a URL with /a/b/../c/d it's converted to /a/c/d. Next, any leading ../ are removed, so the URL https://mylimesurveysite.com/../../../limesurvey_runtime/application.log is converted to https://mylimesurveysite.com/limesurvey_runtime/application.log.

But we can't depend on browsers for security, because hackers can bypass browsers and write scripts that send arbitrary paths to the server. So servers are normally configured to block any access outside the defined web root directory. There are also optional settings to allow accessing directories in user directories, typically with paths beginning with ~username/; this is typically mapped by the server to something like /home/username/public_html/.

In either case, any ../ in the path that would go outside the web root or public_html directory are prohibited, and should result in a 404 Not found error.

If you want to allow access to something outside the web root, the usual way to do it is with a script that fetches files after validating that it's allowed. You may also be able to use symbolic links in the web root that point outside, although this may also be disabled in webserver configurations.
