I was bored today and instead of doing assignment work, I decided to look into some report bugs in ldir; this update has added a fair bit of code.
I have now improved the extremely simplistic anti-injection checks to be a bit more thorough, as it was actually stopping access to any .folders which meant it was stopping the ability to traverse up directories that you shouldn’t be able to but it was also restricting access to legitimate folders.
Initially I was going to just edit the way it handled folders but after I did this, you could still inject so I changed the improved code. The new folder handling means that the URL doesn’t have to have an prepending (is this a real word, if not is would be! I’m just not sure as firefox’s spell check goes wild with it) / so it looks much nicer.
The new improved anti-injection also allowed for some minor changes so people can display double dot files and folders i.e. ..folder/ which would be odd but highly possible. Inadvertently, it also allows ./ to be used in the variable f GET but this should be fine.
I’m not sure if it was my permissions or a bug in the PHP filesize() function as when ldir was inside a doubledot folder, it was giving an e_Warning that it couldn’t stat the file size, so due to this, I have suppressed an warning from it. I will follow this up when I get time but I think that is is a filesize() bug.
Anyway, visit the ldir page for the latest code and changelog.