
Comments (8)

misterunknown commented on August 16, 2024

Well, in the past I had many concerns about operating at a higher level than the script root, because a potential attacker could then likely walk through the whole filesystem and even read files like /etc/passwd and things. I'll add this feature in the next release, but leave it disabled.

from ifm.

geri777 commented on August 16, 2024

After thinking about this setting again - I would like to suggest the following: Instead of a general switch for allowing parent folders, I think the proper way for such a setting might be to let the user specify the root directory - i.e. where IFM should start with the file listing.

Example:

rootDir = "" .. start from the ifm.php location (default)
rootDir = "/" .. start from the server's root
rootDir = "/var/www/http/" .. start from a specific directory.

from ifm.

misterunknown commented on August 16, 2024

That is a good suggestion. I'm currently working on this.

from ifm.

misterunknown commented on August 16, 2024

I pushed a working version to the issue-26 branch. The root_dir option is currently empty, so you have to adjust it for your needs.

Could you test this and let me know if you find any issues? That would be nice.

Please note that this option has several implications:

  • The direct links certainly don't work if the files lie outside of the document root. Use the download buttons instead.
  • Note that zip archives of folders don't contain files and directories which the PHP user cannot read. This happens without any errors.
  • If open_basedir is active, and the root_dir is inaccessible, ifm dies with an error.

from ifm.
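Added example, not part of the thread and not IFM's own code: one way a PHP file manager can keep client-supplied paths inside a configured root directory, which is the concern raised in the first comment and the purpose of the root_dir option. The function name `resolveInsideRoot()` and the sample directory tree are hypothetical and constructed for illustration.

```php
<?php
// Added illustration; resolveInsideRoot() is a hypothetical helper, not IFM code.

/**
 * Resolve a client-supplied path relative to $rootDir.
 * Returns the canonical absolute path, or null if it leaves the root.
 */
function resolveInsideRoot(string $rootDir, string $requested): ?string
{
    // An empty root means "start from the script location" (the default in the thread).
    $root = realpath($rootDir === '' ? __DIR__ : $rootDir);
    if ($root === false) {
        return null; // root missing, unreadable, or blocked by open_basedir
    }
    // realpath() collapses "." and "..", follows symlinks, and fails on missing targets.
    $target = realpath($root . DIRECTORY_SEPARATOR . $requested);
    if ($target === false) {
        return null;
    }
    if ($target === $root) {
        return $target;
    }
    // Compare with a trailing separator so /srv/www does not match /srv/www-private.
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

// Constructed sample tree under the system temp directory.
$base = sys_get_temp_dir() . '/ifm_demo_' . getmypid();
mkdir("$base/www/docs", 0700, true);
mkdir("$base/www-private", 0700, true);
file_put_contents("$base/www/docs/readme.txt", "ok");
file_put_contents("$base/www-private/secret.txt", "no");
@symlink("$base/www-private", "$base/www/link"); // symlink that points outside the root

$cases = [
    'docs/readme.txt',            // plain file inside the root
    'docs/../docs/readme.txt',    // ".." that stays inside the root
    '../www-private/secret.txt',  // sibling directory sharing the root's name prefix
    'link/secret.txt',            // symlink escaping the root
    '../../etc/passwd',           // climbing above the root
    'missing.txt',                // nonexistent target
];
foreach ($cases as $p) {
    $resolved = resolveInsideRoot("$base/www", $p);
    printf("%-28s %s\n", $p, $resolved === null ? 'REJECTED' : 'allowed');
}
```

The check runs on the resolved path, so it has to be applied to the same canonical path that is later opened, not to the raw request string.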

geri777 commented on August 16, 2024

Thank you - great feature! I found one issue when testing:

File Links (open file as URL) do not work

Setup:

Now I navigate in IFM to /var/www/myhost.com/ - and click on some text file. The file is not found, as IFM opens http://myhost.com/tools/textfile.txt instead of http://myhost.com/textfile.txt
The download button for the textfile still works well.

from ifm.

misterunknown commented on August 16, 2024

Yes, this is the case. I am not quite sure how to solve that, because I can't guess the DocumentRoot reliably due to aliases, rewrites and so on. Maybe I can add a client-side check which triggers the download instead of opening the link when clicking on a file outside the document root.

from ifm.

misterunknown commented on August 16, 2024

I added the check which works fine for me. Please let me know if you have any trouble with that.

from ifm.

misterunknown commented on August 16, 2024

Ok, I tested this feature in several environments, and think it can be merged. I'll do this during the day.

from ifm.
