There's another reason why this won't necessarily work:
f) >$filename = $_SERVER['DOCUMENT_ROOT'] . preg_replace('{(\.\.|\\\\)}', '', $matches[1]);
That means that any file that would be passed through successfully
is taken relative to the DOCUMENT_ROOT...
So accessing a:
http://foo.bar/davical/caldav.php/images/foo.png
would result e.g. in the path
/srv/www/foor.bar/images/foo.png
The /davical/ would be missing, or any other path below which the whole
Davical is installed.

Again, this might allow reading files that shouldn't be exposed.


Of course one could repair this with some trickery... and get the correct
path.
If this is done (again, I suggest removing all this).... then (e) above should
be updated... to tell the users
that they should really only add the full path to (likely) davical to the
open_basedir,
i.e. not /srv/www/foor.bar but /srv/www/foor.bar/images.... never allow more
than necessary.


Cheers,
Chris.

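The two effects described in the message above (the DOCUMENT_ROOT-relative path missing the /davical/ prefix, and files outside the DAViCal directory becoming reachable) can be reproduced side by side. The following is an added example written for this page, not DAViCal's code: naive_static_path() mirrors the quoted one-liner, and safe_static_path() is a hypothetical hardened replacement that resolves the request against the DAViCal install directory with realpath() and refuses anything that does not end up strictly inside it. The directory layout, file names and the $root temporary directory are constructed for the demo.

```php
<?php
// Added example, not part of DAViCal. Compares the quoted sanitiser with a
// realpath()-based check that pins the served file under one base directory.

// Mirrors the quoted line: strip '..' and '\' and prepend DOCUMENT_ROOT.
function naive_static_path(string $document_root, string $requested): string
{
    return $document_root . preg_replace('{(\.\.|\\\\)}', '', $requested);
}

// Hypothetical hardened variant: resolve under $base_dir and verify the result
// is inside it. Returns null when the file is missing or outside the base.
function safe_static_path(string $base_dir, string $requested): ?string
{
    $base = realpath($base_dir);              // canonical base, no trailing separator
    if ($base === false) {
        return null;
    }
    // Let the filesystem resolve '..' and symlinks instead of pattern-stripping.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . ltrim($requested, '/'));
    if ($candidate === false) {
        return null;                          // does not exist
    }
    // Compare against base + separator so a sibling like /srv/www/davical-old
    // cannot pass for base /srv/www/davical by sharing a string prefix.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;                          // escaped the base directory
    }
    return $candidate;
}

// Constructed layout: DOCUMENT_ROOT with DAViCal installed in a subdirectory
// and an unrelated private directory next to it.
$root = sys_get_temp_dir() . '/docroot_' . getmypid();
mkdir("$root/davical/images", 0700, true);
mkdir("$root/private", 0700, true);
file_put_contents("$root/davical/images/foo.png", 'png');
file_put_contents("$root/private/secret.txt", 'secret');

$cases = [
    '/images/foo.png',                    // the legitimate request
    '/private/secret.txt',                // sibling of davical under DOCUMENT_ROOT
    '/images/../../private/secret.txt',   // traversal attempt
];

foreach ($cases as $req) {
    $naive = naive_static_path($root, $req);
    $safe  = safe_static_path("$root/davical", $req);
    printf("%-36s naive: %-28s safe: %s\n",
        $req,
        is_file($naive) ? 'serves ' . substr($naive, strlen($root)) : 'missing file',
        $safe === null ? 'denied' : 'serves ' . substr($safe, strlen($root)));
}

// Clean up the constructed layout.
unlink("$root/davical/images/foo.png");
unlink("$root/private/secret.txt");
rmdir("$root/davical/images");
rmdir("$root/davical");
rmdir("$root/private");
rmdir($root);
```

Running it shows the naive variant failing to find /davical/images/foo.png (the missing /davical/ prefix) while happily serving /private/secret.txt, whereas the hardened variant serves only the file under the DAViCal directory and denies both other requests. The realpath() prefix check complements, rather than replaces, the open_basedir advice in the message: keep open_basedir as tight as possible as the outer guard, and have the application itself verify the resolved path as the inner one.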