Why use realpath()?

Question

PHP's realpath() is well described in the manual, I'd just like to understand in which scenarios it is useful. Because it seems that my code works well enough with paths like ../../path so I'm not really sure where realpath() is useful or even necessary.

Answer 1

THE BAD NEWS IS

When you use a "dot-dot-slash" for your path you're in a warning state to be attacked using Path Traversal, This attack aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with "dot-dot-slash" (../) sequences and their variations, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration and critical system files, limited by system operational access control. The attacker uses "../" sequences to move up to root directory, thus permitting navigation through the file system.

This attack can be executed with external malicious code injected on the path, like the Resource Injection attack. To perform this attack it’s not necessary to use a specific tool; attackers typically use a spider/crawler to detect all URLs available.

This attack is also known as "dot-dot-slash", "directory traversal", "directory climbing" and "backtracking".

you can check this over ..

AND, THE GOOD NEWS IS....

realpath() will let you convert any path that may contain relative information into an absolute path. You can then ensure that path is under a certain subdirectory that you want to allow access to.

For absolute paths such as in URLs your subdomain and protocol can be controlled. People that enter through an obscure subdomain will be funneled into the proper subdomain. You can hop back and forth between secure and non-secure as appropriate. And, using it can be configurable. Developers love things to be absolute.

You can design neat algorithms when using absolute URLs. URLs can be made configurable so that a URL can be updated site-wide with a single change in a single configuration file.

But if you look at this:

<a href=“index.php?q=”>index.php?q=</a>
<link src=“../.././../css/default.css” />

Are you not confused by that?

1. CONFUSING, How many dots are there? how many folders? Where is the file? Why isn't it working?
2. MAINTENANCE, If a file is accidentally moved resources quit loading, links send the user to the wrong pages, form data might be sent to the incorrect page. If a file NEEDS to be moved all the resources that are going to quit loading and all the links that are going to be incorrect need to be updated.
3. IT DOES NOT SCALE, when webpages become more complex and views start getting reused across multiple pages the relative links will be relative to the file that they were included into. If you have a navigation snippet of HTML that is going to be on every page then relative will be relative to a lot of different places. The first thing people realize when they start creating a template is that they need a way to manage the URLs.
4. COMPUTED - They are implemented by your browser (hopefully according to RFC). See chapter 5 in RFC3986.
5. OOPS!!! - Errors or typos can result in spider traps.

Sorry for my bad english... :)

Answer 2

In my experience I found realpath() useful for

1. Clarity

when displaying/logging/storing a full path instead of a relative one is more desiderable.

2. Safety

to ensure that a given file path is below (in the filesystem hierarchy) a "base" path, before doing something with that file (serving, editing, etc...)

Example:

$full_path = realpath( $relative_path );

if( $full_path !== false && strpos( $full_path, "/var/www/whatever/" ) === 0 )
{
    //...
}

---

A couple of things worth mentioning:

realpath() resolves symlinks.

realpath() returns FALSE if the file or directory doesn't exist.