Den må ikke gå ud af hovedmappen

Hej.

Jeg har downloadet det her system på nettet. Hvordan kan jeg lave sådan at man ikke kan gå ud af "hovedmappen". Lad os kalde den /www/test/

Koden som den er nu kan man køre: files.php?folder=/test/test/../../../
og så kommer man ud af sin "hovedmappe", og kan nu rette i filer der ikke er tilladt.

<?php
session_start();

    if(isset($_GET['folder'])){
        $folder = "/www/test/" . $_GET['folder'] . "/";
        // $folder2 = $_GET['folder'] . "/";
    }else{
        $folder = "/www/test/";
    }

    echo "<html><head><title></title><head><body>";
    echo "<form method='post' name='delForm'><input type='hidden' name='delFile'><input type='hidden' name='show'></form>";
    echo "<script language='javascript'>
      function confirmDel(filename){
          if(confirm('Do you want to delete '+filename+'?')){
            document.forms['delForm'].delFile.value= filename;
            document.forms['delForm'].submit();
        }
      }
      function showFile(filename){
              file = encodeURI(filename);
            window.open('show.php?show='+file);
      }
      </script>";

    if(isset($_POST['UPLOAD_URL'])){
        $uploaddir = $_POST['UPLOAD_URL'];
        $uploadfile = $uploaddir . $_FILES['userfile']['name'];

        if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
            echo  "<script language='javascript'>alert(\"File is valid, and was successfully uploaded.\")</script>";
        } else {
            print "<script language='javascript'>alert(\"Possible file upload attack!  File was not uploaded.\")</script>";
        }
    }
    if(isset($_POST['delFile'])){
        $del = $_POST['delFile'];
        if(is_dir($folder.$del)){
            if(!rmdir($folder.$del)){
                echo "<script language='javascript'>alert(\"Could not delete $del. \\n Make sure folder is empty.\");</script>";
            }
        }else{
            if(!unlink($folder.$del)){
                echo "<script language='javascript'>alert(\"Could not delete $del\");</script>";
            }
        }
    }
    if(isset($_POST['dir'])){
        mkdir($folder.$_POST['dir']);

    }
    if(isset($_POST['fileName'])){
        $newFile = $_POST['fileName'];
        $fh = fopen($folder.$newFile, "w");
        if(fwrite($fh, "")===false){
            echo "<script language='javascript'>   
            alert('$newFile could not be created');
            </script>";
        }
        fclose($fh);
    }

    echo "<hr>";
    if($folder != "../"){
        $parent = substr($folder2, 0, (strrpos(substr($folder2, 0, (strlen($folder2)-1)), "/")+1));

        echo "<button onclick='location.replace(\"files.php?folder=$parent\")'>Parent folder</button><br><hr>";
    }

    $list = make_file_tree($folder);
    $dirlist = $list['dirs'];
    $filelist = $list['files'];
    echo "Directories:<br>";
    echo "<table width = '400'>";
    for($i=0;$i<count($dirlist); $i++){
        echo "<tr><td><a href='files.php?folder=$folder2$dirlist[$i]'>$dirlist[$i]</a></td>";
        echo "<td width='25'><button onclick='confirmDel(\"".$dirlist[$i]."\")'>Delete</button></td></tr>";
    }
    echo "</table><hr>";
        echo "<form name='newDir' method='POST'>Create new directory:<input type='text' name='dir'><input type='submit' value='Create'></form><hr>";

    while ($typelist = current($filelist)) {

        $key = key($filelist);
        echo "<b>Files of type: $key</b><br>";
        echo "<table width = '400'>";
        for($j=0; $j<count($typelist);$j++){

if($typelist[$j] == "index.php") {
}else{

            echo "<tr><td width='90%'>$typelist[$j]</td>";
            if($key == "php"|| $key == "html" || $key == "css" || $key == "htm" || $key == "txt"){
                echo "<td width='25'><button onclick='showFile(\"".$folder.$typelist[$j]."\")'>Edit</button></td>";
            }

            echo "<td width='25'><button onclick='window.open(\"".$folder.$typelist[$j]."\")'>Show</button></td>";
            echo "<td width='25'><button onclick='confirmDel(\"".$typelist[$j]."\")'>Delete</button></td></tr>";
        }
}
        echo "</table><hr>";
        next($filelist);
    }
    echo "<form name='newFile' method='POST'>Create new file:<input type='text' name='fileName'><input type='submit' value='Create'></form><hr>";
    echo "<form enctype=\"multipart/form-data\" method=\"post\">
<input type=\"hidden\" name=\"MAX_FILE_SIZE\" value=\"500000\" />
<input type=\"hidden\" name=\"UPLOAD_URL\" value=\"".$folder."\" />
Upload file: <input name=\"userfile\" type=\"file\" />
<input type=\"submit\" value=\"Upload\" />
</form>";


    echo "</body></html>";

/*testestetstets*/
function make_file_tree($path){ //where $path is your source dir.
$handle=opendir($path);
while($a=readdir($handle)){
    if(!preg_match('/^\./',$a)){
        $full_path="$path$a";
        if(is_dir($full_path)){
            $dirs[]="$a";

        }else if(is_file($full_path) && $a != "temp.txt"){
            $ext = substr($a, (strrpos($a, ".")+1));
            $files[$ext][]="$a";
        }

    }
}
closedir($handle);
$list['dirs'] = $dirs;
$list['files'] = $files;
return $list;
}
?>