Re: IRM Security Advisory 002: Netware Web Server Source Disclosure

From: Alun Jones (alunat_private)
Date: Fri Dec 21 2001 - 10:27:07 PST

    At 04:53 AM 12/21/2001, Ulf Harnhammar wrote:
    >On Thu, 20 Dec 2001, eNowak IGF remote wrote:
    >
    > >       // only read file which is under the secure sewse path -- hence filtering ".."
    > >       if ((argv[i]).indexOf("..") != -1)
    > >       { return "Cannot read from insecure path."; }
    >
    >This fix does not seem to allow people to use filenames that include the
    >characters ".." (i.e., "my_document..ulf.txt" is not valid). It is probably
    >better to parse the file name, so you know what parts are directories and
    >what part is the file name, and then check the directory parts for the
    >exact strings "." and "..".
    
    Better still, and more likely to catch things that you're not expecting, is 
    to construct the full absolute path of the target file, and compare _that_, 
    not the user's input, to a validation rule set.
    
    Your own solution, for instance, doesn't catch certain OS's choice to use 
    "..." to represent "two directories up", nor does it catch "//" in the 
    middle of a path.  Better to expand to a full path, and then do the comparison.
    
    Alun.
    ~~~~
    
    --
    Texas Imperial Software   | Try WFTPD, the Windows FTP Server. Find us at
    1602 Harvest Moon Place   | http://www.wftpd.com or email alunat_private
    Cedar Park TX 78613-1419  | VISA/MC accepted.  NT-based sites, be sure to
    Fax/Voice +1(512)258-9858 | read details of WFTPD Pro for NT.
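Alun's suggestion in working form, as an added example that is not code from this thread: resolve the requested name against the document root and validate the resolved absolute path, not the raw input. The document root `/srv/www/docs` and the sample file names are assumptions made up for the demonstration; `naive_check` mirrors the quoted substring test only to show the difference.

```python
import os

DOC_ROOT = "/srv/www/docs"  # assumed document root, not a path from the thread


def naive_check(user_path: str) -> bool:
    """Mirror of the quoted substring test: reject anything containing "..".

    This is the behaviour Ulf objects to: a legitimate name such as
    "my_document..ulf.txt" is refused, while the check learns nothing
    about where the name actually resolves to on disk.
    """
    return ".." not in user_path


def resolved_path_check(root: str, user_path: str) -> bool:
    """Alun's approach: build the absolute target path, then validate *that*.

    realpath() collapses ".", "..", repeated separators and symlinks, so
    every spelling of "leave the root" ends up as the same resolved path.
    commonpath() (rather than str.startswith) keeps "/srv/www/docs2" from
    passing as a child of "/srv/www/docs".
    """
    root_real = os.path.realpath(root)
    # os.path.join discards root when user_path is absolute; realpath then
    # yields a path outside root, which the comparison below rejects.
    target = os.path.realpath(os.path.join(root_real, user_path))
    try:
        return os.path.commonpath([root_real, target]) == root_real
    except ValueError:  # different drives on Windows: cannot be inside root
        return False


if __name__ == "__main__":
    # Constructed sample requests: the benign name Ulf mentions, a normal
    # nested file, and inputs that resolve outside the root in various ways.
    samples = ["my_document..ulf.txt", "reports/2001/q4.txt",
               "../../private/outside.txt", "reports//..//../private/outside.txt",
               "/tmp/outside.txt", "../docs2/x.txt"]
    for name in samples:
        print(f"{name!r:40} substring check: {naive_check(name)!s:5} "
              f"resolved-path check: {resolved_path_check(DOC_ROOT, name)}")
```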
    



    This archive was generated by hypermail 2b30 : Fri Dec 21 2001 - 11:37:19 PST