December 06, 2016 Tutorial: Form upload in vibe.d | ||||
---|---|---|---|---|
| ||||
https://aberba.github.io/2016/form-upload-in-vibe-d/ |
December 07, 2016 Re: Tutorial: Form upload in vibe.d | ||||
---|---|---|---|---|
| ||||
Posted in reply to aberba | On Tuesday, 6 December 2016 at 22:28:04 UTC, aberba wrote:
> https://aberba.github.io/2016/form-upload-in-vibe-d/
Thanks for the tutorial! Please keep them coming.
|
December 08, 2016 Re: Tutorial: Form upload in vibe.d | ||||
---|---|---|---|---|
| ||||
Posted in reply to aberba | On 06.12.2016 at 23:28, aberba wrote:
> https://aberba.github.io/2016/form-upload-in-vibe-d/
Nice article, I'll add this to the tutorials section [1]. Two additional suggestions:

- It's probably a good idea to mention that HTTPServerSettings.maxRequestSize is 2 MiB by default and should be increased if larger files are expected

- The last snippet with "static this()" (using "shared static this" would be better to avoid issues in multi-threaded applications) doesn't contain the /upload route, but it's probably better to have it either there or later within the text, as it may not be obvious how to register that exactly

[1]: https://vibed.org/tutorials
|
December 08, 2016 Re: Tutorial: Form upload in vibe.d | ||||
---|---|---|---|---|
| ||||
Posted in reply to Sönke Ludwig | On Thursday, 8 December 2016 at 00:44:19 UTC, Sönke Ludwig wrote:
> On 06.12.2016 at 23:28, aberba wrote:
>> https://aberba.github.io/2016/form-upload-in-vibe-d/
>
> Nice article, I'll add this to the tutorials section [1]. Two additional suggestions:
>
> - It's probably a good idea to mention that HTTPServerSettings.maxRequestSize is 2 MiB by default and should be increased if larger files are expected
>
> - The last snippet with "static this()" (using "shared static this" would be better to avoid issues in multi-threaded applications) doesn't contain the /upload route, but it's probably better to have it either there or later within the text, as it may not be obvious how to register that exactly
>
> [1]: https://vibed.org/tutorials
Done! Thanks for the feedback.
|
December 08, 2016 Re: Tutorial: Form upload in vibe.d | ||||
---|---|---|---|---|
| ||||
Posted in reply to aberba | On Tuesday, 6 December 2016 at 22:28:04 UTC, aberba wrote:
> https://aberba.github.io/2016/form-upload-in-vibe-d/u
Love the article! Please keep writing tutorials like this :-D.

Feedback:
1.
The upload function is (kind of) vulnerable against path traversal:
moveFile(file.tempPath, Path("./public/uploads") ~ file.filename);

If a file named "../SomeOtherFile.htm" is uploaded the server will hit this assert:
https://github.com/rejectedsoftware/vibe.d/blob/master/core/vibe/core/path.d#L426
Denial of Service attack!

When the application is compiled with the release flag the assert will be omitted and the path traversal will work.

2.
It would be more beginner friendly if you also described how to add the upload function to the router.

3.
Your GitHub link on the left side is broken. Discovered this when I was looking for a zip with the finished code.
|
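One way to close the path traversal reported in the post above, as an added example that is not code from the tutorial, from vibe.d, or from anyone in this thread. The helper name `safeUploadTarget` is hypothetical, it works on plain strings using only Phobos, the filenames in `main` are constructed, and it strips directory components rather than rejecting the upload.

```d
import std.algorithm.searching : startsWith;
import std.exception : collectException, enforce;
import std.path : absolutePath, buildNormalizedPath, dirSeparator, isValidFilename;
import std.stdio : writeln;
import std.string : lastIndexOfAny;

/// Hypothetical helper: turn a client-supplied filename into a path that
/// lies inside uploadDir, or throw. It uses enforce rather than assert,
/// so the checks stay active when the application is built with -release.
string safeUploadTarget(string uploadDir, string clientName)
{
    // Drop any directory part. Both '/' and '\' count as separators,
    // whatever the host OS, because the client chooses the string.
    immutable cut = clientName.lastIndexOfAny("/\\");
    string name = cut < 0 ? clientName : clientName[cut + 1 .. $];

    // What is left must be a plain file name: not empty, not "." or "..",
    // and accepted by isValidFilename (no NUL, no separator characters).
    enforce(name.length > 0 && name != "." && name != ".."
            && isValidFilename(name), "rejected upload filename");

    // Defence in depth: the normalized result must still be below the root.
    string root = buildNormalizedPath(absolutePath(uploadDir));
    string target = buildNormalizedPath(root, name);
    enforce(target.startsWith(root ~ dirSeparator),
            "upload path escapes the upload directory");
    return target;
}

void main()
{
    // Constructed sample filenames, including the one named in the post.
    foreach (n; ["report.pdf", "../SomeOtherFile.htm", "..\\..\\app.d",
                 "a/b/../../x.txt", "..", ""])
    {
        string result;
        auto err = collectException(result = safeUploadTarget("./public/uploads", n));
        writeln("[", n, "] -> ", err is null ? result : "rejected: " ~ err.msg);
    }
}
```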
December 10, 2016 Re: Tutorial: Form upload in vibe.d | ||||
---|---|---|---|---|
| ||||
Posted in reply to NVolcz | On Thursday, 8 December 2016 at 20:48:52 UTC, NVolcz wrote:
> On Tuesday, 6 December 2016 at 22:28:04 UTC, aberba wrote:
>> [...]
>
> Love the article! Please keep writing tutorials like this :-D.
>
> Feedback:
> 1.
> The upload function is (kind of) vulnerable against path traversal:
> moveFile(file.tempPath, Path("./public/uploads") ~ file.filename);
>
> [...]
Thanks for feedback. Will consider those points raised in thought. Will add more advanced stuff and security as time goes on.
|
December 11, 2016 Re: Tutorial: Form upload in vibe.d | ||||
---|---|---|---|---|
| ||||
Posted in reply to aberba | On Saturday, 10 December 2016 at 17:39:20 UTC, aberba wrote:
> On Thursday, 8 December 2016 at 20:48:52 UTC, NVolcz wrote:
>> On Tuesday, 6 December 2016 at 22:28:04 UTC, aberba wrote:
>>> [...]
>>
>> Love the article! Please keep writing tutorials like this :-D.
>>
>> Feedback:
>> 1.
>> The upload function is (kind of) vulnerable against path traversal:
>> moveFile(file.tempPath, Path("./public/uploads") ~ file.filename);
>>
>> [...]
>
> Thanks for feedback. Will consider those points raised in thought. Will add more advanced stuff and security as time goes on.
Please fix the security vulnerability for this tutorial as well in case someone copy pastes the code.
|