February 09, 2014 Check if path is child of directory

I'm building a webserver using the Vibe.d library. Whenever the user requests a page inside my /images/ folder; I want them to output this file.

Because there will be a lot of images present, and because these are likely to change in the future, I would like to just get the URL from the request, and automatically output the file.

I am aware though, that users could perform tricks like "images/../../../../sensitive_file_here". In order to prevent that I would like a solid way of making sure the entered path is actually inside the images directory.

How do I do this?

February 09, 2014 Re: Check if path is child of directory

Posted in reply to Jeroen Bollen

On Sunday, 9 February 2014 at 21:02:59 UTC, Jeroen Bollen wrote:
> I'm building a webserver using the Vibe.d library. Whenever the user requests a page inside my /images/ folder; I want them to output this file.
>
> Because there will be a lot of images present, and because these are likely to change in the future, I would like to just get the URL from the request, and automatically output the file.
>
> I am aware though, that users could perform tricks like "images/../../../../sensitive_file_here". In order to prevent that I would like a solid way of making sure the entered path is actually inside the images directory.
>
> How do I do this?

I just figured out vibe.d handles this automatically, but I'd still like to know of a secure way to do this, for future reference.

February 10, 2014 Re: Check if path is child of directory

Posted in reply to Jeroen Bollen

On Sunday, February 09, 2014 21:09:51 Jeroen Bollen wrote:
> On Sunday, 9 February 2014 at 21:02:59 UTC, Jeroen Bollen wrote:
> > I'm building a webserver using the Vibe.d library. Whenever the user requests a page inside my /images/ folder; I want them to output this file.
> >
> > Because there will be a lot of images present, and because these are likely to change in the future, I would like to just get the URL from the request, and automatically output the file.
> >
> > I am aware though, that users could perform tricks like "images/../../../../sensitive_file_here". In order to prevent that I would like a solid way of making sure the entered path is actually inside the images directory.
> >
> > How do I do this?
>
> I just figured out vibe.d handles this automatically, but I'd still like to know of a secure way to do this, for future reference.

std.path.absolutePath will take care of any ..'s at the beginning (which doesn't quite seem to be your problem here, but it might be useful depending on what you're doing). However, what you probably want here is std.path.buildNormalizedPath. Like buildPath, it can be used to construct a path from multiple strings, but if you give it only one string, it'll still work and will normalize it (it just won't have anything else to append to it like it would if you were really building a path).

- Jonathan M Davis

February 10, 2014 Re: Check if path is child of directory

Posted in reply to Jeroen Bollen

On Sunday, 9 February 2014 at 21:02:59 UTC, Jeroen Bollen wrote:
> I'm building a webserver using the Vibe.d library. Whenever the user requests a page inside my /images/ folder; I want them to output this file.
>
> Because there will be a lot of images present, and because these are likely to change in the future, I would like to just get the URL from the request, and automatically output the file.
>
> I am aware though, that users could perform tricks like "images/../../../../sensitive_file_here". In order to prevent that I would like a solid way of making sure the entered path is actually inside the images directory.
>
> How do I do this?

You can remove the directory navigation with std.path.buildNormalizedPath, not sure the behavior on a relative path, but you could call std.path.absolutePath first.

February 10, 2014 Re: Check if path is child of directory

Posted in reply to Jesse Phillips

On Monday, 10 February 2014 at 00:44:23 UTC, Jesse Phillips wrote:
> On Sunday, 9 February 2014 at 21:02:59 UTC, Jeroen Bollen wrote:
>> I'm building a webserver using the Vibe.d library. Whenever the user requests a page inside my /images/ folder; I want them to output this file.
>>
>> Because there will be a lot of images present, and because these are likely to change in the future, I would like to just get the URL from the request, and automatically output the file.
>>
>> I am aware though, that users could perform tricks like "images/../../../../sensitive_file_here". In order to prevent that I would like a solid way of making sure the entered path is actually inside the images directory.
>>
>> How do I do this?
>
> You can remove the directory navigation with std.path.buildNormalizedPath, not sure the behavior on a relative path, but you could call std.path.absolutePath first.

Would that be relative to the working directory? Would "./../" still work?
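
Added example, not from any of the posts above: one way to combine the two std.path functions suggested in the thread into a containment check, resolving the request against the images root rather than the working directory. The function name `resolveInside`, the root directory and the sample requests are constructed for illustration (POSIX-style paths assumed).

```d
import std.algorithm.searching : startsWith;
import std.path : absolutePath, buildNormalizedPath, dirSeparator, isRooted;
import std.stdio : writeln;

/// Returns the normalized absolute path for `requested` if it stays
/// inside `root`, or null if it would escape (hypothetical helper).
/// `root` is made absolute once; `requested` is joined onto `root`,
/// never onto the process's working directory.
string resolveInside(string root, string requested)
{
    // Policy chosen for this example: empty or rooted input is refused
    // up front instead of being allowed to replace the root.
    if (requested.length == 0 || isRooted(requested))
        return null;

    // absolutePath defaults its base to the working directory, so it is
    // applied to the trusted root only.
    immutable base = buildNormalizedPath(absolutePath(root));

    // buildNormalizedPath collapses "." and ".." segments lexically.
    immutable full = buildNormalizedPath(base, requested);

    // Compare against the root plus a trailing separator, so a sibling
    // such as ".../images_old" is not accepted as a child of ".../images".
    if (!full.startsWith(base ~ dirSeparator))
        return null;
    return full;
}

void main()
{
    enum root = "/srv/www/images"; // constructed sample root
    // Constructed sample requests, including the ones asked about above.
    foreach (req; ["cat.png", "sub/./dog.png", "sub/../cat.png",
                   "../../../../sensitive_file_here", "./../secret",
                   "../images_old/x.png", "/etc/passwd"])
    {
        auto p = resolveInside(root, req);
        writeln(req, " -> ", p is null ? "REJECTED" : p);
    }
}
```

The check is lexical only: buildNormalizedPath does not resolve symbolic links, and the request path has to be URL-decoded before it is passed in.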
Copyright © 1999-2021 by the D Language Foundation