tags:

views:

48

answers:

4
Q: 

Securely enforcing user-inputted file paths within subdirectories

I know the solid security recommendation of avoiding accepting user input that you then use to choose a path to read/write a file. However, assuming you have a base directory you want to keep within (such as the root of an ftp folder), how do you best ensure that a given user input keeps us within that folder?

For instance,

Path.Combine(_myRootFolder, _myUserInput)

could still take us outside of _myRootFolder. And this could also be dodgy

newPath = Path.Combine(_myRootFolder, _myUserInput) if (newPath.StartsWith(_myRootFolder)) ...

given something like "/back/to/myrootfolder/../../and/out/again" from the user. What are the strategies for this? Am I missing a blindingly obvious .NET method I can use?

Thanks!

A: 

You can parse input string and cut ../ with regex.

x2  2009-08-24 10:00:48
What I'm hoping to avoid is relying on my own knowledge of path shortcuts though. Is "../" definitely the only way of moving up a path? Can you do URL type tricks of encoding in weird unicode characters for example.... I'd rather do a check after the file path has been fully unescaped, if that's possible?
James Crowley  2009-08-24 10:07:56
A: 

Well, in your example of an FTP server, you should set the users home-directory, and permissions appropriately, such that they can't navigate out of the folder. Any reason you can't do that?

Noon Silk  2009-08-24 10:06:32
+1  A: 

Within ASP.NET applications you can use Server.MapPath(filename) which will throw an exception if the path generated goes outside of your application root.

If all you want is a safe file name and you just want all files in there it becomes simpler;

    FileInfo file = new FileInfo(
        Server.MapPath(
            Path.Combine(@"c:\example\mydir", filename)));

If you're outside of ASP.NET like you indicate then you could use Path.GetFullPath.

string potentalPath = Path.Combine(@"c:\myroot\", fileName);
if (Path.GetFullPath(potentialPath) ! = potentialPath)
    // Potential path transversal

Or you call Path.GetFullPath and then check the start of it matches the directory you want locked to.

blowdart  2009-08-24 10:14:29
Yeah, that's the sort of functionality I want... except I'm unfortunately in a Windows Service that is batch uploading a bunch of files from one place to another.
James Crowley  2009-08-24 10:28:54
Added another approach then
blowdart  2009-08-24 10:34:12
Cool - thanks - GetFullPath looks like the way to go :)
James Crowley  2009-08-24 10:36:30
+1  A: 

I believe Path.FullPath will do what you need (I didn't test this though):

string newPath = Path.Combine(_myRootFolder, _myUserInput);
string newPath = Path.FullPath(newPath);
if (newPath.StartsWith(_myRootFolder)) ...
Joe  2009-08-24 10:26:18

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?