tags:

views:

195

answers:

4
+1  Q: 

How do I make sure a file path is safe in C#?

I have an asp.net mvc app with a route that allows users to request files that are stored outside of the web application directory.

I'll simplify the scenario by just telling you that it's going to ultimately confine them to a safe directory to which they have full access.

For example:

If the user (whose ID is 100) requests:

http://mysite.com/Read/Image/Cool.png

then my app is going to append "Cool.png" to "C:\ImageRepository\Users\100\" and write those bytes to the response. The worker process has access to this path, but the anonymous user does not. I already have this working.

But will some malicious user be able to request something like:

http://mysite.com/Read/Image/..\101\Cool.png

and have it resolve to

"C:\ImageRepository\Customers\101\Cool.png"

(some other user's image?!)

Or something like that? Is there a way to make sure the path is clean, such that the user is constrained to their own directory?

+3  A: 

How about

var fileName = System.IO.Path.GetFileName(userFileName);
var targetPath = System.IO.Path.Combine(userDirectory, fileName);

That should ensure you get a simple filename only.

Tor Haugen  2009-11-18 01:10:12
I'm going to read about these methods right away and play around with them in Linqpad. I have a hunch this is the right direction.
Chris  2009-11-18 01:23:27
This throws exceptions whenever I mess with the input, so I think this is the way to go.
Chris  2009-11-18 02:12:16
A: 

Perhaps you should verify that the path starts with the user's directory path?

e.g. "C:\ImageRepository\Customers\100\"

You should also normalize the paths to uppercase letters when comparing them.

Zach Johnson  2009-11-18 01:10:17
So how about C:\ImageRepository\Customers\100\..\101\secretstuff.png?
DrJokepu  2009-11-18 01:12:29
He should first resolve the path to its most simple form, and then verify that the path is prefixed by the correct path.
Zach Johnson  2009-11-18 01:17:19
Ok, so maybe a combination of Tor's answer and your .StartsWith() suggestion?
Chris  2009-11-18 01:22:55
I know it's nitpicking, but "resolving to the most simple form" is not straightforward at all, given that NTFS supports junctions (hard links). All I'm saying I guess that this problem is a lot more complicated than it looks like at first glance.
DrJokepu  2009-11-18 01:50:42
A: 

The safest way, if it is an option (you are using windows auth), is to make it a non-issue by using Active Directory rights on the folders so it doesn't matter if the user attempts to access a directory that is not valid.

Absent that, store the files so that the path is abstracted from the user. That is, use whatever name the user provides as a lookup in a table that has the REAL path to the file.

Cannolocalization protection is tricky business and it is dangerous to try and outthink a potential attacker.

JohnFx  2009-11-18 01:15:38
Unfortunately this app is destined for the internets.
Chris  2009-11-18 01:22:20
Which means what, exactly?
JohnFx  2009-11-18 02:30:34
A: 

Using the Request.MapPath overload is one way to check this: 

try
{
  string mappedPath = Request.MapPath( inputPath.Text,                                  Request.ApplicationPath, false);
}
catch (HttpException)
{
  // do exception handling
}

Also you could explode the string and delimit it by slashes, and check the username match also.

Jeremy Morgan  2009-11-18 01:17:32

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?