ansaurus

Question

C#: How to determine whether an relative path points outside an given path.

Answer 1

+2 A:

Not very pretty but I think it should work.

if (System.IO.Path.GetFullPath(path).IndexOf(projectPath, StringComparison.CurrentCultureIgnoreCase) == -1)
{
  // naughty
}

Edited to be a good global citizen.

ho1 2010-06-28 10:51:52

**Do not** implement case-insensitive string comparisons with ToUpper/ToLower. It fails the Turkey Test. Use one of the String.IndexOf overloads with a StringComparison parameter.

dtb 2010-06-28 10:54:23

+1 for naughty :D

Matt Ellen 2010-06-28 10:54:25

also use Path.GetDirectoryName(projectPath) instead of projectPath

Orsol 2010-06-28 10:56:54

For those not being familiar with what the Turkey Test is: http://www.codinghorror.com/blog/2008/03/whats-wrong-with-turkey.html

0xA3 2010-06-28 11:15:59

@dtb: Yes, too used to UK only apps where I never have to worry about that.

ho1 2010-06-28 11:23:28

@Orsol: I meant projectPath as the path to the directory rather than the path to the actual project file, maybe should have been clearer.

ho1 2010-06-28 11:24:31

Answer 2

+4 A:

You could try using the following extension method:

public static bool IsChildOf(this string path, string parentPath)
{
    return Path.GetFullPath(path).StartsWith(Path.GetFullPath(parentPath),
           StringComparison.InvariantCultureIgnoreCase);
}

Ed Courtenay 2010-06-28 11:00:44

This seems the best solution for me. Works fine, thanks.

Michael 2010-06-28 11:24:48

This solution has one problem as further tests has showed: When the parent path is somethin like: "C:\dir1\dir2\test" and the path is something like "C:\dir1\dir2\test\..\test.abc" then GetFullPath returns "C:\dir1\dir2\test.abc" which should return false because the file is one level above the parentPath. But it returns true, because of StartsWith...

Michael 2010-06-28 12:55:20

@Michael: After you've converted the it to an absolute path, use `Path.GetDirectoryName` to only get the directory part of the file you're testing.

ho1 2010-06-28 13:00:00

I had changed this already, it was just meant as informations for other readers. Additionally there are more things to check in this scenario to make it really secure, but that would be out of scope of this question.

Michael 2010-06-28 13:10:06

Answer 3

+1 A:

Windows has posix symlinks: ln -s c:\windows\system32\mshtml.dll c:\projects\project.xyz\innocent.txt. When your program opens c:\projects\project.xyz\innocent.txt you get c:\windows\system32\mshtml.dll. Does System.IO.Path.GetFullPath() work here?

POSIX also supports hardlinks. A file can have zero (when deleted), one, two, ten, one hundred filenames. And all are "The Filename", none more correct or less correct than any other.

Windows supports mounting folders into folders. Again, all names are correct.

You can solve this with filesystem permissions: Create a new user for your application. Give that user permissions to your project path. Do not give that user (or Everyone, or any groups the user is a member of) privileges to anything else in any filesystem. Let Microsoft's kernel team solve your problem for you.

sarnold 2010-06-28 11:15:32

Good to know, but in our case the can have multiple projects in different locations. So it would be neccessary that the application would set that rights for that special user for each project. This would require that the application would run with administration privileges, which is'nt a good solution.

Michael 2010-06-29 04:19:49

ansaurus

tags:

views:

answers:

C#: How to determine whether an relative path points outside an given path.

related questions