tags:

views:

257

answers:

3
+1  Q: 

Safe version of Path.Combine

I have a rootPath that I trust and a relativePath that I don't. I want to combine them in such a way that I can be sure that the result is under rootPath and that the user can't use .. to get back past the starting point. I do want the relative path to allow things like: hello\..\world == world

A: 

One thing you can do is to count the number of backslashes (\) and double-dots (..), and make sure that the number of double-dots is smaller than the number of backslashes. In order to go above the rootPath in your folder structure, you'll need at least as many backslashes as double dots - thus, if you only allow relativePaths with at least one more backslash, you should be safe.

Tomas Lycken  2009-04-29 23:26:10
but\..\..\this\goes\who\knowns\where
BCS  2009-04-29 23:29:59
I think you end up needing to keep a running count
BCS  2009-04-29 23:30:49
+4  A: 

System.IO.Path.GetFullPath?

To expand: use Path.Combine, then call GetFullPath on the result and check that that result starts with rootPath.

It won't protect you against hardlinks, but it should catch simple things like double-dots.

the above as code:

string Resolve(string fileName)
{
    string root = FileRoot();
    string ret = Path.GetFullPath(Path.Combine(root, fileName));
    if (ret.StartsWith(root.TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar)) return ret;
    throw new ArgumentException("path resolved to out of accesable directroy");
}
technophile  2009-04-29 23:31:06
I like it :D
BCS  2009-04-29 23:33:50
However, if root does not end with \, it's still possible to play a limited trick -- end up in a different directory, a sibling of the root one, which starts with that as a prefix. E.g., root may be \zip\zop, relative path ..\zopper\zup, you end up in \zip\zopper\zup, outside of the tree rooted in \zip\zop but still satisfying the StartsWith test. Small risk, but not zero.
Alex Martelli  2009-04-29 23:48:31
Nice corner case ... going to add that to the code.
Daniel Brückner  2009-04-29 23:52:47
You can mitigate that attack by using .StartsWith(root.TrimEnd('\\') + '\\'), to ensure the correct path is used.
technophile  2009-04-29 23:52:50
+2  A: 

You could just call Path.GetFullPath() and check if it starts with your trusted rootPath. If you tend to paranoia, check also that rootPath is rooted.

public Boolean IsPathSafe(String rootPath, String relativePath)
{
  return rootPath.EndsWith(Path.DirectorySeparatorChar.ToString()) &&
    Path.IsPathRooted(rootPath) &&
    Patch.Combine(rootPath, relativePath).GetFullPath().StartsWith(rootPath);
}

For an explaination of the first test see Alex Martelli's comment on technophile's answer.

Daniel Brückner  2009-04-29 23:33:15

related questions

Subsonic Vs NHibernate
How to check For File Lock in C# ?
Is nAnt still supported and suitable for .net 3.5/VS2008?
Limit size of Queue<T> in .NET?
Viewstate invalid when using Safari
Free OCR library
Unhandled Exception Handler in .NET 1.1
Localising date format descriptors
Get a new object instance from a Type in C#
VFP .NET OLEdb provider does not work in Win 64-Bits. Help
.NET Testing Framework Advice
Embedded Database for .net that can run off a network
Automatically update version number
Homegrown consumption of web services
How do you migrate a large app from VB6 to VB .net ?
.NET Migrations Engine
Adding Scripting functionality to .NET applications
SQLite and XSD
Floating Point Number parsing: Is there a Catch All algorithm?
How do I programmatically create a PDF in my .NET application?
How do I sync the SVN revision number with my ASP.NET web site?
XSD DataSets and ignoring foreign keys
Anatomy of a "Memory Leak"
Reliable Timer in a Console Application
How do I calculate relative time?