In our app, we ask people to specify a file share. These files are analyzed, usually 1-5. Someone apprently specified \localhost\c$\windows. It's one thing that it's a intranet app.
Question is what is a good approach to prevent such misuse?
+7
A:
Two things that come to mind right away are 1) whitelisting machines and/or shares (only allow certain inputs to pass) or 2) putting some sort of sanity check on the input (if (files.Count > 10) throw new JerkException("u r a jerk")).
Talljoe
2009-06-06 04:15:06
+1
A:
In addition to monitoring the file count, you could black-list certain share names and path names (winnt, windows, temp, "program files", etc.) or specific files known to be in the windows directory could raise a flag. Obviously, you can't check for every case, but you can catch the most likely user errors.
In addition, it sounds like trouble if you have: #1) a service that touches file systems via paths manually specified by users (reminds me of a sql injection) and #2) users who know enough to try \\localhost\c$. You may need to consider better security and logging.
Doug L.
2009-06-06 08:03:33