digitalmars.D.learn - Check if path is child of directory

"Jeroen Bollen" <jbinero gmail.com> writes:
I'm building a webserver using the Vibe.d library. Whenever the 
user requests a page inside my /images/ folder; I want them to 
output this file.

Because there will be a lot of images present, and because these 
are likely to change in the future, I would like to just get the 
URL from the request, and automatically output the file.

I am aware though, that users could perform tricks like 
"images/../../../../sensitive_file_here". In order to prevent 
that I would like a solid way of making sure the entered path is 
actually inside the images directory.

How do I do this?
Feb 09 2014
"Jeroen Bollen" <jbinero gmail.com> writes:
On Sunday, 9 February 2014 at 21:02:59 UTC, Jeroen Bollen wrote:
> I'm building a webserver using the Vibe.d library. Whenever the
> user requests a page inside my /images/ folder; I want them to
> output this file.
>
> Because there will be a lot of images present, and because
> these are likely to change in the future, I would like to just
> get the URL from the request, and automatically output the file.
>
> I am aware though, that users could perform tricks like
> "images/../../../../sensitive_file_here". In order to prevent
> that I would like a solid way of making sure the entered path
> is actually inside the images directory.
>
> How do I do this?

I just figured out vibe.d handles this automatically, but I'd still like to know of a secure way to do this, for future reference.
Feb 09 2014
Jonathan M Davis <jmdavisProg gmx.com> writes:
On Sunday, February 09, 2014 21:09:51 Jeroen Bollen wrote:
> On Sunday, 9 February 2014 at 21:02:59 UTC, Jeroen Bollen wrote:
>> I'm building a webserver using the Vibe.d library. Whenever the
>> user requests a page inside my /images/ folder; I want them to
>> output this file.
>>
>> Because there will be a lot of images present, and because
>> these are likely to change in the future, I would like to just
>> get the URL from the request, and automatically output the file.
>>
>> I am aware though, that users could perform tricks like
>> "images/../../../../sensitive_file_here". In order to prevent
>> that I would like a solid way of making sure the entered path
>> is actually inside the images directory.
>>
>> How do I do this?
> I just figured out vibe.d handles this automatically, but I'd still like to know of a secure way to do this, for future reference.

std.path.absolutePath will take care of any ..'s at the beginning (which doesn't quite seem to be your problem here, but it might be useful depending on what you're doing). However, what you probably want here is std.path.buildNormalizedPath. Like buildPath, it can be used to construct a path from multiple strings, but if you give it only one string, it'll still work and will normalize it (it just won't have anything else to append to it like it would if you were really building a path).

- Jonathan M Davis
Feb 09 2014
"Jesse Phillips" <Jesse.K.Phillips+D gmail.com> writes:
On Sunday, 9 February 2014 at 21:02:59 UTC, Jeroen Bollen wrote:
> I'm building a webserver using the Vibe.d library. Whenever the
> user requests a page inside my /images/ folder; I want them to
> output this file.
>
> Because there will be a lot of images present, and because
> these are likely to change in the future, I would like to just
> get the URL from the request, and automatically output the file.
>
> I am aware though, that users could perform tricks like
> "images/../../../../sensitive_file_here". In order to prevent
> that I would like a solid way of making sure the entered path
> is actually inside the images directory.
>
> How do I do this?

You can remove the directory navigation with std.path.buildNormalizedPath, not sure the behavior on a relative path, but you could call std.path.absolutePath first.
Feb 09 2014
"Jeroen Bollen" <jbinero gmail.com> writes:
On Monday, 10 February 2014 at 00:44:23 UTC, Jesse Phillips wrote:
> On Sunday, 9 February 2014 at 21:02:59 UTC, Jeroen Bollen wrote:
>> I'm building a webserver using the Vibe.d library. Whenever
>> the user requests a page inside my /images/ folder; I want
>> them to output this file.
>>
>> Because there will be a lot of images present, and because
>> these are likely to change in the future, I would like to just
>> get the URL from the request, and automatically output the
>> file.
>>
>> I am aware though, that users could perform tricks like
>> "images/../../../../sensitive_file_here". In order to prevent
>> that I would like a solid way of making sure the entered path
>> is actually inside the images directory.
>>
>> How do I do this?
> You can remove the directory navigation with std.path.buildNormalizedPath, not sure the behavior on a relative path, but you could call std.path.absolutePath first.

Would that be relative to the working directory? Would "./../" still work?
Feb 10 2014
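
Added example, not part of the thread and not vibe.d's own code: a lexical containment check built on the std.path functions named in the replies, covering the "./../", absolute-path and sibling-directory cases. The helper name resolveInside and all sample paths are constructed; it assumes POSIX-style paths and an already URL-decoded request path, and it does not resolve symlinks.

```d
import std.algorithm : endsWith, startsWith;
import std.path : absolutePath, buildNormalizedPath, dirSeparator;
import std.stdio : writeln;

/// Hypothetical helper: returns the normalized absolute path of `requested`
/// if it stays inside `root`, or null if it would escape.
string resolveInside(string root, string requested)
{
    // absolutePath resolves a relative root against the current working
    // directory; buildNormalizedPath then collapses "." and ".." segments.
    immutable base = buildNormalizedPath(absolutePath(root));

    // Like buildPath, buildNormalizedPath drops `base` when `requested` is
    // itself absolute, so the join alone does not guarantee containment.
    immutable full = buildNormalizedPath(base, requested);

    // Compare on a separator boundary so that "/srv/www/images_private"
    // is not accepted as a child of "/srv/www/images".
    immutable prefix = base.endsWith(dirSeparator) ? base : base ~ dirSeparator;
    if (full == base || full.startsWith(prefix))
        return full;
    return null;
}

void main()
{
    enum root = "/srv/www/images"; // constructed sample root

    // Paths that stay inside the root are returned in normalized form.
    assert(resolveInside(root, "cats/tabby.png") == "/srv/www/images/cats/tabby.png");
    assert(resolveInside(root, "./a/../b.png") == "/srv/www/images/b.png");

    // Traversal, absolute paths and look-alike sibling directories are rejected.
    assert(resolveInside(root, "../../../../sensitive_file_here") is null);
    assert(resolveInside(root, "./../") is null);
    assert(resolveInside(root, "/etc/passwd") is null);
    assert(resolveInside(root, "../images_private/x.png") is null);

    writeln("all checks passed");
}
```

Because the check is purely lexical, a symlink inside the images directory that points elsewhere still passes it.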