Need help with file manipulation

Started by Gregjazz, Mon 08/08/2005 07:38:09

Previous topic - Next topic
Print
# Go Down Pages 1 2 All
User actions

Pumaman

#20
Wed 10/08/2005 18:51:33
Restricting to subdirectories is actually more tricky because there are various sneaky tricks that people can use to get around path checking. I'm sure you've heard of security holes in software like IIS where you can specify the path as "subdir\..\..\..\windows\system32\driver.sys" and so forth.

The present method of simply disallowing / and \ characters in the path is the safest way of doing things.

Anyway, since there's support for FileRename and FileDelete I'll certainly consider them for a future version.

GarageGothic

#22
Thu 11/08/2005 02:48:03
Quote from: Pumaman on Wed 10/08/2005 18:51:33
Restricting to subdirectories is actually more tricky because there are various sneaky tricks that people can use to get around path checking. I'm sure you've heard of security holes in software like IIS where you can specify the path as "subdir\..\..\..\windows\system32\driver.sys" and so forth.The present method of simply disallowing / and \ characters in the path is the safest way of doing things.

Why not just disallow multiple periods? I see little need for more full stops in a file name than the one preceeding the file extension.

Gilbert

#23
Thu 11/08/2005 12:56:16
Still, that doesn't help if you do something like:
FileDelete("\aut0exec.bat");

GarageGothic

#24
Thu 11/08/2005 14:19:57
Would that first slash take you to the root directory? I didn't know that. But wouldn't banning the first character from being a backslash guard against that? Or do you mean that autoexec.bat is in the path so it's accessible from anywhere?

Snarky

#25
Thu 11/08/2005 15:04:45
Couldn't you take the path and the filename as two separate parameters? That way you could check to see which directory the path resolved to, and then only perform the action if it is the game directory or a subdirectory. (Of course, you'd have to make sure there's no path fragment in the filename, by simply disallowing \ and / in that string.)

Gilbert

#26
Fri 12/08/2005 01:58:08
I think one reasonable implication is:

FileDelete(String name, String path="");

where / \ : and . are not allowed in both parameters (should generate a warning and crash out).

However, I doubt if it's really that important to go through all these problems.
Print
Go Up Pages 1 2 All
User actions
SMF spam blocked by CleanTalk