So far it seems nobody has bothered to write up a solution for this. Never mind; I am late publishing mine too.
The problem you usually end up with is tricky path navigation, where a user-supplied file name turns the upload path into something like this:
NOTE: I am using Windows to illustrate this, but the same navigation issue exists on Linux too:
C:\inetpub\mywebsite\uploads\..\default.htm
This is not nice: a path like that escapes the uploads directory, so whatever the handler does with the file (write, overwrite, delete) happens to default.htm instead, and if that is your default document you have just lost your front page.
The solution is to make sure the path is expanded into its canonical native form before you check it. I found this works in .NET:
string uploadPath = Path.GetFullPath(GetImageUploadPath());
// A trailing separator stops "...\uploads_other\x" from passing the prefix test against "...\uploads"
if (!uploadPath.EndsWith(Path.DirectorySeparatorChar.ToString()))
    uploadPath += Path.DirectorySeparatorChar;
string fullName = Path.Combine(uploadPath, file);
FileInfo info = new FileInfo(fullName);
// Security check for the file path: FullName has the ".." segments resolved
// (OrdinalIgnoreCase suits Windows; use StringComparison.Ordinal on Linux)
if (!info.FullName.StartsWith(uploadPath, StringComparison.OrdinalIgnoreCase)) // blow it
    throw new Exception("Illegal access");
else
    ... // do whatever you have to do
It works because FileInfo.FullName (like Path.GetFullPath) resolves relative segments such as .. and . against the upload directory, so the resulting absolute path can be compared against the allowed prefix. Two caveats: compare against the root with a trailing separator, otherwise C:\inetpub\mywebsite\uploads_other\x passes a check against C:\inetpub\mywebsite\uploads; and remember that Path.Combine returns an absolute second argument unchanged, so a supplied C:\Windows\win.ini bypasses Combine entirely and the prefix check is what catches it. The check is purely lexical: it does not follow junctions or symbolic links that already exist inside the uploads directory.
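The complete check as an added, stand-alone example (this is not the original post's code). The class and method names SafeUploadPath and Resolve are invented for illustration, the upload roots are constructed paths that need not exist on disk, and OperatingSystem.IsWindows() assumes .NET 5 or later; on older frameworks use RuntimeInformation.IsOSPlatform(OSPlatform.Windows) instead.

```csharp
using System;
using System.IO;

// Added example: canonicalize a user-supplied file name against an upload root
// and reject anything whose resolved path leaves that root.
static class SafeUploadPath
{
    // Returns the canonical full path when fileName stays inside uploadRoot,
    // otherwise null.
    public static string Resolve(string uploadRoot, string fileName)
    {
        // Canonicalize the root and force a trailing separator, so that
        // "...\uploads_evil\x" cannot pass a naive prefix test against "...\uploads".
        string root = Path.GetFullPath(uploadRoot);
        if (!root.EndsWith(Path.DirectorySeparatorChar.ToString()))
            root += Path.DirectorySeparatorChar;

        string full;
        try
        {
            // Path.Combine returns the second argument unchanged when it is rooted
            // (e.g. "C:\Windows\win.ini" or "/etc/passwd"); GetFullPath then resolves
            // any "." and ".." segments, so the prefix check below is the real guard.
            full = Path.GetFullPath(Path.Combine(root, fileName));
        }
        catch (Exception ex) when (ex is ArgumentException
                                || ex is NotSupportedException
                                || ex is PathTooLongException)
        {
            // A name the framework refuses to normalize is not a valid upload name.
            return null;
        }

        // Windows file systems are case-insensitive; Linux file systems are not.
        StringComparison cmp = OperatingSystem.IsWindows()
            ? StringComparison.OrdinalIgnoreCase
            : StringComparison.Ordinal;

        return full.StartsWith(root, cmp) ? full : null;
    }

    static void Main()
    {
        // Constructed roots for illustration; only path strings are manipulated,
        // so nothing here has to exist on disk.
        string root = OperatingSystem.IsWindows()
            ? @"C:\inetpub\mywebsite\uploads"
            : "/srv/mywebsite/uploads";

        // Constructed candidate names. On Linux a backslash is an ordinary file
        // name character, so only the forward-slash forms are traversal there.
        string[] candidates =
        {
            "photo.jpg",               // allowed
            @"..\default.htm",         // the post's example: escapes the root on Windows
            "../default.htm",
            "sub/../../default.htm",
            @"C:\Windows\win.ini",     // absolute path: Combine drops the root
            "/etc/passwd",
            "../uploads_evil/x.jpg",   // sibling directory sharing the root's prefix
        };

        foreach (string c in candidates)
        {
            string resolved = Resolve(root, c);
            Console.WriteLine($"{c,-26} -> {(resolved == null ? "REJECTED" : resolved)}");
        }
    }
}
```

Resolve works on strings only, exactly like the FileInfo.FullName check in the post: it does not touch the file system, so a junction or symbolic link that already sits inside the uploads directory is not detected. If users can create such links, check the resolved target separately or store uploads under a name you generate yourself.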