List: ruby-talk
Subject: Re: Ensuring a file path is contained in a directory
From: Alejandro Exojo <suy () badopi ! org>
Date: 2015-01-14 23:19:03
Message-ID: 201501150019.03300.suy () badopi ! org
On Tuesday 13 January 2015, Jesús Gabriel y Galán wrote:
> Honest question:
>
> Is this a fragile test? I'm by no means a security expert, but it
> looks to me that File#expand_path normalizes the path, removing "..",
> "~", so I'm interested in understanding if this could be broken:
>
> 2.0.0-p195 :001 > def is_within path,base
> 2.0.0-p195 :002?> base_expanded = File.expand_path base
> 2.0.0-p195 :003?> path_expanded = File.expand_path path,base
> 2.0.0-p195 :004?> path_expanded.start_with? base_expanded
> 2.0.0-p195 :005?> end
> => nil
There is the flaw that an extra slash might be needed:
[10] pry(main)> def is_within path, base
[10] pry(main)* base_expanded = File.expand_path base
[10] pry(main)* path_expanded = File.expand_path path, base
[10] pry(main)* path_expanded.start_with? base_expanded
[10] pry(main)* end
=> nil
[11] pry(main)> is_within '/var/foobar', '/var/foo'
=> true
I think it is a little bit up to you how you define the input strings. '/var/foo'
could be a directory, or file 'foo' in directory '/var'. I tend to prefer to
clearly state what is a directory by adding a trailing slash, but typically
APIs return paths with that trailing slash removed, the same way that two
consecutive slashes are simplified as well.
--
Alex (a.k.a. suy) | GPG ID 0x0B8B0BC2
http://barnacity.net/ | http://disperso.net
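A version of the check that closes the prefix gap shown in the pry session above, added here as an example and not code from either poster. The names `within?` and `within_real?` are my own; the second variant uses File.realpath, so it only works for paths that exist, but it also sees through symlinks, which the purely lexical File.expand_path check does not.

```ruby
require 'tmpdir'

# Lexical check: true if +path+ (absolute, or relative to +base+) expands to
# +base+ itself or to something strictly inside it. Only the strings are
# examined; nothing on disk is consulted.
def within?(path, base)
  base_expanded = File.expand_path(base)
  path_expanded = File.expand_path(path, base)
  return true if path_expanded == base_expanded
  # Compare against the prefix *including* the separator, so that
  # '/var/foobar' is no longer taken for a child of '/var/foo'.
  prefix = base_expanded.end_with?(File::SEPARATOR) ? base_expanded
                                                    : base_expanded + File::SEPARATOR
  path_expanded.start_with?(prefix)
end

# Filesystem-aware check: resolves symlinks on both sides first, so a link
# inside +base+ that points outside it is rejected. Non-existent paths are
# treated as "not within", since they cannot be resolved.
def within_real?(path, base)
  base_real = File.realpath(base)
  path_real = File.realpath(path, base_real)
  within?(path_real, base_real)
rescue Errno::ENOENT, Errno::ENOTDIR
  false
end

if __FILE__ == $0
  puts within?('/var/foobar', '/var/foo')       # false
  puts within?('/var/foo/bar', '/var/foo')      # true
  puts within?('../etc/passwd', '/var/foo')     # false
  Dir.mktmpdir do |dir|
    inside = File.join(dir, 'inside')
    Dir.mkdir(inside)
    File.symlink(dir, File.join(inside, 'escape'))  # constructed escape link
    puts within?('escape', inside)                  # true  (lexical check is fooled)
    puts within_real?('escape', inside)             # false (realpath follows the link)
  end
end
```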