Bugtraq mailing list archives

Re: IRM Security Advisory 002: Netware Web Server Source Disclosure


From: Alun Jones <alun () texis com>
Date: Fri, 21 Dec 2001 12:27:07 -0600

At 04:53 AM 12/21/2001, Ulf Harnhammar wrote:
> On Thu, 20 Dec 2001, eNowak IGF remote wrote:
> 
> > // only read file which is under the secure sewse path -- hence filtering ".."
> >       if ((argv[i]).indexOf("..") != -1)
> >       { return "Cannot read from insecure path."; }
> 
> This fix does not seem to allow people to use filenames that include the
> characters ".." (i.e., "my_document..ulf.txt" is not valid). It is probably
> better to parse the file name, so you know what parts are directories and
> what part is the file name, and then check the directory parts for the
> exact strings "." and "..".

Better still, and more likely to catch things that you're not expecting, is to construct the full absolute path of the target file, and compare _that_, not the user's input, to a validation rule set.

Your own solution, for instance, doesn't catch certain OS's choice to use "..." to represent "two directories up", nor does it catch "//" in the middle of a path. Better to expand to a full path, and then do the comparison.

Alun.
~~~~

--
Texas Imperial Software   | Try WFTPD, the Windows FTP Server. Find us at
1602 Harvest Moon Place   | http://www.wftpd.com or email alun () texis com
Cedar Park TX 78613-1419  | VISA/MC accepted.  NT-based sites, be sure to
Fax/Voice +1(512)258-9858 | read details of WFTPD Pro for NT.
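The approach Alun recommends above (canonicalize the full path first, then compare the result rather than the raw input against the allowed root) as an added example in Python; this is not code from the advisory, the quoted servlet or any poster. `resolve_under_root`, `naive_check` and the temporary document root it builds are constructed for illustration, and the symlink case assumes a POSIX filesystem.

```python
import os
import tempfile


def resolve_under_root(root: str, user_path: str):
    """Canonicalize root/user_path and return it only if it stays inside root.

    realpath() collapses ".", "..", repeated separators and follows symlinks,
    so the comparison is made against the path the OS would actually open,
    not against the characters the caller supplied.
    """
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, user_path))
    if candidate == root_real or candidate.startswith(root_real + os.sep):
        return candidate
    return None  # resolved outside the permitted tree


def naive_check(user_path: str) -> bool:
    """The quoted substring filter: reject anything containing ".."."""
    return ".." not in user_path


def demo():
    """Build a constructed document root in a temp dir and run both checks.

    Returns {input: (naive_check accepts?, resolve_under_root accepts?)}.
    """
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "docs"))
    for name in ("my_document..ulf.txt", os.path.join("docs", "readme.txt")):
        open(os.path.join(root, name), "w").close()
    # A symlink inside the tree that points one level above the root:
    # a lexical check sees only "docs/link", canonicalization sees where it goes.
    os.symlink(os.path.dirname(root), os.path.join(root, "docs", "link"))
    inputs = (
        "my_document..ulf.txt",     # legitimate file name containing ".."
        "docs//readme.txt",         # doubled separator, normalized by realpath
        "docs/../../escape.txt",    # classic traversal, caught by both
        "docs/link/escape.txt",     # escapes via the symlink, no ".." present
    )
    return {p: (naive_check(p), resolve_under_root(root, p) is not None)
            for p in inputs}


if __name__ == "__main__":
    for path, (naive, canonical) in demo().items():
        print(f"{path!r:28} substring filter: {naive}  canonical check: {canonical}")
```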