Yesterday it was pointed out to me that there is a security problem in my code. I was writing the async file uploader (I will post it a little later), and it is also able to delete unused files. The deletion is done by posting a filename, and that filename is stored in a hidden input. Everything is fine with that part; the problem is in my usage of the Path.Combine method.
Here is a snippet:
var p1 = "C:\\Test";
var p2 = "C:\\NOT_A_TEST\\File.txt";
var p3 = "File.txt";
Console.WriteLine(Path.Combine(p1, p2)); // result is "C:\NOT_A_TEST\File.txt": p2 is rooted, so it replaces p1
Console.WriteLine(Path.Combine(p1, p3)); // all good - C:\Test\File.txt
// and 2 safe methods:
Console.WriteLine(Path.Combine(p1, Path.GetFileName(p2))); // C:\Test\File.txt
Console.WriteLine(Path.Combine(p1, Path.GetFileName(p3))); // C:\Test\File.txt
So if you use Path.Combine, make sure the last argument is only a filename, not a whole path: if it is rooted (it starts with a drive letter or a path separator), it replaces everything before it in the result. Keep in mind that Path.GetFileName only strips the directory part; a value such as ".." passes through it unchanged, so before deleting anything, also resolve the combined path with Path.GetFullPath and check that it still starts with the upload folder. And as a side note,
Console.WriteLine(Path.GetFileNameWithoutExtension("C:\\Test\\test.txt"));
will return 'test', so it is as safe as Path.GetFileName.
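Here is an added example (my own illustration for this post, not the uploader's actual code) that puts the three variants side by side for a delete handler: the naive Path.Combine, the Path.GetFileName fix, and a stricter version that canonicalises with Path.GetFullPath and checks the result is still inside the upload folder. The folder name, the helper names and the sample inputs are all made up for the example; the prefix check assumes a Windows file system (case-insensitive comparison).

```csharp
using System;
using System.IO;

// Added example, not the original post's code. Resolves a user-supplied
// file name for deletion inside a fixed upload folder.
static class SafeDelete
{
    // The pattern the post describes: a rooted second argument discards the base.
    public static string Naive(string uploadDir, string userValue)
        => Path.Combine(uploadDir, userValue);

    // First fix from the post: keep only the file name component.
    public static string WithGetFileName(string uploadDir, string userValue)
        => Path.Combine(uploadDir, Path.GetFileName(userValue));

    // Stricter form (an addition of this example, not something the post states):
    // reject "." and "..", which survive Path.GetFileName, then canonicalise and
    // verify the result is still under uploadDir.
    public static string ResolveInside(string uploadDir, string userValue)
    {
        string name = Path.GetFileName(userValue);
        if (string.IsNullOrEmpty(name) || name == "." || name == "..")
            throw new ArgumentException("invalid file name");

        string root = Path.GetFullPath(uploadDir).TrimEnd(Path.DirectorySeparatorChar)
                      + Path.DirectorySeparatorChar;
        string full = Path.GetFullPath(Path.Combine(root, name));

        // OrdinalIgnoreCase assumes a Windows (case-insensitive) file system;
        // use StringComparison.Ordinal on Linux.
        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            throw new ArgumentException("path escapes upload directory");
        return full;
    }

    static void Main()
    {
        string uploadDir = @"C:\Test";   // constructed sample folder
        string[] inputs =                // constructed sample values a client could post
        {
            "File.txt",
            @"C:\NOT_A_TEST\File.txt",   // rooted: replaces uploadDir in Naive()
            @"\Windows\system.ini",      // also rooted on Windows (leading separator)
            @"..\secret.txt",            // relative traversal, not normalised by Combine
            "..",                        // passes through GetFileName unchanged
        };

        foreach (var input in inputs)
        {
            Console.WriteLine($"input: {input}");
            Console.WriteLine($"  naive:       {Naive(uploadDir, input)}");
            Console.WriteLine($"  GetFileName: {WithGetFileName(uploadDir, input)}");
            try
            {
                Console.WriteLine($"  checked:     {ResolveInside(uploadDir, input)}");
            }
            catch (ArgumentException e)
            {
                Console.WriteLine($"  checked:     rejected ({e.Message})");
            }
        }
    }
}
```

Running it shows Naive() returning "C:\NOT_A_TEST\File.txt" and "\Windows\system.ini" for the rooted inputs, WithGetFileName() mapping every input into C:\Test except "..", and ResolveInside() rejecting ".." outright. The GetFullPath prefix check is what you want in front of any File.Delete call, since it also covers inputs you did not think of.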