Check if path is child of directory
Jonathan M Davis
jmdavisProg at gmx.com
Sun Feb 9 16:36:21 PST 2014
On Sunday, February 09, 2014 21:09:51 Jeroen Bollen wrote:
> On Sunday, 9 February 2014 at 21:02:59 UTC, Jeroen Bollen wrote:
> > I'm building a webserver using the Vibe.d library. Whenever the
> > user requests a page inside my /images/ folder; I want them to
> > output this file.
> >
> > Because there will be a lot of images present, and because
> > these are likely to change in the future, I would like to just
> > get the URL from the request, and automatically output the file.
> >
> > I am aware though, that users could perform tricks like
> > "images/../../../../sensitive_file_here". In order to prevent
> > that I would like a solid way of making sure the entered path
> > is actually inside the images directory.
> >
> > How do I do this?
>
> I just figured out vibe.d handles this automatically, but I'd
> still like to know of a secure way to do this, for future
> reference.
std.path.absolutePath will take care of any ..'s at the beginning (which
doesn't quite seem to be your problem here, but it might be useful depending
on what you're doing). However, what you probably want here is
std.path.buildNormalizedPath. Like buildPath, it can be used to construct a
path from multiple strings, but if you give it only one string, it'll still
work and will normalize it (it just won't have anything else to append to it
like it would if you were really building a path).
- Jonathan M Davis
More information about the Digitalmars-d-learn
mailing list