Tutorial: Form upload in vibe.d
NVolcz via Digitalmars-d-announce
digitalmars-d-announce at puremagic.com
Thu Dec 8 12:48:52 PST 2016
On Tuesday, 6 December 2016 at 22:28:04 UTC, aberba wrote:
> https://aberba.github.io/2016/form-upload-in-vibe-d/u
Love the article! Please keep writing tutorials like this :-D.
Feedback:
1.
The upload function is (kind of) vulnerable against path
traversal:
    moveFile(file.tempPath, Path("./public/uploads") ~ file.filename);
If a file named "../SomeOtherFile.htm" is uploaded the server
will hit this assert:
https://github.com/rejectedsoftware/vibe.d/blob/master/core/vibe/core/path.d#L426
Denial of Service attack!
When the application is compiled with the release flag the assert
will be omitted and the path traversal will work.
2.
It would be more beginner friendly if you also described how to
add the upload function to the router.
3.
Your github link on the left side is broken. Discovered this when
I was looking for a zip with the finished code.
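
One way to close the traversal described in point 1, as an added example that is not part of the original post or the tutorial. `safeUploadTarget` is a hypothetical helper that uses only Phobos and assumes the handler passes the client-supplied file name as a plain string; the sample names in `main` are constructed.

```d
import std.algorithm.searching : startsWith;
import std.exception : collectException, enforce;
import std.path : absolutePath, buildNormalizedPath, isDirSeparator;
import std.stdio : writeln;

/// Hypothetical helper: returns the destination path for an upload, or
/// throws if the client-supplied name could leave uploadDir.
string safeUploadTarget(string uploadDir, string clientName)
{
    // enforce() is a runtime check that stays active with -release,
    // unlike the assert the post refers to.
    enforce(clientName.length > 0 && clientName != "." && clientName != "..",
            "empty or reserved upload name");

    // The name must be a single path segment: no separators of either
    // style, no drive/stream colon, no NUL byte.
    foreach (char c; clientName)
        enforce(c != '/' && c != '\\' && c != ':' && c != '\0',
                "illegal character in upload name");

    // Defence in depth: the normalised target must still sit directly
    // below the normalised upload directory.
    string root = buildNormalizedPath(absolutePath(uploadDir));
    string target = buildNormalizedPath(root, clientName);
    enforce(target.length > root.length + 1
            && target.startsWith(root)
            && isDirSeparator(target[root.length]),
            "upload name escapes the upload directory");
    return target;
}

void main()
{
    // Constructed sample names; the second is the one from the post.
    foreach (name; ["report.pdf", "../SomeOtherFile.htm", "..\\x.htm", "..", ""])
    {
        auto err = collectException(safeUploadTarget("./public/uploads", name));
        writeln("[", name, "] ", err is null ? "accepted" : "rejected: " ~ err.msg);
    }
}
```

Because the rejection is an exception rather than an assert, a bad name produces an ordinary error response in both debug and release builds instead of a crash or a silent traversal.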