secure file writing (escaping characters from the file name)

Constantin Gavrilescu
09-12-2007
I have a cgi script that writes files on the filesystem. The files are
provided by the users. I need to save them with (almost) the same name
as the user requests. What characters do I need to escape?

This is on linux. Right now the file: "Mick Jagger / Chris Jagger -
Racketeer Blues" does not get saved because of the "/" character. I
don't escape any characters now. I want to keep as many of the original
characters in the file name as I can. For the characters that cannot be
escaped, I suppose I need a translation table... to figure out what was
the original filename.

Any pointers? More importantly about escaping special characters, and
avoiding directory traversal.
--
Posted via http://www.ruby-forum.com/.

Luis Parravicini
09-12-2007
On 9/12/07, Constantin Gavrilescu <(E-Mail Removed)> wrote:
> I have a cgi script that writes files on the filesystem. The files are
> provided by the users. I need to save them with (almost) the same name
> as the user requests. What characters do I need to escape?
>
> This is on linux. Right now the file: "Mick Jagger / Chris Jagger -
> Racketeer Blues" does not get saved because of the "/" character. I
> don't escape any characters now. I want to keep as many of the original
> characters in the file name as I can. For the characters that cannot be
> escaped, I suppose I need a translation table... to figure out what was
> the original filename.
>
> Any pointers? More importantly about escaping special characters, and
> avoiding directory traversal.


Hi Constantin,

Maybe instead of escaping/removing any character in the filename you
can store the file with a unique name and have an index with the user
supplied filename and the name of the file in the file system?


--
Luis Parravicini
http://ktulu.com.ar/blog/

Constantin Gavrilescu
09-12-2007
Luis Parravicini wrote:
> On 9/12/07, Constantin Gavrilescu <(E-Mail Removed)> wrote:
>>
>> Any pointers? More importantly about escaping special characters, and
>> avoiding directory traversal.

>
> Hi Constantin,
>
> Maybe instead of escaping/removing any character in the filename you
> can store the file with a unique name and have an index with the user
> supplied filename and the name of the file in the file system?



The files are also shared over the network with samba, so they need to
have a meaningful name. That's why I need to escape just the "bad
characters" and keep most of the other info in.

--
Posted via http://www.ruby-forum.com/.

Jonas Roberto de Goes Filho (sysdebug)
09-12-2007
Constantin Gavrilescu wrote:
> Luis Parravicini wrote:
>> On 9/12/07, Constantin Gavrilescu <(E-Mail Removed)> wrote:
>>> Any pointers? More importantly about escaping special characters, and
>>> avoiding directory traversal.

>> Hi Constantin,
>>
>> Maybe instead of escaping/removing any character in the filename you
>> can store the file with a unique name and have an index with the user
>> supplied filename and the name of the file in the file system?

>
>
> The files are also shared over the network with samba, so they need to
> have a meaningful name. That's why I need to escape just the "bad
> characters" and keep most of the other info in.
>


The only character not acceptable in a filename on Unix is /. So,
why not replace this character '/' with, for example, a blank character ''?

--
Jonas Roberto de Goes Filho (sysdebug)
http://goes.eti.br

Constantin Gavrilescu
09-12-2007
Felix Windt wrote:
> If you only need this to work on POSIX compatible filesystems, all you
> need
> to remove are "/" (slash character, as it separates path components) and
> \000 (nul, as it terminates strings in many languages) as POSIX file
> names
> can accept all other ASCII characters.


<snip>

That's interesting...

irb(main):001:0> File.open("aa.php\000continue.jpg", "w")
=> #<File:aa.php>

Creates the file aa.php. Welcome remote code execution vulnerabilities.

irb(main):002:0> File.open("../aaa", "w")
=> #<File:../aaa>

Directory traversal. Creates "aaa" in the parent directory.

irb(main):002:0> File.open("bbb\\bbb.tst", "w")
=> #<File:bbb\bbb.tst>

Linux accepts it. I guess it can be a directory traversal on Windows.
Samba exports it as BRRFFZ~N.TST
--
Posted via http://www.ruby-forum.com/.

Carlos
09-12-2007
[Constantin Gavrilescu <(E-Mail Removed)>, 2007-09-12 19.39 CEST]
> I have a cgi script that writes files on the filesystem. The files are
> provided by the users. I need to save them with (almost) the same name
> as the user requests. What characters do I need to escape?
>
> This is on linux. Right now the file: "Mick Jagger / Chris Jagger -
> Racketeer Blues" does not get saved because of the "/" character. I
> don't escape any characters now. I want to keep as many of the original
> characters in the file name as I can. For the characters that cannot be
> escaped, I suppose I need a translation table... to figure out what was
> the original filename.
>
> Any pointers? More importantly about escaping special characters, and
> avoiding directory traversal.


You can "semi-URL-escape" the filenames. I mean, use the same method as
CGI::escape, but with more characters allowed. Just adapt the original
function, adding more characters to the regex to allow them, and taking out
the last #tr (spaces to "+"). It is in cgi.rb:

def CGI::escape(string)
  string.gsub(/([^ a-zA-Z0-9_.-]+)/n) do
    '%' + $1.unpack('H2' * $1.size).join('%').upcase
  end.tr(' ', '+')
end

Later, you can easily restore the original filename with CGI::unescape.

For Unix/Linux you can let pass any character except "/" and "\000"; for
Windows/Mac OS, here is a list of forbidden characters:
http://www.xvsxp.com/files/forbidden.php

Good luck.
--
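Carlos's "semi-URL-escape" idea, combined with the nul-byte and ".." cases Constantin showed in irb above, as an added example that is my code, not any poster's: the escape keeps spaces and accents readable and is reversible, and a final path check catches anything escaping alone would miss. The `uploads` base directory and the function names are assumptions.

```ruby
# Added example, not code from the thread. Stores user-supplied names in a
# readable, reversible form and then double-checks the final path.

# Bytes never stored literally: "/" and NUL are the only ones POSIX forbids;
# "\\", the Windows-reserved set and control characters are added because the
# directory is also exported over Samba. "%" is encoded so decoding is unambiguous.
UNSAFE = %r{[\x00-\x1F/\\<>:"|?*%]}.freeze

# Same scheme as CGI.escape (percent plus two hex digits) but with far fewer
# characters encoded, and without the space-to-"+" step, so spaces stay readable.
def escape_filename(name)
  name.gsub(UNSAFE) { |c| format('%%%02X', c.ord) }
end

# Inverse of escape_filename; only decodes the exact form produced above.
def unescape_filename(stored)
  stored.gsub(/%([0-9A-F]{2})/) { $1.hex.chr }
end

UPLOAD_DIR = File.expand_path('uploads') # assumed upload directory

# Absolute path to write the upload to, or nil if the escaped name would still
# resolve outside UPLOAD_DIR: "." and ".." survive escaping untouched, and
# File.expand_path also treats a leading "~" specially, so the prefix check is
# the last line of defence rather than the character list.
def safe_upload_path(user_name)
  return nil if user_name.nil? || user_name.empty?
  path = File.expand_path(escape_filename(user_name), UPLOAD_DIR)
  path.start_with?(UPLOAD_DIR + File::SEPARATOR) ? path : nil
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample names, including the three cases from the irb session.
  ["Mick Jagger / Chris Jagger - Racketeer Blues",
   "aa.php\0continue.jpg", "../aaa", "bbb\\bbb.tst", ".."].each do |n|
    puts "#{n.inspect} -> #{safe_upload_path(n).inspect}"
  end
end
```

Because "+" is never encoded here, restore names with `unescape_filename` rather than `CGI.unescape`, which would also turn a literal "+" into a space.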

 