Xavier Noria
11/22/2007 12:37:00 AM
On Nov 22, 2007, at 12:15 AM, Michael Schuerig wrote:
> My concrete problem is rather more mundane and can probably be solved
> easier. I have uploaded file data and paths where they ought to be
> stored. I'd like to make sure that they don't escape from underneath
> the top-level directory where they are supposed to stay.
To accomplish this you sanitize the filename, then compute
File.expand_path inside a Dir.chdir block (if relative filenames are
allowed), and check whether the result is out of the root via String
comparisons on the names (regexps, etc.).
-- fxn
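The check fxn outlines, written out as an added Ruby example that is not from the original thread: the helper names and the `UPLOAD_ROOT` value are assumptions, and it passes the root as the base-directory argument of `File.expand_path` instead of wrapping the call in a `Dir.chdir` block, which is equivalent for the check but leaves the process working directory alone.

```ruby
# Root directory under which uploaded files must stay (constructed sample value).
UPLOAD_ROOT = '/var/app/uploads'.freeze

# Tidy the user-supplied name: keep only the basename and a conservative
# character set. The path check below is the real guard; this only keeps
# names predictable.
def sanitize_filename(name)
  File.basename(name.to_s).gsub(/[^A-Za-z0-9._-]/, '_')
end

# Resolve +relative+ against +root+ and return the absolute target, or nil
# if the expanded result lands outside +root+. Passing +root+ as the second
# argument to File.expand_path replaces the Dir.chdir block from the thread
# (Dir.chdir is process-wide state, so this is safer under threads).
def path_within_root(root, relative)
  # File.expand_path treats a leading "~" as a home-directory lookup and can
  # raise ArgumentError for unknown users; refuse such names outright.
  return nil if relative.to_s.start_with?('~')

  root_abs = File.expand_path(root)
  target   = File.expand_path(relative, root_abs)

  # Compare against root plus a trailing separator so that a sibling such as
  # "/var/app/uploads2" is not mistaken for a child of "/var/app/uploads".
  prefix = root_abs.end_with?(File::SEPARATOR) ? root_abs : root_abs + File::SEPARATOR
  return nil unless target.start_with?(prefix)
  target
end

# Full flow for one upload: sanitize the basename, join it under the
# requested subdirectory, then confirm the expanded path stays in the root.
# Returns the path to write to, or nil when the upload must be rejected.
def upload_target(subdir, user_filename, root = UPLOAD_ROOT)
  rel = File.join(subdir.to_s, sanitize_filename(user_filename))
  path_within_root(root, rel)
end
```

Note that a symlink inside the root can still point outside it; `File.realpath` resolves that, but only for paths that already exist.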