
comp.lang.ruby

Forcing file operations under a directory

Michael Schuerig

11/21/2007 11:16:00 PM


I'm looking for a way to force file operations under a given root
directory. Somewhat similar to chroot, but purely in Ruby.

For the surface syntax I have in mind something like this

File.with_root '/var/tmp/safe_place' do
  File.open('../../etc/passwd', 'w') do |f|
    f.puts "Let's try it..." # No! -> Exception
  end
end

I have, unfortunately, no clear idea how to implement File#with_root.
I'm not even sure it's possible, or possible without an inordinate
amount of work.

My concrete problem is rather more mundane and can probably be solved
easier. I have uploaded file data and paths where they ought to be
stored. I'd like to make sure that they don't escape from underneath
the top-level directory where they are supposed to stay.

Michael

--
Michael Schuerig
mailto:michael@schuerig.de
http://www.schuerig.d...

4 Answers

ara.t.howard

11/22/2007 12:10:00 AM

0


On Nov 21, 2007, at 4:15 PM, Michael Schuerig wrote:

>
> I'm looking for a way to force file operations under a given root
> directory. Somewhat similar to chroot, but purely in Ruby.
>
> For the surface syntax I have in mind something like this
>
> File.with_root '/var/tmp/safe_place' do
>   File.open('../../etc/passwd', 'w') do |f|
>     f.puts "Let's try it..." # No! -> Exception
>   end
> end
>
> I have, unfortunately, no clear idea how to implement File#with_root.
> I'm not even sure it's possible, or possible without an inordinate
> amount of work.
>
> My concrete problem is rather more mundane and can probably be solved
> easier. I have uploaded file data and paths where they ought to be
> stored. I'd like to make sure that they don't escape from underneath
> the top-level directory where they are supposed to stay.
>
> Michael
>
> --
> Michael Schuerig
> mailto:michael@schuerig.de
> http://www.schuerig.d...
>



Dir.chdir '/var/tmp/safe_place' do

....

end


a @ http://codeforp...
--
share your knowledge. it's a way to achieve immortality.
h.h. the 14th dalai lama



Xavier Noria

11/22/2007 12:28:00 AM

0

On Nov 22, 2007, at 1:09 AM, ara.t.howard wrote:

> Dir.chdir '/var/tmp/safe_place' do
>
> ....
>
> end

That changes the cwd; the OP wants the block to believe that
/var/tmp/safe_place is /. Dir.entries("/") should list /var/tmp/safe_place,
system("ls /") I guess should do the same.

I think it needs a system-level solution.

-- fxn


Xavier Noria

11/22/2007 12:37:00 AM

0

On Nov 22, 2007, at 12:15 AM, Michael Schuerig wrote:

> My concrete problem is rather more mundane and can probably be solved
> easier. I have uploaded file data and paths where they ought to be
> stored. I'd like to make sure that they don't escape from underneath
> the top-level directory where they are supposed to stay.

To accomplish this you sanitize the filename, then compute
File.expand_path inside a Dir.chdir block (if relative filenames are
allowed), and check whether the result is out of the root via String
comparisons on the names (regexps, etc.)

-- fxn
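
Added example, not part of the original thread: one way to carry out the check described in the post above (File.expand_path, then a string comparison against the root), written in Ruby. The names resolve_under, inside? and PathEscapeError are hypothetical and the sample paths are constructed. It assumes the untrusted path is relative to the root (passing the root as expand_path's second argument instead of using Dir.chdir) and goes beyond the post by re-checking symlinks.

```ruby
require 'tmpdir'

class PathEscapeError < StandardError; end

# True if path lies strictly below root. The trailing separator keeps
# "/srv/up_evil" from passing as a child of "/srv/up".
def inside?(root, path)
  path.start_with?(root + File::SEPARATOR)
end

# Returns the absolute destination for an untrusted relative path, or
# raises PathEscapeError if it would land outside root.
def resolve_under(root, untrusted)
  # expand_path treats a leading "/" as absolute and a leading "~" as a home dir.
  if untrusted.include?("\0") || untrusted.start_with?('/', '~')
    raise PathEscapeError, "rejected #{untrusted.inspect}"
  end
  root = File.realpath(root)                     # canonical root
  candidate = File.expand_path(untrusted, root)  # collapses "." and ".." lexically
  raise PathEscapeError, "#{untrusted.inspect} escapes #{root}" unless inside?(root, candidate)

  # expand_path does not follow symlinks, so resolve the deepest existing
  # ancestor and confirm it is still under root.
  existing = candidate
  existing = File.dirname(existing) until File.exist?(existing) || File.symlink?(existing)
  real = begin
    File.realpath(existing)
  rescue Errno::ENOENT, Errno::ELOOP # dangling or looping symlink
    raise PathEscapeError, "#{untrusted.inspect} goes through a broken symlink"
  end
  unless real == root || inside?(root, real)
    raise PathEscapeError, "#{untrusted.inspect} escapes #{root} via symlink"
  end
  candidate
end

# Constructed sample paths, checked against a throwaway root directory.
def classify_samples
  Dir.mktmpdir('safe_place') do |root|
    File.symlink(Dir.tmpdir, File.join(root, 'link')) # points outside root
    sibling = "../#{File.basename(root)}_evil/x"      # shares root's name as a prefix
    ['docs/a.txt', 'a/../b.txt', '../../etc/passwd', sibling, 'link/x', '/etc/passwd'].map do |p|
      begin
        resolve_under(root, p)
        :ok
      rescue PathEscapeError
        :rejected
      end
    end
  end
end
```

The check and the later File.open are separate steps, so this does not cover a symlink that is created under the root between the two.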


Michael Schuerig

11/22/2007 11:22:00 PM

0

On Thursday 22 November 2007, Xavier Noria wrote:
> On Nov 22, 2007, at 12:15 AM, Michael Schuerig wrote:
> > My concrete problem is rather more mundane and can probably be
> > solved easier. I have uploaded file data and paths where they ought
> > to be stored. I'd like to make sure that they don't escape from
> > underneath the top-level directory where they are supposed to stay.
>
> To accomplish this you sanitize the filename, then compute
> File.expand_path inside a Dir.chdir block (if relative filenames are
> allowed), and check whether the result is out of the root via String
> comparisons on the names (regexps, etc.)

Yes, thanks, that's more or less what I'm doing now and relative
filenames are disallowed anyway.

Michael

--
Michael Schuerig
mailto:michael@schuerig.de
http://www.schuerig.d...