httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ben Laurie <...@algroup.co.uk>
Subject Re: FindFirstFile
Date Sat, 04 Jul 1998 20:46:14 GMT
Alexei Kosut wrote:
> 
> On Sat, 4 Jul 1998, Marc Slemko wrote:
> 
> > Oh.
> >
> > So if you do FindFirstFile on one of the varient names for a file, does it
> > give the real name or the varient?
> 
> The variant. Its only use here is to "confirm" that the file really
> exists, I suppose. If it did canonicalize the filename, then the way
> os_canonical_filename() uses it would, too.
> 
> > If it gives the varient, then it is screwed to hell.
> 
> Nah, it works as well as the rest of Windows.
> 
> I've been looking at
> mk:@ivt:pdwbase/native/sdk/win32/sys/src/filesio_4.htm ("Filename
> Conventions") and related documentation, and all I have to say is "blah".
> 
> I am now seriously thinking that os_canonical_filename(), instead of
> silently rewriting filenames to conform to Apache's idea of what a file
> should look like, should only confirm that it does. If not, it should
> return NULL and Apache can return a 403, log "%s is not a canonical form
> of a filename" and get on with life.
> 
> That would make the function simpler, too... toss out any filename with
> one of < > | " or : (none of which are valid, except the colon as a drive
> seperator), toss out any filename that has a dot or a space at the end of
> a path segment, and run GetFullPathName() on each segment, and if it
> doesn't match, toss it out. It might even check QueryDosDevice() to make
> sure someone isn't trying to mess with devices (although I don't think
> that works anyway).
> 
> This has the added benefit of not screwing up dots and slashes in
> PATH_INFO, as the current os_canonical_filename() does.

No it doesn't! That's what I spent all that energy on fixing! However,
I'm beginning to agree with you. Actually, I seem to remember I started
out agreeing but went astray somewhere down the line.

But I think that throwing stuff out for non-matching case is probably
going too far.

Cheers,

Ben.

-- 
Ben Laurie            |Phone: +44 (181) 735 0686| Apache Group member
Freelance Consultant  |Fax:   +44 (181) 735 0689|http://www.apache.org/
and Technical Director|Email: ben@algroup.co.uk |
A.L. Digital Ltd,     |Apache-SSL author     http://www.apache-ssl.org/
London, England.      |"Apache: TDG" http://www.ora.com/catalog/apache/

WE'RE RECRUITING! http://www.aldigital.co.uk/recruit/

Mime
View raw message