Hello,

 

I'm finishing the last parts of the security features of the transactional
system, the access control based on current directory. As I'm writing I've
come to the point where I need to check if the path given is a child node of
a parent path which I'm constrained to.

 

The code looks something like this:

 

public bool IsParentOf(PathInfo child)
{
    if (Root == string.Empty || child.Root == string.Empty)
        throw new NotSupportedException("Non-rooted paths are not supported.");

    // Folder/file component must match before the location-specific
    // part (device, server, address) is compared.
    var OK = FolderAndFiles == child.FolderAndFiles;

    switch (Type)
    {
        case PathType.Device:
            OK &= child.DeviceName.ToLowerInvariant() == DeviceName.ToLowerInvariant();
            break;
        case PathType.Server:
            OK &= child.ServerName.ToLowerInvariant() == ServerName.ToLowerInvariant();
            break;
        case PathType.IPv4:
            // IPAddress is System.Net.IPAddress
            OK &= IPAddress.Parse(child.IPv4).Equals(IPAddress.Parse(IPv4));
            break;
        case PathType.IPv6:
            OK &= IPAddress.Parse(child.IPv6).Equals(IPAddress.Parse(IPv6));
            break;
        ...
    }

    return OK;
}

 

As you can see, I'm keeping track of a few different combinations. On Mono,
paths are case-sensitive; on .NET they aren't. Not that it's very common,
but if this is done wrong, without further checks on the programmer's part,
it could be used for privilege escalation attacks, if the admin has put
the application in a folder and another in a verbatim folder with different
casing in the path.

 

In some places, like in Brail's view engine, the absolute path isn't used and,
as far as I remember, it's all lowercase, but it might matter.

 

What's the official line on this from the project's perspective?

 

Cheers,

Henrik
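One way to make the ancestor check explicit about the host's case rule instead of lowercasing both sides, as an added example that is not Castle Project code (the PathContainment class, IsUnder and HostComparison names are hypothetical):

```csharp
using System;
using System.IO;
using System.Runtime.InteropServices;

// Added example, not part of the original post or of Castle. Decides whether
// candidatePath lies inside rootPath using an explicit StringComparison, so
// the caller chooses the case rule rather than assuming it.
public static class PathContainment
{
    // Case sensitivity is a property of the host file system, not of the
    // runtime: Linux (where Mono is typical) distinguishes "App" from "app",
    // Windows does not. Pick the comparison from the platform.
    public static StringComparison HostComparison =>
        RuntimeInformation.IsOSPlatform(OSPlatform.Linux)
            ? StringComparison.Ordinal
            : StringComparison.OrdinalIgnoreCase;

    public static bool IsUnder(string rootPath, string candidatePath, StringComparison cmp)
    {
        if (!Path.IsPathRooted(rootPath) || !Path.IsPathRooted(candidatePath))
            throw new NotSupportedException("Non-rooted paths are not supported.");

        // GetFullPath collapses "." and "..", so "/srv/app/../etc" is judged as "/etc".
        string root = Path.GetFullPath(rootPath)
            .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar);
        string candidate = Path.GetFullPath(candidatePath);

        if (string.Equals(root, candidate, cmp))
            return true; // the root itself counts as inside

        // Require a separator boundary so "/srv/app" does not match "/srv/app2".
        return candidate.StartsWith(root + Path.DirectorySeparatorChar, cmp);
    }

    public static void Main()
    {
        // Constructed sample paths: two folders that differ only in casing.
        const string root = "/srv/app";
        const string other = "/srv/App/config.xml";

        // Ordinal (the right rule on a case-sensitive host): not inside.
        Console.WriteLine(IsUnder(root, other, StringComparison.Ordinal));           // False
        // Blanket case-insensitive compare on that same host: wrongly inside.
        Console.WriteLine(IsUnder(root, other, StringComparison.OrdinalIgnoreCase)); // True
        // Prefix without a separator boundary is rejected under either rule.
        Console.WriteLine(IsUnder(root, "/srv/app2/x", HostComparison));             // False
    }
}
```

The second call shows the situation described above: on a case-sensitive host, lowercasing both sides lets a path in the differently-cased sibling folder pass as a child of the constrained root.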

-- 
You received this message because you are subscribed to the Google Groups 
"Castle Project Development List" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to 
[email protected].
For more options, visit this group at 
http://groups.google.com/group/castle-project-devel?hl=en.