On Tuesday, 6 December 2016 at 22:28:04 UTC, aberba wrote:
https://aberba.github.io/2016/form-upload-in-vibe-d/u


Love the article! Please keep writing tutorials like this :-D.

Feedback:
1.
The upload function is (kind of) vulnerable against path traversal: moveFile(file.tempPath, Path("./public/uploads") ~ file.filename);

If a file named "../SomeOtherFile.htm" is uploaded the server will hit this assert:
https://github.com/rejectedsoftware/vibe.d/blob/master/core/vibe/core/path.d#L426
Denial of Service attack!

When the application is compiled with the release flag the assert will be omitted and the path traversal will work.

2.
It would be more beginner friendly if you also described how to add the upload function to the router.

3.
Your github link on the left side is broken. Discovered this when I was looking for a zip with the finished code.

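One way to close the gap described in point 1, as an added example that is not part of the original post or the article: validate the client-supplied name with a runtime check that survives release builds, then confirm the normalized destination is still inside the upload directory. `uploadTarget` is a hypothetical helper that uses only Phobos, and the allowed character set is an assumption to adjust per application.

```d
import std.algorithm.searching : all, endsWith, startsWith;
import std.ascii : isAlphaNum;
import std.exception : assertThrown, enforce;
import std.path : absolutePath, buildNormalizedPath, dirSeparator;
import std.stdio : writeln;

/// Hypothetical helper: returns the destination path for an upload, or
/// throws if the client-supplied name is not a plain file name.
string uploadTarget(string uploadDir, string clientName)
{
    // enforce() stays active in release builds, unlike assert().
    enforce(clientName.length > 0 && clientName.length <= 255, "bad file name length");
    enforce(clientName != "." && clientName != "..", "reserved file name");
    // Allow-list (assumed policy): ASCII letters, digits, '.', '-', '_'.
    // This excludes '/' and '\', so no directory component can get through.
    enforce(clientName.all!(c => isAlphaNum(c) || c == '.' || c == '-' || c == '_'),
            "illegal character in file name");

    string root = buildNormalizedPath(absolutePath(uploadDir));
    string target = buildNormalizedPath(root, clientName);
    // Defence in depth: the normalized result must still sit under root.
    enforce(target.startsWith(root ~ dirSeparator), "path escapes upload directory");
    return target;
}

unittest
{
    // Constructed inputs, including the file name from the post above.
    assert(uploadTarget("public/uploads", "report.pdf").endsWith("report.pdf"));
    assertThrown(uploadTarget("public/uploads", "../SomeOtherFile.htm"));
    assertThrown(uploadTarget("public/uploads", ".."));
    assertThrown(uploadTarget("public/uploads", "a/b.txt"));
}

void main()
{
    writeln(uploadTarget("public/uploads", "report.pdf"));
    try
    {
        uploadTarget("public/uploads", "../SomeOtherFile.htm");
    }
    catch (Exception e)
    {
        writeln("rejected: ", e.msg);
    }
}
```

In the request handler, the thrown exception should be caught and turned into an HTTP 400 response so that a bad file name rejects one request rather than taking the server down.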