
relating a folder and files under it with a logged in user.


rakeshou (Programmer), Aug 15, 2006
Hi all,

I am working on an online system where when the user logs on to the system a session is created, they view their folders and their uploaded files under a folder.

I am using query strings to display the list of files in a particular folder.

But the problem is, anyone can change the query string value and access someone else's folder.

How can I prevent this from happening?
Also, please let me know what I should do when the system checks for the presence of the username and password entered by a user in the database, other than creating a session....

help of any kind will deeply be appreciated.
To answer your folder question:

Limit the characters that can be used in the query string value. Since you didn't show any code, I can assume you used CGI.

Code:
use strict;
use warnings;
use CGI;
my $cgi = CGI->new;

# get the folder= from query string (treat a missing parameter as empty)
my $folder = $cgi->param('folder');
$folder = '' unless defined $folder;

# don't allow any characters that aren't
# letters, numbers, dots, or spaces.
$folder =~ s/[^A-Za-z0-9\. ]//g;

If you remove certain characters from the query string value, you eliminate the possibility of seeing folders you're not allowed to see... i.e. in this request:

Code:
http://.../file.cgi?folder=../another_user/folder

They're using "../" (up one directory) in the query string to get a level higher than they should and view any other user's folders. They could do the same thing to view any folder on your entire website, and sometimes, any folder on the whole server (even places that aren't public web places, such as operating system files and htpasswd files).

With that code, you allow folder names to have letters, numbers, dots, and spaces, but nothing else. So when they try something clever like "../" it removes the / and foils their attempts to circumvent your server.

This is a simple solution though. You may want /'s to be allowed to allow them to view sub-folders too, so in that case you'd want to limit double dots .. and not allow the value to begin with a /.

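The combination both posts are after, the folder value validated per segment with ".." and leading "/" refused, and the folder root taken from the logged-in session rather than the query string, as an added example that is not code from either poster; it is written in Python rather than the Perl of the reply above, and the upload root `/var/www/uploads` is a constructed placeholder.

```python
import posixpath
import re

# Constructed base directory for this example; a real script would use its own upload root.
BASE_DIR = "/var/www/uploads"

# Same character allow-list as the reply (letters, digits, dots, spaces), applied per path segment.
SAFE_SEGMENT = re.compile(r"[A-Za-z0-9. ]+")
SAFE_USER = re.compile(r"[A-Za-z0-9_]+")


def resolve_user_folder(session_user, folder_param, base_dir=BASE_DIR):
    """Map the untrusted ?folder= value to a path inside the logged-in user's own root.

    The user root comes from the session, never from the query string, so changing
    folder= cannot select another user's directory. Raises ValueError when refused.
    """
    if not SAFE_USER.fullmatch(session_user):
        raise ValueError("invalid session user")
    user_root = posixpath.join(base_dir, session_user)

    if folder_param.startswith("/"):          # absolute paths are never accepted
        raise ValueError("absolute path refused")
    segments = folder_param.split("/") if folder_param else []
    for seg in segments:
        # Empty ("a//b", trailing "/"), "." and ".." segments are refused outright;
        # every other segment must match the character allow-list.
        if seg in ("", ".", "..") or not SAFE_SEGMENT.fullmatch(seg):
            raise ValueError("bad path segment: %r" % seg)

    # Defence in depth: normalise and prove the result still lies under user_root.
    full = posixpath.normpath(posixpath.join(user_root, *segments))
    if full != user_root and not full.startswith(user_root + "/"):
        raise ValueError("path escapes user root")
    return full


def folder_is_allowed(session_user, folder_param):
    """True when the request would be served, False when it would be refused."""
    try:
        resolve_user_folder(session_user, folder_param)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for req in ["docs/2006", "", "../bob/folder", "..", "/etc/passwd", "docs/../../bob"]:
        print("%-20r -> %s" % (req, "allowed" if folder_is_allowed("alice", req) else "refused"))
```

The listing code would then read the directory returned by resolve_user_folder and never the raw parameter.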