Possible Methods To Prevent Directory Traversal
A possible algorithm for preventing directory traversal would be to:
- Process URI requests that do not result in a file request, e.g., executing a hook into user code, before continuing below.
- When a URI request for a file/directory is to be made, build a full path to the file/directory if it exists, and normalize all characters (e.g., %20 converted to spaces).
- It is assumed that a 'Document Root' fully qualified, normalized, path is known, and this string has a length N. Assume that no files outside this directory can be served.
- Ensure that the first N characters of the fully qualified path to the requested file is exactly the same as the 'Document Root'.
- If so, allow the file to be returned.
- If not, return an error, since the request is clearly out of bounds from what the web-server should be allowed to serve.
- Check if the string contains '..' (two periods next to each other).
- Using a hard-coded predefined file extension to suffix the path does not limit the scope of the attack to files of that file extension.
Read more about this topic: Directory Traversal Attack
Famous quotes containing the words methods, prevent and/or directory:
“Parents ought, through their own behavior and the values by which they live, to provide direction for their children. But they need to rid themselves of the idea that there are surefire methods which, when well applied, will produce certain predictable results. Whatever we do with and for our children ought to flow from our understanding of and our feelings for the particular situation and the relation we wish to exist between us and our child.”
—Bruno Bettelheim (20th century)
“To watch that world come up like a cold sun,
Rewarding others, is my liberty.
Not to prevent it is my will’s fulfilment.
Willing it, my ailment.”
—Philip Larkin (1922–1986)
“An actor who knows his business ought to be able to make the London telephone directory sound enthralling.”
—Donald Sinden (b. 1923)