Forcing file operations under a directory

M

Michael Schuerig

I'm looking for a way to force file operations under a given root
directory. Somewhat similar to chroot, but purely in Ruby.

For the surface syntax I have in mind something like this

File.with_root '/var/tmp/safe_place' do
File.open('../../etc/passwd', 'w') do |f|
f.puts 'Let's try it...' # No! -> Exception
end
end

I have, unfortunately, no clear idea how to implement File#with_root.
I'm not even sure it's possible, or possible without an inordinate
amount of work.

My concrete problem is rather more mundane and can probably be solved
easier. I have uploaded file data and paths where they ought to be
stored. I'd like to make sure that they don't escape from underneath
the top-level directory where they are supposed to stay.

Michael
 
A

ara.t.howard

I'm looking for a way to force file operations under a given root
directory. Somewhat similar to chroot, but purely in Ruby.

For the surface syntax I have in mind something like this

File.with_root '/var/tmp/safe_place' do
File.open('../../etc/passwd', 'w') do |f|
f.puts 'Let's try it...' # No! -> Exception
end
end

I have, unfortunately, no clear idea how to implement File#with_root.
I'm not even sure it's possible, or possible without an inordinate
amount of work.

My concrete problem is rather more mundane and can probably be solved
easier. I have uploaded file data and paths where they ought to be
stored. I'd like to make sure that they don't escape from underneath
the top-level directory where they are supposed to stay.

Michael
Click to expand...



Dir.chdir '/var/tmp/safe_place' do

....

end


a @ http://codeforpeople.com/
 
X

Xavier Noria

Dir.chdir '/var/tmp/safe_place' do

....

end
Click to expand...

That changes the cwd, the OP wants the block to believe that /var/tmp/
safe_place is /. Dir.entries("/") should list /var/tmp/safe_place,
system("ls /") I guess should do the same.

I it needs a system-level solution.

-- fxn
 
X

Xavier Noria

My concrete problem is rather more mundane and can probably be solved
easier. I have uploaded file data and paths where they ought to be
stored. I'd like to make sure that they don't escape from underneath
the top-level directory where they are supposed to stay.
Click to expand...

To accomplish this you sanitize the filename, then compute
File.expand_path inside a Dir.chdir block (if relative filenames are
allowed), and check whether the result is out of the root via String
comparisons on the names (regexps, etc.)

-- fxn
 
M

Michael Schuerig

To accomplish this you sanitize the filename, then compute
File.expand_path inside a Dir.chdir block (if relative filenames are
allowed), and check whether the result is out of the root via String
comparisons on the names (regexps, etc.)
Click to expand...

Yes, thanks, that's more or less what I'm doing now and relative
filenames are disallowed anyway.

Michael
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Finding all the links in a Unix file/directory path 3
Hidden file name under HTTP server directory 13
read a ruby script like you would read a text file 2
Text Print Entire Directory Tree including File Names from a FTPDirectory 3
Outputting results as html in a file 1
FAQ 5.4 How do I delete the last N lines from a file? 0
FAQ 5.2 How do I change, delete, or insert a line in a file, or append to the beginning of a file? 0
Deny web access to a directory? 0

Members online

Total: 38 (members: 3, guests: 35)
Robots: 204

Forum statistics

Threads
473,764
Messages
2,569,566
Members
45,041
Latest member
RomeoFarnh

Latest Threads

Top