-
5 Tips for Thwarting
Hello Michael Howard:
Have saved a copy of your article until our web project nears completion.
Going through it again today - I am confused by one point. Please forgive
this inexperienced security question! In your article you mention restricting
the posts to avoid bogus filenames. You give a great snippet of code example.
Where are you able to implement that script to restrict filenames?
Thanks!
Lisa
-
Re: 5 Tips for Thwarting
Hi Lisa
The purpose of the script is to restrict what determines a valid filename.
What problem are you seeing, and on what platform?
-
Re: 5 Tips for Thwarting
You pass in the filename/path itself as a string. Then you check that
string by using a regular expression. If the pattern matches, you allow that
filename/path to do whatever it is to be used for; otherwise you give an
error.
--
Eli Allen
eallen@bcpl.net
-
Re: 5 Tips for Thwarting
And be aware, the code is JScript, not VBScript :-)
-
Re: 5 Tips for Thwarting
OK - I must be asking a REALLY dense question... but let me try again... WHERE
do you place this bit of code in order to catch a request for a filename?
Are you building pages that take the filenames as input? Then you post
the requested pages if they fit the correct pattern expression?
Is there an event of the session object - that you trap for in global.asa
where you can check the validity of the requested file prior to posting it?
Is it JScript on the client run in a window_onunload event?
I must be truly missing the big picture - and I thank you all for your time.
Lisa
-
Re: 5 Tips for Thwarting
But that problem is easy to fix. I mean, port the code to VBScript...
--
Eli Allen
eallen@bcpl.net
-
Re: 5 Tips for Thwarting
You have a form that gets a filename/path and submits that information to an
ASP page. You then check the string being passed in, using a regular
expression, on the page being submitted to. If the pattern matches, do
whatever is to be done with the file. If it fails, give an error.
For example, say you have a page called makerequest.asp with a form on it
that submits to handlerequest.asp. The purpose of the form is to ask for a
file name the user wants to display (assuming it's an HTML/ASP file), so the
form contains a text box to type in the filename with path. The user could
then submit "test/sample.htm" to the handlerequest.asp page. The
handlerequest.asp page then checks the string being sent to it against the
regular expression. If the pattern fails, it gives an error message; if it
matches, it does an include of the file and sends that to the user.
global.asa will not help for doing this. Well, it may be a good spot to
stick the regular expression pattern so you use the same one throughout the
site, but that's more a code style issue.
Never run it on the client. Well, you could run it on the client just to
have a better error message, but the real testing should be server side so
that someone can't get around the security check.
--
Eli Allen
eallen@bcpl.net
-
Re: 5 Tips for Thwarting
Thanks
I'm somewhat relieved to know that I'm not missing some master event that
can detect all requests - but that would have been nice to have!
In any event I guess it's time to become familiar with the "Opener" property.
Lisa
-
Re: 5 Tips for Thwarting
The method of opening a file does go through other checks. Whatever way you
are opening a file, I'm sure, has its own parser to check if the name is valid
and that the user context the ASP page is running under has permission, by
checking the ACL that applies to the file. The regular expression, except
for its use in providing a good error message to the user, is used to
prevent taking advantage of any security hole left open on the server
(either on purpose to make the ASP pages work correctly or by forgetting to
secure something).
There is a way to simulate a global master event by creating a wrapper
around the action you are trying to do. You could either do it in a
compiled language like VB and create a COM object to install, or you could
use VBScript or JScript directly in the web site (well, in that the code
lies in the .asa/.asp pages and you don't need to worry about any components).
In the object just have two private variables: one that could be a constant
of the regular expression pattern and the other to hold the filename and
path. It would also have two methods, one to set the filename/path and
return a boolean based on whether the passed-in value matches the regular
expression, and the other to do the actual operation and either return an
object or fill a string with the contents of the file.
Eli Allen
eallen@bcpl.net
-
Re: 5 Tips for Thwarting
Anywhere you get input from the user, for example part of a form post, or
a querystring. That kind of thing!
"LisaWelch" <lisadisc@aol.com> wrote:
>
>OK - I must be asking a REALLY dense question...but let me try again....WHERE
>do you place this bit of code in order to catch a request for a filename?