
Thread: 5 Tips for Thwarting

  1. #1
    LisaWelch Guest

    5 Tips for Thwarting


    Hello Michael Howard:
    Have saved a copy of your article until our web project nears completion.
    Going through it again today - I am confused by one point. Please forgive
    this inexperienced security question! In your article you mention restricting
    the posts to avoid bogus filenames. You give a great snippet of code example.
    Where are you able to implement that script to restrict filenames?
    Thanks!
    Lisa

  2. #2
    Michael Howard Guest

    Re: 5 Tips for Thwarting


    "LisaWelch" <lisadisc@aol.com> wrote:



  3. #3
    Michael Howard Guest

    Re: 5 Tips for Thwarting


    Hi Lisa

    The purpose of the script is to restrict what determines a valid filename.
    What problem are you seeing, and on what platform?

    "LisaWelch" <lisadisc@aol.com> wrote:



  4. #4
    Eli Allen Guest

    Re: 5 Tips for Thwarting

    You pass in the filename/path itself as a string. Then you check that
    string by using a regular expression. If the pattern matches, you allow that
    filename/path to do whatever it is to be used for; otherwise you give an
    error.
    --
    Eli Allen
    eallen@bcpl.net

    "LisaWelch" <lisadisc@aol.com> wrote in message
    news:3a926af8$1@news.devx.com...




  5. #5
    Michael Howard Guest

    Re: 5 Tips for Thwarting


    And be aware, the code is JScript, not VBScript :-)

    "Eli Allen" <eallen@bcpl.net> wrote:



  6. #6
    LisaWelch Guest

    Re: 5 Tips for Thwarting


    OK - I must be asking a REALLY dense question... but let me try again... WHERE
    do you place this bit of code in order to catch a request for a filename?

    Are you building pages - that take the filenames as input? Then you post
    the requested pages if it fits the correct pattern expression?

    Is there an event of the session object - that you trap for in global.asa
    where you can check the validity of the requested file prior to posting it?

    Is it JScript on the client run in a window_onunload event?

    I must be truly missing the big picture - and I thank you all for your time.

    Lisa





    "Michael Howard" <mikehow@microsoft.com> wrote:



  7. #7
    Eli Allen Guest

    Re: 5 Tips for Thwarting

    But that problem is easy to fix. I mean, port the code to VBScript...
    --
    Eli Allen
    eallen@bcpl.net

    "Michael Howard" <mikehow@microsoft.com> wrote in message
    news:3a957fb6$1@news.devx.com...




  8. #8
    Eli Allen Guest

    Re: 5 Tips for Thwarting

    You have a form that gets a filename/path and submits that information to an
    ASP page. You then check the string being passed in using a regular
    expression on the page being submitted to. If the pattern matches, do
    whatever is to be done with the file. If it fails, give an error.

    For example, say you have a page called makerequest.asp with a form on it
    that submits to handlerequest.asp. The purpose of the form is to ask for a
    file name the user wants to display (assuming it's an HTML/ASP file), so the
    form contains a text box to type in the filename with path. The user could
    then submit "test/sample.htm" to the handlerequest.asp page. The
    handlerequest.asp page then checks the string being sent to it against the
    regular expression. If the pattern fails, it gives an error message; if it
    matches, then it does an include of the file and sends that to the user.

    global.asa will not help for doing this. Well, it may be a good spot to
    stick the regular expression pattern so you use the same one throughout the
    site, but that's more a code style issue.

    Never run it on the client. Well, you could run it on the client just to
    have a better error message, but the real testing should be server side so
    that someone can't get around the security check.

    --
    Eli Allen
    eallen@bcpl.net

    "LisaWelch" <lisadisc@aol.com> wrote in message
    news:3a958832$1@news.devx.com...




  9. #9
    LisaWelch Guest

    Re: 5 Tips for Thwarting


    Thanks.
    I'm somewhat relieved to know that I'm not missing some master event that
    can detect all requests - but that would have been nice to have!

    In any event, I guess it's time to become familiar with the "Opener" property.

    Lisa

    "Eli Allen" <eallen@bcpl.net> wrote:



  10. #10
    Eli Allen Guest

    Re: 5 Tips for Thwarting

    The method of opening a file does go through other checks. Whatever way you
    are opening a file, I'm sure it has its own parser to check if the name is
    valid and that the user context the ASP page is running under has permission,
    by checking the ACL that applies to the file. The regular expression, except
    for its use in providing a good error message to the user, is used to
    prevent taking advantage of any security hole left open on the server
    (either on purpose to make the ASP pages work correctly or by forgetting to
    secure something).

    There is a way to simulate a global master event by creating a wrapper
    around the action you are trying to do. You could either do it in a
    compiled language like VB and create a COM object to install, or you could
    use VBScript or JScript directly in the web site (well, in that the code
    lies in the asa/asp pages and you don't need to worry about any components).

    In the object, just have two private variables: one that could be a constant
    of the regular expression pattern and the other to hold the filename and
    path. It would also have two methods: one to set the filename/path and
    return a boolean based on whether the passed-in value matches the regular
    expression, and the other to do the actual operation and either return an
    object or fill a string with the contents of the file.

    Eli Allen
    eallen@bcpl.net

    "LisaWelch" <lisadisc@aol.com> wrote in message
    news:3a95a97e$1@news.devx.com...
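An added example, not code from this thread or from Michael Howard's article: the server-side flow Eli describes in #8 (the form value is checked in handlerequest.asp before the include) written as the wrapper object he sketches in #10, with a private pattern, a private filename, a setter that returns a boolean, and a read method that performs the operation. The names SafeFile, handleRequest, SAFE_FILE_PATTERN and the SITE_FILES stand-in for the web root are my assumptions; it is plain ES3-style JavaScript so the same code runs in Node and in classic ASP JScript, with Request/Response and the include stubbed out.

```javascript
// Added example (not from the DevX thread or Michael Howard's article): the
// wrapper object Eli Allen describes, in ES3-style JavaScript so it runs both
// in Node and in classic ASP JScript. Request/Response and the include are
// replaced by a plain function argument and an in-memory stand-in.

// Allow-list pattern (constructed): path segments of letters, digits, "_" or "-",
// separated by forward slashes, ending in .htm, .html or .asp. Anything else
// ("..", backslashes, drive letters, NUL bytes, %-encoding, spaces) fails.
var SAFE_FILE_PATTERN = /^[A-Za-z0-9_-]+(\/[A-Za-z0-9_-]+)*\.(htm|html|asp)$/;

// Constructed stand-in for the web root; a real handler page would include
// or Server.Execute the file instead of looking it up in a table.
var SITE_FILES = {
  "test/sample.htm": "<h1>Sample</h1>",
  "index.asp": "<%= Now() %>"
};

// The wrapper: two private variables (pattern, filename) and two methods.
function SafeFile() {
  var pattern = SAFE_FILE_PATTERN;   // private: the allow-list regex
  var filename = null;               // private: only ever holds a validated value

  // Method 1: validate and store. Returns true only when the value is allowed.
  this.setFilename = function (value) {
    if (typeof value !== "string" || !pattern.test(value)) {
      filename = null;
      return false;
    }
    filename = value;
    return true;
  };

  // Method 2: the actual operation. It refuses to run without a validated
  // name, so the check cannot be skipped by calling read() directly.
  this.read = function () {
    if (filename === null) {
      throw new Error("SafeFile.read called before a valid filename was set");
    }
    if (!Object.prototype.hasOwnProperty.call(SITE_FILES, filename)) {
      return null; // well-formed name, but no such file
    }
    return SITE_FILES[filename];
  };
}

// What handlerequest.asp does with Request.Form("filename"): validate first,
// then include. Returns a result object instead of writing to Response.
function handleRequest(formValue) {
  var f = new SafeFile();
  if (!f.setFilename(formValue)) {
    return { ok: false, error: "Invalid filename" };
  }
  var body = f.read();
  if (body === null) {
    return { ok: false, error: "File not found" };
  }
  return { ok: true, body: body };
}

// Demo when run directly: the first request is served, the second rejected.
if (typeof require !== "undefined" && require.main === module) {
  console.log(handleRequest("test/sample.htm"));
  console.log(handleRequest("../global.asa"));
}
```

Because `$` in a JavaScript regex without the `m` flag matches only at the true end of the string, a trailing newline or NUL byte after ".htm" is rejected too, which is the behaviour you want from an allow-list.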




  11. #11
    Michael Howard Guest

    Re: 5 Tips for Thwarting


    Anywhere you get input from the user, for example part of a form post or
    a querystring. That kind of thing!

    "LisaWelch" <lisadisc@aol.com> wrote:


