Be careful with using Path.Combine() #32

Open
@MarcusWichelmann

The code is using the C# Helper method Path.Combine() in multiple places. For example: https://github.com/FubarDevelopment/WebDavServer/blob/master/src/FubarDev.WebDavServer.FileSystem.DotNet/DotNetDirectory.cs#L101

Do you know that using this method might result in some unwanted behaviours and could cause serious security issues?
As explained in the remarks of the API documentation (https://msdn.microsoft.com/de-de/library/fyy7a5kt%28v=vs.110%29.aspx?f=255&MSPPError=-2147217396), the method call
Path.Combine(@"C:\MyWebDavDir", @"C:\Passwords\VerySecretFile.txt") will result in "C:\Passwords\VerySecretFile.txt".

Like in some of the methods in the DotNetFileSystem classes, the second argument of Path.Combine is often user-defined and therefore it might be possible to leave the WebDav root directory and read/write to any file on the system. At least on Windows.

I didn't check the full code to make sure this is actually possible, but I'd recommend replacing every call to Path.Combine with one to your own, more secure implementation.

And by the way: Many thanks for this awesome library!
Kind regards, Marcus Wichelmann
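
One way to write the kind of replacement the issue recommends, as an added example that is not part of the original issue or of the WebDavServer code base. `SafePath.CombineUnderRoot` and the sample paths are hypothetical; the helper canonicalizes the combined path and rejects anything that does not stay under the root.

```csharp
using System;
using System.IO;

static class SafePath
{
    // Hypothetical helper (not from the project): resolve a client-supplied
    // path under 'root', or throw if the result would land outside it.
    public static string CombineUnderRoot(string root, string userPart)
    {
        if (string.IsNullOrWhiteSpace(userPart))
            throw new ArgumentException("Empty path.", nameof(userPart));

        // Canonical root with exactly one trailing separator, so a sibling
        // such as "MyWebDavDir2" cannot pass the prefix check below.
        string fullRoot = Path.GetFullPath(root).TrimEnd(
            Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
            + Path.DirectorySeparatorChar;

        // Path.Combine drops 'fullRoot' when userPart is rooted, and
        // GetFullPath collapses ".." segments; canonicalize first, then check.
        string candidate = Path.GetFullPath(Path.Combine(fullRoot, userPart));

        // Assumption: case-insensitive file system on Windows, case-sensitive elsewhere.
        var cmp = Path.DirectorySeparatorChar == '\\'
            ? StringComparison.OrdinalIgnoreCase : StringComparison.Ordinal;
        if (!candidate.StartsWith(fullRoot, cmp))
            throw new UnauthorizedAccessException("Path escapes the root: " + userPart);
        return candidate;
    }
}

static class Program
{
    static void Main()
    {
        // Constructed sample inputs; the directory names are placeholders.
        string root = Path.Combine(Path.GetTempPath(), "MyWebDavDir");
        string rooted = Path.Combine(Path.GetTempPath(), "Passwords", "VerySecretFile.txt");
        foreach (string input in new[] { "docs/report.txt", "../MyWebDavDir2/x.txt", rooted })
        {
            Console.WriteLine("Path.Combine -> " + Path.Combine(root, input));
            try { Console.WriteLine("  accepted: " + SafePath.CombineUnderRoot(root, input)); }
            catch (UnauthorizedAccessException e) { Console.WriteLine("  rejected: " + e.Message); }
        }
    }
}
```

`Path.GetFullPath` normalizes the string only; it does not resolve symbolic links or junctions, so a link inside the root that points elsewhere needs a separate check.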