Forum: Ruby New webserver

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- and Ruby-related community platforms.
Stuart B. (Guest)
on 2006-06-05 16:52
I'm designing a webserver as my first project on Ruby

I need help with this line

fileLine.sub(/\.\.\//, '')

this is to remove any "../" that occur due to users trying to break in,
or by accident ;)

However, this only removes the first instance of the ../; how do I remove
every instance?

Many thanks

Stuart
Jon L. (Guest)
on 2006-06-05 16:58
(Received via mailing list)
gsub
Edgardo H. (Guest)
on 2006-06-05 17:02
(Received via mailing list)
On 6/5/06, Stuart B. <removed_email_address@domain.invalid> wrote:
> However, this only removes the first instance of the ../ how do I remove
> every instance?


I think you're looking for gsub.

Cheers,
Ed
--
Find "Tu psicópata favorito" (Your favourite psychopath) http://tuxmaniac.blogspot.com

Thou shalt study thy libraries and strive not to reinvent them without
cause,
that thy code may be short and readable and thy days pleasant and
productive.
-- Seventh commandment for C programmers
Mariano K. (Guest)
on 2006-06-05 17:20
(Received via mailing list)
Hi Stuart,

   not sure if it is a good idea to handle security on this level, but
you can try gsub instead of sub to replace all occurrences.

Cheers,
Mariano
Stuart B. (Guest)
on 2006-06-05 18:45
Thanks all, this worked fine

def self.path(path)
  fileLine = path[1].strip                 # element 1 of the caller's array (the request path)
  fileLine = fileLine.gsub(/\.\//, '')     # strip every "./"
  fileLine = fileLine.gsub(/\/\./, '')     # strip every "/."
  fileLine = fileLine.gsub(/\\/, '')       # strip backslashes
  fileLine = fileLine.gsub(/\.{2,}/, '')   # strip any run of two or more dots
  fileLine = fileLine.gsub(/\/{2,}/, '')   # strip any run of two or more slashes
  fileLine = "/srv/www/htdocs/" + fileLine
  return fileLine
end

Is there a way of making it look prettier?

I'm trying to stop people using the address bar to access parts of the
system they should not

Many thanks all

Stuart
Mat S. (Guest)
on 2006-06-05 19:00
(Received via mailing list)
On Jun 5, 2006, at 10:45 AM, Stuart B. wrote:

> return fileLine
> end
>
> Is there a way of making it look prettier?
>
> I'm trying to stop people using the address bar to access parts of the
> system they should not
>
> Many thanks all
>
> Stuart

def self.path(path)
   fileLine = path[1].strip   # strip returns a new String, so gsub! below is safe
   [/\.\//, /\/\./, /\\/, /\.{2,}/, /\/{2,}/].each do |exp|
     fileLine.gsub!(exp, '')
   end
   "/srv/www/htdocs/" + fileLine
end
James G. (Guest)
on 2006-06-05 19:00
(Received via mailing list)
On Jun 5, 2006, at 9:45 AM, Stuart B. wrote:

> return fileLine
> end
>
> Is there a way of making it look prettier?

Perhaps:

def self.path(path)
   path.first.strip.
        gsub(...).
        gsub(...).
        ...
end

Again, Ruby naming conventions are file_line, not fileLine.  Have to
start adopting typical Ruby style so you can get Rubyists interested
in your web server.

James Edward G. II
Mariano K. (Guest)
on 2006-06-05 19:04
(Received via mailing list)
Stuart B. wrote:
>
> Is there a way of making it look prettier?
>
> I'm trying to stop people using the address bar to access parts of the
> system they should not
Stuart,

   why do you try to solve this problem on the string level?

   Wouldn't it make more sense to rely on the OS authorization scheme?
On Unix you can set permissions on files and directories. You can also
start a server using chroot so that nobody can break out (i.e. go up) of
the designated directory/sandbox.

   If you go for the string way, you might need to check if different
encodings of URIs can bust your regexps.

Cheers,
Mariano
Alex Y. (Guest)
on 2006-06-05 19:25
(Received via mailing list)
Stuart B. wrote:
> return fileLine
> end
>
> Is there a way of making it look prettier?
>
> I'm trying to stop people using the address bar to access parts of the
> system they should not

In addition to what others have said, have a look at File.expand_path.
Daniel S. (Guest)
on 2006-06-06 03:59
(Received via mailing list)
> -----Original Message-----
> From: removed_email_address@domain.invalid
> [mailto:removed_email_address@domain.invalid] On Behalf Of Stuart B.
> Subject: New webserver
>
> Im designing a webserver as my first project on Ruby
>
> I need help with this line
>
> fileLine.sub(/\.\.\//, '')

If you want to write an HTTP server, read the HTTP specification and go
from there. Trying to sanitise a URL with regexes WILL leave you with
security holes. If you're writing anything for which there's a
specification, read the specification carefully and implement
(preferably test-first) from that. The specification writers are much
smarter than you, and will have thought of many things that you will not
think of until it's too late.

Regexes are GREAT for all sorts of string manipulation tasks, but they're
the wrong tool for parsing even a mildly complex language.  Parse the
input using a proper parser.

That said, as long as you never, ever plan on exposing this thing to the
public internet, have fun learning.
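Mariano's point about URI encodings, Alex's pointer to File.expand_path and Daniel's warning that regexes are the wrong tool can be put side by side. The following is an added example, not code from the thread or from Stuart's server: it reproduces the regex chain posted above, then a hardened `safe_path` that percent-decodes first, canonicalises with `File.expand_path` and requires the result to stay under the document root. It assumes the server percent-decodes the request path at some point before opening the file (a real server must, to serve names containing spaces), and that this decoding happens after the sanitiser; the posted code never decodes at all, so that is an assumption about where it would be added. `DOCROOT`, `percent_decode`, `regex_path`, `opened_by_regex_server` and `safe_path` are names invented for the example.

```ruby
# Added example (not from the thread): string-stripping sanitiser versus
# decode-canonicalise-check, on constructed request paths.

DOCROOT = "/srv/www/htdocs".freeze   # the document root used in the thread

# Minimal percent-decoder for the example (ASCII input only); a real server
# would use its URI library's unescape.
def percent_decode(str)
  str.gsub(/%(\h{2})/) { $1.hex.chr }
end

# The regex chain from the thread, same behaviour: strip "./", "/.", backslashes,
# runs of dots and runs of slashes, then prepend the root.
def regex_path(request_path)
  s = request_path.strip
  [/\.\//, /\/\./, /\\/, /\.{2,}/, /\/{2,}/].each { |re| s = s.gsub(re, '') }
  DOCROOT + "/" + s
end

# Assumption for the example: the server percent-decodes AFTER sanitising
# (the posted code never decodes, so decoding would have to be added later).
# Returns the path the OS would actually be asked to open.
def opened_by_regex_server(request_path)
  File.expand_path(percent_decode(regex_path(request_path)))
end

# Hardened version: decode first (so the check sees what the filesystem will
# see), reject NUL, canonicalise with File.expand_path, and require the result
# to stay under DOCROOT. Returns nil for anything that escapes.
def safe_path(request_path)
  decoded = percent_decode(request_path.strip)
  return nil if decoded.include?("\0")     # NUL would truncate the name in open(2)
  full = File.expand_path(File.join(DOCROOT, decoded))
  # Trailing "/" matters: a bare prefix test would accept "/srv/www/htdocs2/x".
  return nil unless full == DOCROOT || full.start_with?(DOCROOT + "/")
  full
end

if __FILE__ == $0
  ["/index.html", "/../../../etc/passwd", "/%2e%2e/%2e%2e/%2e%2e/etc/passwd"].each do |req|
    printf "%-36s regex chain -> %-30s safe_path -> %s\n",
           req, opened_by_regex_server(req), safe_path(req).inspect
  end
end
```

The literal `../../../etc/passwd` is neutralised by the regex chain, because the `\.{2,}` pass eventually deletes every pair of dots, but `%2e%2e/` contains no dot, no `./` and no `//`, so it passes through untouched and becomes a traversal the moment it is decoded. Decoding before the check and comparing the canonical path against the root closes that, whatever encoding the client used. `File.expand_path` does not resolve symlinks; if a symlink inside htdocs may point outside it, `File.realpath` (on an existing file) gives the path to compare, and Mariano's chroot suggestion is an independent layer underneath either check.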
Stuart B. (Guest)
on 2006-06-06 16:54
Thanks everyone for your help

I have another question: can I use Ruby threads to have more than 1
server process running on the same port?

something like

require 'socket'

port = (ARGV[0] || 80).to_i
server = TCPServer.new('localhost', port)
threads = []

10.times do |i|
  threads[i] = Thread.new {
    while (session = server.accept)
      puts "Request: #{session.gets}"
      # the status line is "200 OK", not "200/OK"
      session.print "HTTP/1.1 200 OK\r\nContent-type: text/html\r\n\r\n"
      session.print "<html><body><h1>#{Time.now}</h1></body></html>\r\n"
      session.close
    end
  }
end

threads.each { |t| t.join }   # keep the main thread alive, otherwise the script exits at once
end


Would this produce 10 processes that could take independent connections?
Stuart B. (Guest)
on 2006-06-06 18:53
Hi all, not to worry, I'll start a new thread with this one as it's going
off subject

Many thanks

Stuart