Forum: Ruby New webserver

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- und Ruby-related community platforms.
Stuart Brand (stuartbrand)
on 2006-06-05 14:52
I'm designing a webserver as my first project on Ruby

I need help with this line

fileLine.sub(/\.\.\//, '')

this is to remove any "../" that occur due to users trying to break in,
or by accident ;)

However, this only removes the first instance of the ../ how do I remove
every instance?

Many thanks

Stuart
Jon Lim (Guest)
on 2006-06-05 14:58
(Received via mailing list)
gsub
Edgardo Hames (Guest)
on 2006-06-05 15:02
(Received via mailing list)
On 6/5/06, Stuart Brand <stuart@server-solution.co.uk> wrote:
> However, this only removes the first instance of the ../ how do I remove
> every instance?


I think you're looking for gsub.

Cheers,
Ed
--
Find "Tu psicópata favorito" http://tuxmaniac.blogspot.com

Thou shalt study thy libraries and strive not to reinvent them without
cause,
that thy code may be short and readable and thy days pleasant and
productive.
-- Seventh commandment for C programmers
Mariano Kamp (Guest)
on 2006-06-05 15:20
(Received via mailing list)
Hi Stuart,

   not sure if it is a good idea to handle security on this level, but
you can try gsub instead of sub to replace all occurrences.

Cheers,
Mariano
Stuart Brand (stuartbrand)
on 2006-06-05 16:45
Thanks all, this worked fine

def self.path(path)
  # path is the split request line ("GET /index.html HTTP/1.1"), so
  # path[1] is the requested URL
  fileLine = path[1].strip
  fileLine = fileLine.gsub(/\.\//, '')    # strip every "./"
  fileLine = fileLine.gsub(/\/\./, '')    # strip every "/."
  fileLine = fileLine.gsub(/\\/, '')      # strip backslashes
  fileLine = fileLine.gsub(/\.{2,}/, '')  # strip runs of two or more dots
  fileLine = fileLine.gsub(/\/{2,}/, '')  # strip runs of two or more slashes
  fileLine = "/srv/www/htdocs/" + fileLine
  return fileLine
end

Is there a way of making it look prettier?

I'm trying to stop people using the address bar to access parts of the
system they should not

Many thanks all

Stuart
Mat Schaffer (Guest)
on 2006-06-05 17:00
(Received via mailing list)
On Jun 5, 2006, at 10:45 AM, Stuart Brand wrote:

> return fileLine
> end
>
> Is there a way of making it look prettier?
>
> I'm trying to stop people using the address bar to access parts of the
> system they should not
>
> Many thanks all
>
> Stuart

def self.path(path)
  # this first step was missing from the post; same as in Stuart's version
  fileLine = path[1].strip
  # apply each of Stuart's patterns in turn, in place
  [/\.\//, /\/\./, /\\/, /\.{2,}/, /\/{2,}/].each do |exp|
    fileLine.gsub!(exp, '')
  end
  "/srv/www/htdocs/" + fileLine
end
James Gray (bbazzarrakk)
on 2006-06-05 17:00
(Received via mailing list)
On Jun 5, 2006, at 9:45 AM, Stuart Brand wrote:

> return fileLine
> end
>
> Is there a way of making it look prettier?

Perhaps:

def self.path(path)
  # one method chain, filled in with the same patterns Stuart posted above
  # (path[1] is the URL token of the request line, as in Stuart's version)
  file_line = path[1].strip.
                gsub(/\.\//, '').
                gsub(/\/\./, '').
                gsub(/\\/, '').
                gsub(/\.{2,}/, '').
                gsub(/\/{2,}/, '')
  "/srv/www/htdocs/" + file_line
end

Again, Ruby naming conventions are file_line, not fileLine.  You have to
start adopting typical Ruby style so you can get Rubyists interested
in your web server.

James Edward Gray II
Mariano Kamp (Guest)
on 2006-06-05 17:04
(Received via mailing list)
Stuart Brand wrote:
>
> Is there a way of making it look prettier?
>
> I'm trying to stop people using the address bar to access parts of the
> system they should not
Stuart,

   why do you try to solve this problem on the string level?

   Wouldn't it make more sense to rely on the OS authorization scheme?
On Unix you can set permissions on files and directories. You can also
start a server using chroot so that nobody can break out (i.e. go up) of
the designated directory/sandbox.

   If you go for the string way, you might need to check if different
encodings of URIs can bust your regexps.

Cheers,
Mariano
Alex Young (regularfry)
on 2006-06-05 17:25
(Received via mailing list)
Stuart Brand wrote:
> return fileLine
> end
>
> Is there a way of making it look prettier?
>
> I'm trying to stop people using the address bar to access parts of the
> system they should not

In addition to what others have said, have a look at File.expand_path.
Daniel Sheppard (Guest)
on 2006-06-06 01:59
(Received via mailing list)
> -----Original Message-----
> From: list-bounce@example.com
> [mailto:list-bounce@example.com] On Behalf Of Stuart Brand
> Subject: New webserver
>
> I'm designing a webserver as my first project on Ruby
>
> I need help with this line
>
> fileLine.sub(/\.\.\//, '')

If you want to write an HTTP server, read the HTTP specification and go
from there. Trying to sanitise a URL with regexes WILL leave you with
security holes. If you're writing anything for which there's a
specification, read the specification carefully and implement
(preferably test-first) from that. The specification writers are much
smarter than you, and will have thought of many things that you will not
think of until it's too late.

Regexes are GREAT for all sorts of string manipulation tasks, but they're
the wrong tool for parsing even a mildly complex language.  Parse the
input using a proper parser.

That said, as long as you never, ever plan on exposing this thing to the
public internet, have fun learning.
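The three pieces of advice above (Mariano's warning that URI encodings can get past a regexp, Alex's pointer to File.expand_path, and Daniel's "parse it properly") fit together into one check. The example below is added here and is not code from the thread: it keeps Stuart's regexp-stripping method as strip_dots for comparison, and puts a canonicalise-then-check-containment resolver next to it. The document root is the /srv/www/htdocs directory from Stuart's code; the percent-decoding helper and the NUL check are this example's own assumptions about what a minimal server needs before touching the filesystem.

```ruby
require 'uri'

# Document root, taken from Stuart's code above.
DOC_ROOT = '/srv/www/htdocs'.freeze

# Stuart's regexp-stripping version from the thread, reproduced for comparison.
def strip_dots(url)
  file_line = url.strip
  [/\.\//, /\/\./, /\\/, /\.{2,}/, /\/{2,}/].each { |exp| file_line = file_line.gsub(exp, '') }
  DOC_ROOT + '/' + file_line
end

# Canonicalise first, then check containment. Returns the absolute path of the
# requested file under +root+, or nil when the request resolves outside it
# (or cannot be parsed at all).
def resolve_under_root(request_target, root = DOC_ROOT)
  # 1. Parse the request target as a URI, so "?query" and "#fragment" are not
  #    mistaken for part of the file name (Daniel's "use a proper parser").
  path = URI.parse(request_target).path.to_s
  # 2. Undo percent-encoding before looking at the path: "%2e%2e" is ".." once
  #    decoded, which is why a regexp looking for the literal characters "../"
  #    is not enough (Mariano's encoding caveat). Decode exactly once; the
  #    decoded string is what the filesystem will see.
  path = path.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
  return nil if path.include?("\0")   # a NUL byte would truncate the name in C-level calls
  # 3. Let File.expand_path resolve "." and ".." lexically (Alex's suggestion).
  #    The leading "." makes the request path relative to root; an absolute
  #    request such as "/../x" would otherwise ignore root entirely.
  full = File.expand_path('.' + path, root)
  # 4. The only test that matters: is the result still inside the root?
  return nil unless full == root || full.start_with?(root + '/')
  full
rescue URI::InvalidURIError
  nil
end

if __FILE__ == $0
  ['/index.html', '/docs/../index.html?x=1', '/notes..2006.txt',
   '/../../etc/passwd', '/%2e%2e/%2e%2e/%2e%2e/etc/passwd'].each do |req|
    puts format('%-40s strip_dots=%-45s resolve=%s', req, strip_dots(req), resolve_under_root(req).inspect)
  end
end
```

Two things the side-by-side run makes visible: the stripping approach alters legitimate names (a file called notes..2006.txt becomes notes2006.txt) while letting the percent-encoded form of ".." through untouched, whereas the containment check accepts the first and rejects the second without needing to enumerate bad patterns. File.expand_path is purely lexical; if the document root can contain symlinks, resolve the result again with File.realpath (which requires the file to exist) before serving it.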
Stuart Brand (stuartbrand)
on 2006-06-06 14:54
Thanks everyone for your help

I have another question: can I use Ruby threads to have more than 1
server process running on the same port?

something like

require 'socket'

port = (ARGV[0] || 80).to_i
server = TCPServer.new('localhost', port)   # one listening socket, shared by every thread
threads = []

10.times do |i|
  threads[i] = Thread.new do
    # each thread blocks in accept; whichever wakes up serves that connection
    while (session = server.accept)
      puts "Request: #{session.gets}"
      session.print "HTTP/1.1 200 OK\r\nContent-type: text/html\r\n\r\n"
      session.print "<html><body><h1>#{Time.now}</h1></body></html>\r\n"
      session.close
    end
  end
end

threads.each(&:join)   # keep the main thread alive, otherwise it exits and takes the workers with it


Would this produce 10 processes that could take independent connections?
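Nobody answers the question in this thread, so here is a runnable version of the idea, added as an example and not code from the thread. Thread.new creates threads inside the one Ruby process, not separate processes; all of them share the single listening socket, and each call to accept hands back an independent connection. To make that observable the server below binds to an ephemeral port on the loopback interface, tags each response with the id of the worker thread that handled it (an X-Worker header invented for this example), and a small client reads the tags back; the handler, the names and the loopback demo are this example's own assumptions.

```ruby
require 'socket'

# Serve one HTTP connection: read the request line, answer with the time and
# the id of the worker that handled it, then close. The X-Worker header exists
# only so the client in this example can see which thread answered.
def handle(session, worker_id)
  request_line = session.gets
  body = "<html><body><h1>#{Time.now}</h1></body></html>\r\n"
  session.print "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n" \
                "X-Worker: #{worker_id}\r\nContent-Length: #{body.bytesize}\r\n\r\n"
  session.print body
  request_line
ensure
  session.close
end

# Start +workers+ threads that all block in accept on the same listening
# socket. Returns [server, threads]; closing the server makes the blocked
# accept calls raise, which is how the workers are told to stop.
def start_server(workers, host = '127.0.0.1', port = 0)
  server = TCPServer.new(host, port)
  threads = Array.new(workers) do |i|
    Thread.new do
      loop do
        begin
          session = server.accept
        rescue IOError, Errno::EBADF   # listening socket closed: shut this worker down
          break
        end
        handle(session, i)
      end
    end
  end
  [server, threads]
end

# Send +n+ sequential requests and return the worker ids that answered them,
# read back from the X-Worker header.
def fetch_workers(port, n)
  Array.new(n) do
    sock = TCPSocket.new('127.0.0.1', port)
    sock.print "GET / HTTP/1.1\r\nHost: localhost\r\n\r\n"
    response = sock.read          # server closes the connection, so read runs to EOF
    sock.close
    response[/^X-Worker: (\d+)/, 1].to_i
  end
end

# Bring up the server, issue the requests, shut down cleanly, return the ids.
def demo(workers = 10, requests = 20)
  server, threads = start_server(workers)
  port = server.addr[1]           # the ephemeral port the kernel picked
  ids = fetch_workers(port, requests)
  server.close
  threads.each(&:join)
  ids
end

if __FILE__ == $0
  ids = demo
  puts "#{ids.size} requests served by worker threads #{ids.uniq.sort.inspect}"
end
```

Which worker wins a given accept is up to the scheduler, so the set of ids printed varies between runs; what is fixed is that every request is answered by exactly one of the workers and that there is still only one process listening on the port.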
Stuart Brand (stuartbrand)
on 2006-06-06 16:53
Hi all, not to worry, I'll start a new thread with this one as it's going
off subject

Many thanks

Stuart