Solved

A cross-site and a file canonicalization problems

Posted on 2011-03-04
2
1,777 Views
Last Modified: 2012-05-11
Hi. I'm analyzing my code C# with CAT.NET Code Analysis and getting "Sanitize the file path prior to passing it to file system routines" message for File.Move(Path + "\\...

and a cross-site redirection vulnerability “Do not allow off-site redirections to absolute URLs that can be specified by the user” for  Response.Redirect("file:" + Path + "\\...

Is there any solution to these problem?  Thanks!

protected void Button1_Click(object sender, EventArgs e)
{
 if (FileExt == "aa")
 {
   if (ListBox1.SelectedValue == "")
   {
     Response.Redirect("Page1.aspx");
   }
   else
   {
Response.Redirect("file:" + Path + "\\filepath_aa\\" + Status + "\\" + ListBox1.SelectedValue);
   }
 }
 else if (FileExt == "bb")
 {
   if (ListBox1.SelectedValue == "")
   {
     Response.Redirect("Page1.aspx");
   }
   else
   {
Response.Redirect("file:" + Path + "\\filepath_bb\\" + Status + "\\" + ListBox1.SelectedValue);
   }
 }
}

protected void Button2_Click(object sender, EventArgs e)
{
 if (FileExt == "aa")
 {
  if (Status == "New")
  {
   if (ListBox1.SelectedValue == "")
   {
     Response.Redirect("Page1.aspx");
   }
   else
   {
File.Move(Path + "\\filepath_aa\\New\\" + ListBox1.SelectedValue, Path + "\\filepath_aa\\New\\New_Items\\" + ListBox1.SelectedValue);
   }
  }
  else if (Status == "Closed")
  {
   if (ListBox1.SelectedValue == "")
   {
     Response.Redirect("Page1.aspx");
   }
   else
   {
File.Move(Path + "\\filepath_aa\\Closed\\" + ListBox1.SelectedValue, Path + "\\filepath_aa\\Closed\\Closed_Items\\" + ListBox1.SelectedValue);
    }
   }…
0
Comment
Question by:avi7
2 Comments
 
LVL 23

Accepted Solution

by:
wdosanjos earned 500 total points
ID: 35041401
I think your ListBox1.SelectedValue variable is causing the problem.

Try validating ListBox1.SelectedValue against the list used to populate it.  This is to garantee that the user did not temper with the values.  Maybe something like this:

Dim validValues As HashSet(Of String)
Dim selectedValue As String

selectedValue = validValues(ListBox1.SelectedValue)

...

Response.Redirect("file:" + Path + "\\filepath_aa\\" + Status + "\\" + selectedValue);

Open in new window


If Path and Status also come from user input they need to be validated also.

I hope this helps.
0
 

Author Closing Comment

by:avi7
ID: 35047053
Thanks!
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction Although it is an old technology, serial ports are still being used by many hardware manufacturers. If you develop applications in C#, Microsoft .NET framework has SerialPort class to communicate with the serial ports.  I needed to…
Exception Handling is in the core of any application that is able to dignify its name. In this article, I'll guide you through the process of writing a DRY (Don't Repeat Yourself) Exception Handling mechanism, using Aspect Oriented Programming.
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

831 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question