Ayende @ Rahien

A web server in 30 lines of code

Just found myself writing that, and it was amusing.

import System.Net
import System.IO

if argv.Length != 2:
	print "You must pass [prefix] [path] as parameters"
	return

prefix = argv[0]
path = argv[1]

if not Directory.Exists(path):
	print "Could not find ${path}"
	return

listener = HttpListener()
listener.Prefixes.Add(prefix)
listener.Start()

while true:
	context = listener.GetContext()
	file = Path.GetFileName(context.Request.RawUrl)
	fullPath = Path.Combine(path, file)
	if File.Exists(fullPath):
		context.Response.AddHeader("Content-Disposition","attachment; filename=${file}")
		bytes = File.ReadAllBytes(fullPath)
		context.Response.OutputStream.Write(bytes, 0, bytes.Length)
		context.Response.OutputStream.Flush()
		context.Response.Close()
	else:
		context.Response.StatusCode = 404
		context.Response.Close()

Comments

03/30/2008 08:31 PM by Tuna Toksoz

the altdotnet style :)

03/31/2008 04:31 PM by Thomas Krause

But, what happens if you pass something like:

http://localhost/prefix/../../../Windows/System32/Secret.File

Sorry, couldn't resist ;-)

03/31/2008 04:35 PM by Ayende Rahien

Well, did you note

Path.GetFileName(context.Request.RawUrl)

??

That will stop those attacks

03/31/2008 08:20 PM by Thomas Krause

Oh, you're right. I missed that somehow. I read something like:

fullPath = Path.Combine(path, context.Request.RawUrl)

Never mind...
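
The file-name reduction discussed in this thread, next to the Path.Combine(path, RawUrl) variant from the last comment, as an added C# example (not code from the post or its commenters). The helper name Resolve, the sample root and the request URLs are constructed; the query-string stripping, percent-decoding and containment check are assumptions that go beyond what the post's code does.

```csharp
using System;
using System.IO;

static class SafeResolve
{
    // Hypothetical helper: returns the file to serve under root, or null for a 404.
    public static string Resolve(string root, string rawUrl)
    {
        // RawUrl still carries the query string and is not percent-decoded.
        int q = rawUrl.IndexOf('?');
        string decoded = Uri.UnescapeDataString(q >= 0 ? rawUrl.Substring(0, q) : rawUrl);
        if (decoded.IndexOfAny(Path.GetInvalidPathChars()) >= 0)
            return null;
        // Decode first, then keep only the last segment, so an encoded
        // separator cannot survive the reduction.
        string name = Path.GetFileName(decoded);
        if (name.Length == 0 || name == "." || name == ".." ||
            name.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
            return null;

        // Second layer: canonicalise and confirm the result is inside root.
        string rootFull = Path.GetFullPath(root).TrimEnd(Path.DirectorySeparatorChar)
                          + Path.DirectorySeparatorChar;
        string full = Path.GetFullPath(Path.Combine(rootFull, name));
        return full.StartsWith(rootFull, StringComparison.Ordinal) ? full : null;
    }

    static void Main()
    {
        string root = Path.Combine(Path.GetTempPath(), "served"); // constructed root
        string[] requests = {                                     // constructed URLs
            "/prefix/report.pdf?v=2",
            "/prefix/../../../Windows/System32/Secret.File",
            "/prefix/..%2f..%2fSecret.File",
            "/prefix/..",
        };
        foreach (string url in requests)
        {
            // The variant from the last comment: a rooted second argument
            // makes Path.Combine return it unchanged, so root is discarded.
            string combineOnly = Path.Combine(root, url);
            Console.WriteLine("{0}\n  Combine only: {1}\n  Resolve:      {2}",
                url, combineOnly, Resolve(root, url) ?? "(404)");
        }
    }
}
```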

Comments have been closed on this topic.