NetTalk Central

Author Topic: Server refuses to deliver Exe, Com and Pif files  (Read 14570 times)

Bruce

Server refuses to deliver Exe, Com and Pif files
« on: September 04, 2007, 07:03:38 AM »
There are many techniques that malicious programs use to try and get your web server to do something it's not supposed to do. NetTalk, on the other hand, employs several techniques to try and prevent both known and unknown attacks.

One of these techniques is the ValidateFileName method which is part of the WebHandler class (NetWebServerWorker). Inside this method is code that expressly prevents the server from serving (or indeed running) Exe, Com and Pif files.

This can result in two problems, however.

Firstly, if you change the name of your web folder to something including these extensions, then all files in that folder will be suppressed. For example, if you named your folder
www.capesoft.com
then the ".com" part will trigger this method and any files in that folder will be suppressed.

Secondly you may want to serve EXE files directly from your site. (Be aware that some users will be unable to download EXE files directly because of restrictions on their end). If the file has a .EXE extension (or indeed even just .EXE in the name) then the file will not be served.

An obvious solution to the first problem is simply to rename your folder. However, a more generic solution to both problems is to modify the behavior in the ValidateFileName method.

You can do this by going to your WebHandler procedure, right click on the procedure name, and choose "Source". Then do a search for ValidateFileName.

The code currently inside that method (inside the class) looks like this:
  if clip(p_FileName) = ''
    return (-1) ! blank file name
  elsif instring('..', p_FileName, 1, 1)
    return (-2)  ! prevents hacking
  elsif instring('.exe', lower(p_FileName), 1, 1) ! may possibly mean .exe files can not be served? probably a good thing.
    return (-2)  ! prevents hacking
  elsif instring('.com', lower(p_FileName), 1, 1)
    return (-2)  ! prevents hacking
  elsif instring('.pif', lower(p_FileName), 1, 1)
    return (-2)  ! prevents hacking
  end
  return (0)

Using this code as a starting point, write your own code in the WebHandler, before the call to Parent.ValidateFileName. If you do a RETURN before the parent call, then the code in the main class will not run at all.

By editing the code above you can tweak this security behavior to suit your needs.

Cheers
Bruce
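As an added example that is not part of Bruce's post or of NetTalk itself, the following Python models the validator logic quoted above so it can be run offline: validate_substring reproduces the original check (same -1/-2/0 return codes, substring match anywhere in the path, which is what makes a folder named www.capesoft.com trip the ".com" rule), and validate_extension is the kind of replacement you would put in your WebHandler before the call to Parent.ValidateFileName: it keeps the ".." traversal rule unchanged but judges the file type only by the extension of the last path component, with an optional switch to let .exe downloads through while .com and .pif stay blocked. The function names, the allow_exe parameter and all sample paths are constructed for this example; the trailing-dot handling assumes a Windows host, where trailing dots and spaces are ignored when a file is opened.

```python
"""Model of a static-file name validator (added example, not NetTalk code)."""

BLOCKED_EXTENSIONS = {".exe", ".com", ".pif"}


def validate_substring(filename: str) -> int:
    """Original behaviour: any occurrence of '..' or of a blocked extension
    anywhere in the name rejects the request, folder names included."""
    name = filename.strip()
    if not name:
        return -1                      # blank file name
    lower = name.lower()
    if ".." in lower:
        return -2                      # path traversal attempt
    if any(ext in lower for ext in BLOCKED_EXTENSIONS):
        return -2                      # blocked type (also matches folder names)
    return 0


def validate_extension(filename: str, allow_exe: bool = False) -> int:
    """Variant: keep the '..' rule as it is, but decide the file type only
    from the extension of the final path component.  allow_exe=True lets
    .exe files be served while .com and .pif remain blocked."""
    name = filename.strip()
    if not name:
        return -1                      # blank file name
    if ".." in name:
        return -2                      # traversal rule unchanged from the original
    last = name.replace("\\", "/").rsplit("/", 1)[-1]
    # Assumption: Windows host.  Win32 drops trailing dots and spaces when
    # opening a file, so 'setup.exe.' would open setup.exe; strip them
    # before looking at the extension so that trick does not bypass the rule.
    last = last.rstrip(". ")
    ext = ("." + last.rsplit(".", 1)[-1]).lower() if "." in last else ""
    blocked = set(BLOCKED_EXTENSIONS)
    if allow_exe:
        blocked.discard(".exe")
    if ext in blocked:
        return -2                      # blocked type, by real extension only
    return 0


# Constructed sample requests, not taken from the original post.
SAMPLE_PATHS = [
    "www.capesoft.com/index.htm",      # folder name contains '.com'
    "www.capesoft.com/../secret.ini",  # traversal attempt
    "downloads/setup.exe",             # real executable
    "downloads\\SETUP.EXE.",           # trailing-dot variant of the same file
    "downloads/tool.pif",              # blocked even when .exe is allowed
    "release.exe.txt",                 # text file whose name contains '.exe'
]


def compare(paths, allow_exe: bool = False) -> dict:
    """Return {path: (original_result, extension_result)} for each sample."""
    return {p: (validate_substring(p), validate_extension(p, allow_exe))
            for p in paths}


if __name__ == "__main__":
    for path, (old, new) in compare(SAMPLE_PATHS, allow_exe=True).items():
        print(f"{path:35} original={old:3} extension-only={new:3}")
```

Running the block shows the difference in one table: the original check rejects everything under www.capesoft.com and also release.exe.txt, while the extension-only variant serves those, still rejects the traversal attempt and the trailing-dot executable, and only lets setup.exe through when allow_exe is set. Whatever you decide to allow, keep the ".." rule in place; the point of the override is to narrow the file-type test, not to remove the traversal protection.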