On Sun, 2003-08-31 at 10:56, Greg Ford wrote:
> > There's a magic number to tell SWISH-E the index is the wrong version.
> How do I retrieve that number from the library?
I don't think you can. But, it should be possible to add a function to
look up the magic numbers. (Seek to position 0 in the index file and
read a long.) Not sure if you'd need to. If the magic numbers don't
match, SWISH-E will error with:

    File "filename" has an unknown format.
> 2) writing a function to check the filename for potential hacks (leading
> backslashes, drive specifications or ..\..\.. stuff) - probably we should just reject any
> string containing slashes, colons or backslashes?
Rather than check filenames within the string I'd check the entire
string. And rather than check for bad characters I'd just check that
the entire string only contains 0-9, A-Z, a-z, ' ' and a single '.'
(valid: "help.idx docs test.idx test2.idx" invalid: "help..idx
looney-bin.idx docs-'n-more") We'd just document the filename
restrictions and leave it at that.
I wouldn't want to try to guess all the ways someone could play games
with filenames on Windows. And that still leaves open access to special
device files since, by all lack of reason, devices are magical hidden
files in all directories. I think we could feasibly block access to
them by reading the list of special files (at least on NT?) from
somewhere in the registry. But, that's possibly overkill.
ICQ - 412039
Received on Sun Aug 31 19:53:45 2003
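The allowlist check proposed in the reply above, sketched in C as an added example (not code from the original mail or from SWISH-E). The function names are hypothetical. It goes one step beyond the mail by rejecting empty name stems and the classic DOS device names (CON, PRN, AUX, NUL, COM1-9, LPT1-9) from a fixed list, which is an assumption made here instead of the registry lookup the mail mentions.

```c
#include <ctype.h>
#include <string.h>

/* Case-insensitive compare of the first n bytes of s with upper-case word w. */
static int stem_equals(const char *s, size_t n, const char *w)
{
    size_t i;
    if (strlen(w) != n) return 0;
    for (i = 0; i < n; i++)
        if (toupper((unsigned char)s[i]) != w[i]) return 0;
    return 1;
}

/* Assumption (not from the mail): fixed list of DOS device names. */
static int is_device_stem(const char *s, size_t n)
{
    if (stem_equals(s, n, "CON") || stem_equals(s, n, "PRN") ||
        stem_equals(s, n, "AUX") || stem_equals(s, n, "NUL"))
        return 1;
    if (n == 4 && s[3] >= '1' && s[3] <= '9')
        return stem_equals(s, 3, "COM") || stem_equals(s, 3, "LPT");
    return 0;
}

/* Validate the whole space-separated index list: only 0-9, A-Z, a-z,
 * ' ' and at most one '.' per name. Returns 1 if acceptable, else 0. */
int index_list_is_safe(const char *list)
{
    const char *p = list;
    int names = 0;
    while (*p) {
        const char *start;
        size_t stem_len = 0;          /* characters before the '.' */
        int dots = 0;
        while (*p == ' ') p++;        /* skip separators */
        if (!*p) break;
        start = p;
        for (; *p && *p != ' '; p++) {
            unsigned char c = (unsigned char)*p;
            if (c == '.') { if (++dots > 1) return 0; }
            else if (c > 127 || !isalnum(c)) return 0;  /* rejects \ / : - ' */
            else if (!dots) stem_len++;
        }
        /* Windows ignores the extension for devices, so test the stem only. */
        if (stem_len == 0 || is_device_stem(start, stem_len)) return 0;
        names++;
    }
    return names > 0;                 /* an empty list is rejected too */
}
```

Because everything outside the allowlist is refused, path separators, drive letters and `..` sequences never need to be recognised individually.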