gnump3d-devel

[Gnump3d-devel] Better security for subdirectories


From: Ross Palmer Mohn
Subject: [Gnump3d-devel] Better security for subdirectories
Date: Thu, 01 Apr 2004 21:01:20 -0500

Hi,
I posted this on the old forums, but it doesn't seem to have been
incorporated into 2.7. Probably I gave a diff from a much older version
of gnump3d2. Anyway, here's a contextual diff from the 2.7 released
code.

Problem: In the current code, if someone points their web browser
directly at a subdirectory rather than the root they can bypass the
.password security and browse those files.

Solution: You could solve this by putting a .password file in every
subdirectory, but that would become quite difficult to manage. Instead,
adding these 5 lines of code will force the password checker to climb
the tree all the way up to the root looking for a .password file to use.
You can do things like have different passwords for different branches
of your directory tree, etc. Still doesn't stop someone from bypassing
security by typing in the exact address of a song, but it does stop them
from browsing.

# diff --context gnump3d2 gnump3d2.001
*** gnump3d2            Thu Mar 25 13:49:02 2004
--- gnump3d2.001        Thu Apr  1 20:41:18 2004
***************
*** 2761,2766 ****
--- 2761,2768 ----
   
      $directory = $ROOT . "/" . $directory;
   
+   while ( $directory ne $ROOT )
+   {
      $DEBUG && print "Testing for directory: $directory\n";
   
      if ( -e  $directory . "/.password" )
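
Review bot: the loop condition `while ( $directory ne $ROOT )` means the body never runs with $directory equal to $ROOT, so once the climb reaches the top, the `-e $directory . "/.password"` test is skipped for $ROOT itself. A single .password file at the top of the tree would then not be found for requests that start in a subdirectory. Consider testing the current directory first and leaving the loop only after $ROOT has been tested, for example with `last if $directory eq $ROOT;` just before the path is trimmed.
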
***************
*** 2840,2850 ****
--- 2842,2855 ----
            close( $data );
   
        }
+       return;
      }
      else
      {
        $DEBUG && print "No password file found.\n";
+       $directory =~ s/\/[^\/]*$//;
      }
+   }
   
      # Redundent
      return;
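
Review bot: `$directory =~ s/\/[^\/]*$//;` in the else branch trims the path as a string, so a trailing or doubled slash in $directory costs an extra iteration that re-tests the same directory, and leaving the loop depends on the trimmed string matching $ROOT character for character. Normalizing $directory and $ROOT once before the loop would make both the termination and the set of directories tested easier to reason about. The final `return;` under `# Redundent` is now the path taken when no .password file is found anywhere on the climb, so that comment should be updated.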

Cheers! -RPM
--
Ross Palmer Mohn
address@hidden
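
The lookup described in the message, written as a stand-alone added example; it is not gnump3d code and not part of the original post. The helper name `find_password_file`, the use of `Cwd::abs_path` to normalize the request, and the sample tree are assumptions made for illustration, and the root is assumed not to be `/`. Unlike a loop that stops on reaching the root, this version also tests the root directory itself.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Cwd qw(abs_path);
use File::Basename qw(dirname);
use File::Path qw(make_path);
use File::Temp qw(tempdir);

# find_password_file() is a hypothetical helper, not a gnump3d function.
# Returns the nearest .password at or above the requested directory, or
# undef when none exists up to and including $root. Dies when the request
# does not resolve to a directory inside $root.
sub find_password_file {
    my ( $root, $requested ) = @_;

    my $top = abs_path($root);
    my $dir = abs_path("$root/$requested");
    die "cannot resolve request\n" unless defined $top && defined $dir;
    die "request is outside the root\n"
      unless $dir eq $top || index( $dir, "$top/" ) == 0;

    while (1) {
        my $candidate = "$dir/.password";
        return $candidate if -e $candidate;
        last if $dir eq $top;    # the root itself has been tested
        $dir = dirname($dir);
    }
    return;
}

# Constructed sample tree: one password at the root, another for rock/.
my $root = tempdir( CLEANUP => 1 );
make_path( "$root/rock/live", "$root/jazz/trio" );
for my $file ( "$root/.password", "$root/rock/.password" ) {
    open( my $fh, '>', $file ) or die "open $file: $!";
    print {$fh} "constructed sample\n";
    close($fh);
}

# Requests with an empty path, a trailing slash and an un-normalized path.
for my $request ( '', 'jazz/trio', 'rock/live/', 'rock/../jazz' ) {
    my $found = find_password_file( $root, $request );
    printf "%-14s -> %s\n", "'$request'", $found // 'no .password found';
}
```

The `jazz/trio` and `rock/../jazz` requests resolve to the root's .password file, while `rock/live/` picks up the one in `rock/`, which is the per-branch behaviour the message describes.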





