Writing Secure Code is not secure?
June 29, 2010
Consider the following code snippet, which checks that the file name extension is in a list of allowed extensions:
using System.Text.RegularExpressions;
…
static bool IsOKExtension(string Filename) {
    Regex r =
        new Regex(@"txt|rtf|gif|jpg|bmp$",
                  RegexOptions.IgnoreCase);
    return r.Match(Filename).Success;
}
Is this code correct? I tried:
public static void Main()
{
    Console.WriteLine(IsOKExtension("txt")); // true
    Console.WriteLine(IsOKExtension("bmp")); // true
    Console.WriteLine(IsOKExtension("txtabc")); // true
    Console.WriteLine(IsOKExtension("yellowdog")); // false
}
What a pity… Huh, maybe the code is corrected in a future release of the book. Anyway, I'm not saying it's a bad book.
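
Why the pattern accepts "txtabc", as an added example that is not code from the book or from the original post: alternation binds more loosely than `$`, so only `bmp` is anchored to the end, and nothing in the pattern requires a dot. The class name, the two replacement checks and the sample file names below are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Text.RegularExpressions;

static class ExtensionCheck
{
    // Pattern from the post: '|' has the lowest precedence, so '$' applies
    // only to "bmp"; txt, rtf, gif and jpg match anywhere in the string.
    static readonly Regex Original =
        new Regex(@"txt|rtf|gif|jpg|bmp$", RegexOptions.IgnoreCase);

    // Anchored form: literal dot, grouped alternation, then end of input.
    // \z is used instead of $ because $ also matches before a trailing "\n".
    static readonly Regex Anchored =
        new Regex(@"\.(?:txt|rtf|gif|jpg|bmp)\z", RegexOptions.IgnoreCase);

    // Allow-list without a regex: compare the parsed extension exactly.
    static readonly HashSet<string> Allowed = new HashSet<string>(
        new[] { ".txt", ".rtf", ".gif", ".jpg", ".bmp" },
        StringComparer.OrdinalIgnoreCase);

    static bool IsOKExtensionSet(string filename)
    {
        // Path.GetExtension returns "" when the name has no extension.
        return Allowed.Contains(Path.GetExtension(filename));
    }

    static void Main()
    {
        // Constructed sample names (assumptions, not taken from the book).
        string[] samples =
        {
            "notes.txt", "photo.BMP", "txtabc", "report.txt.exe", "yellowdog"
        };

        foreach (string s in samples)
        {
            Console.WriteLine("{0,-16} original={1,-5} anchored={2,-5} set={3}",
                s, Original.IsMatch(s), Anchored.IsMatch(s), IsOKExtensionSet(s));
        }
    }
}
```

An extension check of this kind only constrains the name; it says nothing about the file's content, so it should sit alongside whatever content validation the application performs.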