Bug 19603 - Path.GetFullPath returns the full path for URI
Status: RESOLVED INVALID
Alias: None
Product: Class Libraries
Classification: Mono
Component: mscorlib ()
Version: unspecified
Hardware: PC All
: --- normal
Target Milestone: Untriaged
Assignee: Bugzilla
 
Reported: 2014-05-07 17:29 UTC by Masato Kunita
Modified: 2014-05-23 10:19 UTC



Description Masato Kunita 2014-05-07 17:29:52 UTC
When the URI (e.g. "http://test.com") is passed to Path.GetFullPath, there is a different behavior between Mono and .NET Framework.

In Mono, Path.GetFullPath returns the full path, such as "/home/user/http://test.com".
In .NET, it raises ArgumentException with a message "URI formats are not supported".

If an invalid URI is passed to WebClient.DownloadString(string), it attempts to download the local resource. This also happens for any methods which call CreateUri(string) internally, such as DownloadFile(string), OpenRead, etc.
I think this behavior can be a security issue.

reproduce:
var wc = new System.Net.WebClient();
Console.WriteLine(wc.DownloadString("http://../../../etc/passwd"));

If you run the code above in "/home/user/", the program will show the content of your "/etc/passwd" file; if not, DownloadString will raise an exception that means the file was not found.

In .NET Framework,
Comment 1 Masato Kunita 2014-05-07 17:41:38 UTC
I submitted an incomplete report. Sorry for my mistake. Here is the complete report:

When the URI (e.g. "http://test.com") is passed to Path.GetFullPath, there is a
different behavior between Mono and .NET Framework.

Console.WriteLine(System.IO.Path.GetFullPath("http://test.com"));

will show:
* In Mono, /home/user/http://test.com (this result will differ. It depends on the working directory)
* In .NET, it raises ArgumentException with a message "URI formats are not
supported".

This can be a security issue, as described below:

If an invalid URI is passed to WebClient.DownloadString(string), it attempts to
download the local resource. This also happens for any methods which call
CreateUri(string) internally, such as DownloadFile(string), OpenRead, etc.
This happens because CreateUri(string) uses Path.GetFullPath, and it returns the full path for the invalid URI.

reproduce:
var wc = new System.Net.WebClient();
Console.WriteLine(wc.DownloadString("http://../../../etc/passwd"));

If you run the code above in "/home/user/", the program will show the content
of your "/etc/passwd" file; if not, DownloadString will raise an exception that
means the file was not found.
Comment 2 Miguel de Icaza [MSFT] 2014-05-23 10:19:30 UTC
That is because "http://test.com" is a valid filename in Unix.

This is really a problem with .NET that was designed with little thinking about Unix.  So you need to cope with that in your code.
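
A caller-side guard for the behaviour discussed in this report, added here as an example; it is not part of the original thread or of Mono's code. The class and method names are hypothetical. It accepts only absolute http/https URIs and hands WebClient an already-parsed Uri instead of a string.

```csharp
using System;
using System.Net;

// Hypothetical helper (assumption, not a Mono or .NET API).
static class HttpOnlyDownloader
{
    // Returns true only for an absolute URI whose scheme is http or https
    // and whose host component is non-empty.
    public static bool TryGetHttpUri(string address, out Uri uri)
    {
        uri = null;
        Uri parsed;
        if (string.IsNullOrWhiteSpace(address) ||
            !Uri.TryCreate(address, UriKind.Absolute, out parsed))
            return false;

        // Check the scheme explicitly: a string that parses as an absolute
        // URI can still be a file URI that points at a local path.
        if (parsed.Scheme != Uri.UriSchemeHttp &&
            parsed.Scheme != Uri.UriSchemeHttps)
            return false;

        if (string.IsNullOrEmpty(parsed.Host))
            return false;

        uri = parsed;
        return true;
    }

    // Validates first, then uses the DownloadString(Uri) overload rather
    // than the DownloadString(string) overload the report describes.
    public static string DownloadString(string address)
    {
        Uri uri;
        if (!TryGetHttpUri(address, out uri))
            throw new ArgumentException("Not an absolute http/https URI.", "address");
        using (var wc = new WebClient())
            return wc.DownloadString(uri);
    }

    static void Main()
    {
        // Constructed sample inputs; the second is the string from the report.
        string[] samples = { "http://test.com", "http://../../../etc/passwd",
                             "/etc/passwd", "file:///etc/passwd" };
        foreach (var s in samples)
        {
            Uri u;
            Console.WriteLine("{0} -> {1}", s,
                TryGetHttpUri(s, out u) ? "accepted" : "rejected");
        }
    }
}
```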