0

I am writing a simple Mail Server-Client App which is taking a users input for a receiver, a subject line and a message. To store the message, there is a directory in which a subdirectory is being created for every user that receives a message and in the folder each message is being stored with the message index + subject line. e.g. User Bob receives a message with the subject "Hello World", inside the mailspoooler directory a subdirectory with Bob's name is being created and inside the subdirectory a file called '1. Hello World'. The problem with that is, that a user can now enter a path into the subject line and store the information of his message somewhere else, where it's not intended. Is there a way to ecsape the input if someone were to enter a path? Down below you have the code of the function that creates the files. The vector msg is each line of the user input saved and msg[1] is always the subject line

void send(fs::path mailspooler, char* buffer, std::vector<std::string> msg, fs::path current, std::string user){
   //switching to mailspooler directory//
   try{
      fs::current_path(mailspooler);
   }
   catch(...){
      std::cerr << "An error occured with the filesystem" << std::endl;
      strcat(buffer, "ERR");
   }
   //creates subfolder in directory with name of receiver//
   fs::create_directory(msg.at(0));

   //changing to users directory
   try{
      fs::current_path(mailspooler.string() + "/"  + user);
   }
   catch(...){
      std::cerr << "An error occured with the filesystem" << std::endl;
   }

   int index = std::distance(fs::directory_iterator(fs::current_path()), {});  // checks to see how many files are already in directory

   //create file
   std::ofstream user_msg(std::to_string(index + 1) + ". " + msg.at(1));

   user_msg << "Sender: " << user << std::endl << "Subject: " << msg.at(1) << std::endl << "Message: " << std::endl;
   for(unsigned int i = 2; i<msg.size(); i++)
      user_msg << msg.at(i) << std::endl;           //writing every single line from the message into file
   user_msg.close();

   //changing back to base directory
   try{
      fs::current_path(current);
      strcat(buffer, "OK");
   }
   catch(...){
      std::cerr << "An error has occured with the filesystem" << std::endl;
      strcat(buffer, "ERR");
   }
      
}
Improve this question
3
  • 1
    Well, you can always implement some logic that replaces all slashes and periods with something else. There is no magic button, somewhere in the C++ library, that once pushed will do it for you, somehow. You have to write all the logic to implement this; and the exact details are entirely up to you, and your imagination. Commented Nov 22, 2022 at 15:50
  • The only character that has special meaning in filenames is /. Just replace that with some other character. Commented Nov 22, 2022 at 15:51
  • 4
    A better solution is to NOT use the user input as the filename. Use a database to hold the mapping between input values and filenames. Commented Nov 22, 2022 at 15:52
Related questions
10
How to safely escape a string from C++
0
Printing escape character
6
C++: How to escape user input for safe system calls?
Load 7 more related questions Show fewer related questions

0

Reset to default

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.