Casaba Security » CSIDL http://www.casaba.com/blog Building and breaking software and robots Wed, 11 Jan 2012 18:08:45 +0000 en hourly 1 http://wordpress.org/?v=3.3.1 CSIDL – Shell constants, enumerations, and flags http://www.casaba.com/blog/2006/12/csidl-shell-constants-enumerations-and-flags/ http://www.casaba.com/blog/2006/12/csidl-shell-constants-enumerations-and-flags/#comments Tue, 26 Dec 2006 08:00:00 +0000 Chris Weber I worked on an application which had a couple of requirements:

  1. Allow users access to their local drive content within a defined scope (e.g. either the entire drive, or the My Documents folder only)
  2. Prevent users from accessing files outside of the defined scope. So they shouldn’t be able to access network drives, USB keys, etc.

To acheive this, the shell constants were used, as defined in the Windows SDK.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/shellcc/platform/shell/reference/enums/csidl.asp

This worked well, and after we looked at the code we actually ran a battery of tests to confirm. So for example we tried the following types of canonicalizations:

  • \\host\share\file
  • \\?\folder\file
  • \\10.10.10.10\share\file
  • \\.\folder\file

We kept going, and tried breaking out of the local scope as well:

  • ..\..\..\..\boot.ini
  • ../../../../boot.ini
  • ..%2fboot.ini

And all that sort of stuff. Using the CSIDL constants proved successful, and we could see this through debugging. Everything we entered was merely relative to the constant value, there was no way to change it.

]]> http://www.casaba.com/blog/2006/12/csidl-shell-constants-enumerations-and-flags/feed/ 0