外部输入的参数不能直接作为文件路径,防止被恶意攻击,比如构造一个跨目录限制的文件路径../../../etc/passwd或../../boot.ini,或构造一个指向系统关键文件的链接文件symlink("/etc/shadow","tmp/log")。PS "./"表示当前目录,可以不写,"../"表示当前目录的上一级目录,即当前目录的父目录。windows可以用PathCanonicalize检查文件目录是否标准。
Simplifies a path by removing navigation elements such as "." and ".." to produce a direct, well-formed path.
Note Misuse of this function can lead to a buffer overrun. We recommend the use of the safer PathCchCanonicalize or PathCchCanonicalizeEx function in its place.
C++复制
BOOL PathCanonicalizeA(
LPSTR pszBuf,
LPCSTR pszPath
);
pszBuf
Type: LPTSTR
A pointer to a string that receives the canonicalized path. You must set the size of this buffer to MAX_PATH to ensure that it is large enough to hold the returned string.
pszPath
Type: LPCTSTR
A pointer to a null-terminated string of maximum length MAX_PATH that contains the path to be canonicalized.
Type: BOOL
Returns TRUE if a result has been computed and the content of the lpszDst output buffer is valid. Returns FALSE otherwise, and the contents of the buffer pointed to by lpszDst are invalid. To get extended error information, call GetLastError.
This function allows the user to specify what to remove from a path by inserting special character sequences into the path. The ".." sequence indicates to remove a path segment from the current position to the previous path segment. The "." sequence indicates to skip over the next path segment to the following path segment. The root segment of the path cannot be removed.
If there are more ".." sequences than there are path segments, the function returns TRUE and contents of the buffer pointed to by lpszDst contains just the root, "".
| Minimum supported client | Windows 2000 Professional, Windows XP [desktop apps only] |
| Minimum supported server | Windows 2000 Server [desktop apps only] |
| Target Platform | Windows |
| Header | shlwapi.h |
| Library | Shlwapi.lib |
| DLL | Shlwapi.dll (version 4.71 or later) |
eg:
// Pathcanonicalize.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include "Shlwapi.h"
#include "Pathcanonicalize.h"
#ifdef _DEBUG
#define new DEBUG_NEW
#undef THIS_FILE
static char THIS_FILE[] = __FILE__;
#endif
/
// The one and only application object
CWinApp theApp;
using namespace std;
int _tmain(int argc, TCHAR* argv[], TCHAR* envp[])
{
int nRetCode = 0;
// initialize MFC and print and error on failure
if (!AfxWinInit(::GetModuleHandle(NULL), NULL, ::GetCommandLine(), 0))
{
// TODO: change error code to suit your needs
cerr << _T("Fatal Error: MFC initialization failed") << endl;
nRetCode = 1;
}
else
{
// TODO: code your application's behavior here.
char caPath[256];
CString csFullPath;
CString csPath;
CString csStandarPath;
memset(caPath,0,sizeof(caPath));
GetModuleFileName(NULL,caPath,256);
csFullPath.Format("%s",caPath);
cout << "csFullPath: " << (LPCTSTR)csFullPath << endl;
int iResult = PathCanonicalize(caPath,csFullPath);
csStandarPath.Format("%s",caPath);
cout << "csStandarPath: " << (LPCTSTR)csStandarPath << endl;
cout << iResult << endl;
CString csStandarPath1;
char buffer[] = "F:\\VC6.0...\\练习.\\CJS\\..";
char *lpStr;
lpStr = buffer;
iResult = PathCanonicalize(caPath,lpStr);
csStandarPath1.Format("%s",caPath);
cout << "csStandarPath1: " << (LPCTSTR)csStandarPath1 << endl;
cout << iResult << endl;
}
return nRetCode;
}
