Join GitHub today
Task terminated with unhandled exception: Invalid path entry #1630
Task terminated with unhandled exception: Invalid path entry: H:\Own files\Eigene Dokumente\Travel\160704_Ihla.docx
We get these sometimes. It seems like some browser or someone malicious is passing some oddly formatted string as the file name, which vibe fails to parse. This is an assert in the PathEntry ctor.
Unfortunately, I have no idea what the full path passed is nor do I have a callstack, but I assume it's being called from splitPath()
I think sanitation should happen before hand, and errors should be gracefully dealt with in this case. I could then handle bad paths on my application code, but as it is, I have no chance of doing so.
@s-ludwig any chance of a quick fix? anything will work, but killing the event loop with an assert makes this an easy DoS channel
I'll have a look at this. It's probably okay (necessary anyway) to relax the rules a bit. The new
However, in this case the right thing to do would be to parse this as a Windows path, whereas it will currently be parsed as a system native path. So to maybe find a higher level solution, do you know where the path originates from? A form upload? vibe-core defines and uses a new
In addition to converting the assertion to an exception, the form upload code could then also attempt to sanitize the file name, of course.
added a commit
Mar 23, 2017
Hello, hopefully this helps: I just observed this on one of my vibe.d-based servers:
This seems to be related to an Apache Struts2 exploit: rapid7/metasploit-framework#8064