commons-issues mailing list archives

From "Stefan Bodewig (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (IO-559) FilenameUtils.normalize should verify hostname syntax in UNC path
Date Wed, 16 May 2018 06:16:00 GMT

    [ https://issues.apache.org/jira/browse/IO-559?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16476898#comment-16476898 ]

Stefan Bodewig commented on IO-559:
-----------------------------------

I don't know why Black Duck considers this a vulnerability; I can only guess it is because
of IO-556, which is strongly related to this issue here.

Back when we discussed IO-556 the POV of the Commons community was that people who create
files based on file names provided by untrusted sources are responsible for validating that the
files they create end up in the location they intend. I.e. they must expect {{normalizePath}}
to return an absolute path or a UNC path and need to check the generated path of the file they
are going to write themselves.

That being said I'll push for peer review of my pull request (this is my first contribution
to the IO component) and hope we can get a new release on the way.

> FilenameUtils.normalize should verify hostname syntax in UNC path
> -----------------------------------------------------------------
>
>                 Key: IO-559
>                 URL: https://issues.apache.org/jira/browse/IO-559
>             Project: Commons IO
>          Issue Type: Bug
>          Components: Utilities
>    Affects Versions: 2.6
>            Reporter: Stefan Bodewig
>            Priority: Major
>
> {{FilenameUtils.normalize}} will accept broken file names as a UNC path even if their hostname
> part doesn't match the syntax of a proper hostname. Using certain hostnames like "." this
> may lead to strange side effects.
> Most likely the best fix will be to make {{getPrefixLength}} verify the hostname part
> of a suspected UNC path and return a value of {{NOT_FOUND}} if it is not a valid hostname
> - much like it does for triple slashes.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
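The caller-side check the comment above asks for, as an added example that is not code from the issue, the pull request or Commons IO itself: an untrusted name is passed through FilenameUtils.normalize, any result that still carries a prefix (drive letter, leading slash, or a UNC prefix such as the "//./" that "." produces) is rejected, and the resolved path is confirmed to stay under the intended base directory. hasValidUncHost shows the kind of hostname-syntax test the description proposes for getPrefixLength; its regex is a constructed approximation of hostname label syntax, not the library's check, and resolveUnderBase assumes baseDir already exists.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.util.regex.Pattern;
import org.apache.commons.io.FilenameUtils;

public final class SafeFileName {
    // Constructed approximation of hostname syntax: dot-separated labels of letters,
    // digits and hyphens. "." and "" do not match, so "//./" is not accepted as UNC.
    private static final Pattern HOSTNAME = Pattern.compile(
        "^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\\.)*"
        + "[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$");

    /** True only if the prefix normalize() recognised is a UNC prefix with a well-formed host. */
    static boolean hasValidUncHost(String normalized) {
        String prefix = FilenameUtils.getPrefix(normalized); // e.g. "//server/" or "\\\\server\\"
        if (prefix == null || prefix.length() < 4) {
            return false;
        }
        if (!(prefix.startsWith("//") || prefix.startsWith("\\\\"))) {
            return false;
        }
        String host = prefix.substring(2, prefix.length() - 1); // strip "//" and trailing separator
        return HOSTNAME.matcher(host).matches();
    }

    /**
     * Resolve an untrusted file name under baseDir. Rejects names normalize() cannot handle,
     * names that normalize to an absolute or UNC path, and names that escape baseDir.
     */
    static Path resolveUnderBase(Path baseDir, String untrusted) throws IOException {
        String normalized = FilenameUtils.normalize(untrusted);
        if (normalized == null) {
            // e.g. "../x": normalize() returns null when ".." climbs above the start
            throw new IllegalArgumentException("invalid path: " + untrusted);
        }
        // Any prefix at all means the caller did not get back a relative name.
        if (FilenameUtils.getPrefixLength(normalized) != 0) {
            throw new IllegalArgumentException("absolute or UNC path rejected: " + normalized);
        }
        Path base = baseDir.toRealPath();                      // assumes baseDir exists
        Path target = base.resolve(normalized).normalize();    // lexical containment check
        if (!target.startsWith(base)) {
            throw new IllegalArgumentException("escapes base directory: " + normalized);
        }
        return target;
    }
}
```

With this in place a name such as "//./foo" is rejected by the prefix check before any file is created, instead of relying on normalize() to refuse the malformed hostname.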
