struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Dale Newfield <D...@Newfield.org>
Subject Re: [S2] Parameterized File Downloading
Date Wed, 01 Aug 2007 04:25:06 GMT
Grish wrote:
> Hmmm good point. So does this mean that the only secure way of having
> downloads is to have specific actions for each download? Or is there a
> better approach?

I don't claim to know what the best approach is.  As long as your action 
does sufficient validation of the specified input path (like checking 
against a whitelist, or only allowing from certain directories (check 
for ".." path segments!)), your approach may be OK.  I tend to have a 
separate action for each "category" of stuff downloaded from my app 
(along with category-specific validation).  Since I don't know your 
requirements, I cannot know that that is applicable for you.

-Dale

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


Mime
View raw message