tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Konstantin Preißer <>
Subject RE: Servlet 3.0 File Upload
Date Sat, 03 Sep 2011 17:40:00 GMT

> -----Original Message-----
> From: [] On Behalf Of chris
> derham
> Sent: Saturday, September 03, 2011 6:51 PM
> To: Tomcat Users List
> Subject: Re: Servlet 3.0 File Upload
> Letting the remote user control the name of the file that is written to
> disk
> exposes a potential security risk. Due to bad configuration, the posted
> name
> may allow the caller to save arbitrary files anywhere they wish. The
> server
> should generate the name that is used to save the file to remove this
> risk
> Chris

Yes, the user could supply a name like "../../badfile.exe" (even in the "Content-Disposition"
header) to inject a file anywhere in the file system. Of course, one shouldn't use the supplied
filename to save the file on the server. I usually make a DB entry with the supplied filename
stored in a text field, and use the ID of the entry to generate a filename where the actual
file contents are stored. The supplied filename is then only for displaying purposes.


Konstantin Preißer

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message