tomcat-users mailing list archives

From Konstantin Preißer <verlag.preis...@t-online.de>
Subject RE: Servlet 3.0 File Upload
Date Sat, 03 Sep 2011 17:40:00 GMT
Hi,

> -----Original Message-----
> From: cjderham@gmail.com [mailto:cjderham@gmail.com] On Behalf Of chris
> derham
> Sent: Saturday, September 03, 2011 6:51 PM
> To: Tomcat Users List
> Subject: Re: Servlet 3.0 File Upload
> 
> 
> Letting the remote user control the name of the file that is written to
> disk exposes a potential security risk. Due to bad configuration, the posted
> name may allow the caller to save arbitrary files anywhere they wish. The
> server should generate the name that is used to save the file to remove this
> risk.
> 
> Chris

Yes, the user could supply a name like "../../badfile.exe" (even in the "Content-Disposition"
header) to inject a file anywhere in the file system. Of course, one shouldn't use the supplied
filename to save the file on the server. I usually make a DB entry with the supplied filename
stored in a text field, and use the ID of the entry to generate a filename where the actual
file contents are stored. The supplied filename is then used only for display purposes.


Regards,

Konstantin Preißer
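The pattern both posters describe, as an added example that is not code from either message or from Tomcat: a Servlet 3.0 upload servlet that parses the client's filename out of the Content-Disposition header (Servlet 3.0 has no Part.getSubmittedFileName(); that arrived in 3.1), never uses it in the on-disk path, names the stored file with a server-generated id, and keeps the submitted name only as display metadata. The upload root /var/app/uploads, the servlet mapping /upload, the form field name "file", and the in-memory map standing in for the DB table are assumptions made for the example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

import javax.servlet.ServletException;
import javax.servlet.annotation.MultipartConfig;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.Part;

@WebServlet("/upload")                              // assumed mapping
@MultipartConfig(maxFileSize = 10 * 1024 * 1024)    // assumed size cap
public class SafeUploadServlet extends HttpServlet {

    // Assumed upload root; a real deployment reads this from configuration.
    private static final Path UPLOAD_ROOT = Paths.get("/var/app/uploads");

    // Stand-in for the DB table the mail describes: generated id -> client-supplied name.
    private static final ConcurrentMap<String, String> DISPLAY_NAMES = new ConcurrentHashMap<>();

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Part part = req.getPart("file");            // assumed form field name
        if (part == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "missing part");
            return;
        }

        // What the client sent, parsed the way a Servlet 3.0 app has to do it.
        String submitted = submittedFileName(part);

        // The submitted name never reaches the path: a fresh random id names the file.
        String id = UUID.randomUUID().toString();
        Path target = UPLOAD_ROOT.resolve(id).normalize();
        if (!target.startsWith(UPLOAD_ROOT)) {      // defence in depth; cannot fire for a UUID
            throw new ServletException("refusing to write outside upload root");
        }
        Files.createDirectories(UPLOAD_ROOT);
        try (InputStream in = part.getInputStream()) {
            Files.copy(in, target, StandardCopyOption.REPLACE_EXISTING);
        }
        DISPLAY_NAMES.put(id, displayName(submitted));   // original name kept only as metadata

        resp.setContentType("text/plain");
        resp.getWriter().println(id);
    }

    /** Reads filename="..." out of the part's Content-Disposition header; null if absent. */
    static String submittedFileName(Part part) {
        String cd = part.getHeader("content-disposition");
        if (cd == null) return null;
        // Simple split is enough here because the value is never trusted for anything
        // beyond display; a quoted ';' inside the name only yields a truncated label.
        for (String token : cd.split(";")) {
            token = token.trim();
            if (token.startsWith("filename=")) {
                String value = token.substring("filename=".length()).trim();
                if (value.length() >= 2 && value.startsWith("\"") && value.endsWith("\"")) {
                    value = value.substring(1, value.length() - 1);
                }
                return value;
            }
        }
        return null;
    }

    /** Reduces the client-supplied name to something safe to store and show back to users. */
    static String displayName(String submitted) {
        if (submitted == null || submitted.isEmpty()) return "unnamed";
        // Keep only the last path segment ("../../badfile.exe" -> "badfile.exe"),
        // treating both '/' and '\' as separators ...
        String base = submitted.substring(
                Math.max(submitted.lastIndexOf('/'), submitted.lastIndexOf('\\')) + 1);
        // ... and replace anything outside a conservative character whitelist.
        String cleaned = base.replaceAll("[^A-Za-z0-9._-]", "_");
        if (cleaned.isEmpty() || cleaned.equals(".") || cleaned.equals("..")) return "unnamed";
        return cleaned.length() > 255 ? cleaned.substring(0, 255) : cleaned;
    }
}
```

The startsWith check on the resolved path is redundant for a UUID-named file, but it is cheap and protects the servlet if someone later changes the naming scheme to something derived from user input. Sanitising the display name matters as well: a stored name like "../../badfile.exe" is harmless in a text column, but it is still attacker-controlled data and should not reach a page or a download header unescaped.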

