tomcat-users mailing list archives

From chris derham <ch...@derham.me.uk>
Subject Re: Servlet 3.0 File Upload
Date Sat, 03 Sep 2011 16:50:30 GMT
> > You need to add a line in your form:
> > <input type="text" name="filename" />
> >
> > Then in your servlet GetPost() method you put this filename in a
> > variable:
> > String filename;
> > filename = req.getParameter("filename");
> >
> > Then instead of part.write("samplefile");
> > do:
> > part.write(filename);
>

Letting the remote user control the name of the file that is written to disk
exposes a potential security risk. Due to bad configuration, the posted name
may allow the caller to save arbitrary files anywhere they wish. The server
should generate the name that is used to save the file to remove this risk.

Chris
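
One way to apply the advice above in a Servlet 3.0 servlet, as an added example that is not part of the original thread or of Tomcat itself: the server generates the stored file name, uses the client-supplied name only to pick an allow-listed extension, and verifies that the resolved path still lies under the upload directory before writing. The servlet path, upload directory, size cap and extension allow-list are assumptions; Java 9 or later is assumed for `Set.of`.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Set;
import java.util.UUID;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import javax.servlet.ServletException;
import javax.servlet.annotation.MultipartConfig;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.Part;

// Hypothetical upload servlet (added example, not code from the thread).
@WebServlet("/upload")
@MultipartConfig(maxFileSize = 10L * 1024 * 1024) // assumed 10 MiB cap per part
public class SafeUploadServlet extends HttpServlet {

    // Assumed upload directory, kept outside the webapp so stored files are never served as code.
    private static final Path UPLOAD_DIR = Paths.get("/var/app/uploads");

    // Assumed allow-list; anything else is stored with a neutral ".bin" extension.
    private static final Set<String> ALLOWED_EXT = Set.of("png", "jpg", "pdf", "txt");

    // Matches the filename token in: form-data; name="file"; filename="report.pdf"
    private static final Pattern FILENAME = Pattern.compile("filename=\"([^\"]*)\"");

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Part part = req.getPart("file");
        if (part == null || part.getSize() == 0) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "no file uploaded");
            return;
        }

        // The client-supplied name is used only to choose an extension, never as a path.
        String submitted = submittedFileName(part);
        String serverName = UUID.randomUUID() + "." + safeExtension(submitted);

        // Defense in depth: even the generated name must resolve inside UPLOAD_DIR.
        Path target = UPLOAD_DIR.resolve(serverName).normalize();
        if (!target.startsWith(UPLOAD_DIR)) {
            throw new ServletException("resolved path escaped the upload directory");
        }

        Files.createDirectories(UPLOAD_DIR);
        // Stream the bytes to the server-chosen path instead of calling part.write(userName).
        try (InputStream in = part.getInputStream()) {
            Files.copy(in, target);
        }
        part.delete(); // discard the temporary copy the container kept for the part

        resp.setContentType("text/plain");
        resp.getWriter().println("stored as " + serverName);
    }

    // Servlet 3.0 has no Part.getSubmittedFileName() (it arrived in 3.1),
    // so the name is read from the part's Content-Disposition header.
    static String submittedFileName(Part part) {
        String cd = part.getHeader("content-disposition");
        if (cd == null) {
            return "";
        }
        Matcher m = FILENAME.matcher(cd);
        return m.find() ? m.group(1) : "";
    }

    // Drop any directory components (either separator style), then lower-case
    // the extension and check it against the allow-list.
    static String safeExtension(String submitted) {
        int sep = Math.max(submitted.lastIndexOf('/'), submitted.lastIndexOf('\\'));
        String base = submitted.substring(sep + 1);
        int dot = base.lastIndexOf('.');
        if (dot < 0 || dot == base.length() - 1) {
            return "bin";
        }
        String ext = base.substring(dot + 1).toLowerCase();
        return ALLOWED_EXT.contains(ext) ? ext : "bin";
    }
}
```

If the original submitted name has to be remembered (for display or download), store it as data alongside the generated name, for instance in a database column, rather than letting it influence where the bytes land on disk.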
