Hi,
> -----Original Message-----
> From: cjderham@gmail.com [mailto:cjderham@gmail.com] On Behalf Of chris
> derham
> Sent: Saturday, September 03, 2011 6:51 PM
> To: Tomcat Users List
> Subject: Re: Servlet 3.0 File Upload
>
>
> Letting the remote user control the name of the file that is written to
> disk
> exposes a potential security risk. Due to bad configuration, the posted
> name
> may allow the caller to save arbitrary files anywhere they wish. The
> server
> should generate the name that is used to save the file to remove this
> risk
>
> Chris
Yes, the user could supply a name like "../../badfile.exe" (even in the "Content-Disposition"
header) to inject a file anywhere in the file system. Of course, one shouldn't use the supplied
filename to save the file on the server. I usually make a DB entry with the supplied filename
stored in a text field, and use the ID of the entry to generate a filename where the actual
file contents are stored. The supplied filename is then only for displaying purposes.
Regards,
Konstantin Preißer
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
|