• Open Menu Close Menu
  • Apple
  • Shopping Bag
  • Apple
  • Mac
  • iPad
  • iPhone
  • Watch
  • TV
  • Music
  • Support
  • Search apple.com
  • Shopping Bag

Lists

Open Menu Close Menu
  • Terms and Conditions
  • Lists hosted on this site
  • Email the Postmaster
  • Tips for posting to public mailing lists
Re: ERXFileUtilities rendering file name's type extension unusable
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: ERXFileUtilities rendering file name's type extension unusable

  • Subject: Re: ERXFileUtilities rendering file name's type extension unusable
  • From: Ralf Schuchardt <email@hidden>
  • Date: Sun, 23 Jul 2017 11:12:45 +0200
Hi,

I think the separator search has to match the platform running the app (and you
may better use then a File object), or be much stricter and search always for
all separators. For example suppose you are running on a Unix and get the
following path:

 \/etc/passwd

Now your file name is /etc/passwd.

Ralf

Am 21. Juli 2017 um 20:30:01, Fabian Peters (email@hidden) schrieb:

Hi all,

This is a bit of a quiz question. The method pasted below replaces any two dots
("..") in a file name with a single underscore ("_"). If the user uploads a
file named "Test..doc", it ends up as "Test_doc". Which is less than ideal
because often one wants to get some idea about the file type by looking at the
extension.

Apparently Mike's (it's his code) intent was security-related. Can anyone come
up with a potential vulnerability beyond the case of a file named ".."? (Which
could theoretically lead to a file being written to the parent directory of the
destination, though I haven't been able to actually do this.)

cheers, Fabian

/**
* Returns the file name portion of a browser submitted path.
*
* @param path the full path from the browser
* @return the file name portion
*/
public static String fileNameFromBrowserSubmittedPath(String path) {
String fileName = path;
if (path != null) {
// Windows
int separatorIndex = path.lastIndexOf("\\");
// Unix
if (separatorIndex == -1) {
separatorIndex = path.lastIndexOf("/");
}
// MacOS 9
if (separatorIndex == -1) {
separatorIndex = path.lastIndexOf(":");
}
if (separatorIndex != -1) {
fileName = path.substring(separatorIndex + 1);
}
// ... A tiny security check here ... Just in case.
fileName = fileName.replaceAll("\\.\\.", "_");
}
return fileName;
}

_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:

This email sent to email@hidden
-- 
Ralf Schuchardt
Sent with Airmail
 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:

This email sent to email@hidden
  • Follow-Ups:
    • Re: ERXFileUtilities rendering file name's type extension unusable
      • From: Fabian Peters <email@hidden>
References: 
 >ERXFileUtilities rendering file name's type extension unusable (From: Fabian Peters <email@hidden>)

  • Prev by Date: Re: Migrating to google cloud
  • Next by Date: Re: Migrating to google cloud
  • Previous by thread: ERXFileUtilities rendering file name's type extension unusable
  • Next by thread: Re: ERXFileUtilities rendering file name's type extension unusable
  • Index(es):
    • Date
    • Thread