Re: ERXFileUtilities rendering file name's type extension unusable
- Subject: Re: ERXFileUtilities rendering file name's type extension unusable
- From: Fabian Peters <email@hidden>
- Date: Mon, 24 Jul 2017 10:44:51 +0200
Hi Ralf,
> I think the separator search has to match the platform running the app (and
> you may then be better off using a File object), or be much stricter and always search
> for all separators. For example suppose you are running on a Unix and get the
> following path:
>
> \/etc/passwd
>
> Now your file name is /etc/passwd.
True, you certainly cannot use the output of this method to get a "secure"
filename. I think the intent of this method is just to get the client side file
name, which is why I'm surprised about the "tiny security check". I'd vote for
removing it…
cheers, Fabian
> Ralf
>
> On 21 July 2017 at 20:30:01, Fabian Peters (email@hidden) wrote:
>
>> Hi all,
>>
>> This is a bit of a quiz question. The method pasted below replaces any two
>> dots ("..") in a file name with a single underscore ("_"). If the user
>> uploads a file named "Test..doc", it ends up as "Test_doc". Which is less
>> than ideal because often one wants to get some idea about the file type by
>> looking at the extension.
>>
>> Apparently Mike's (it's his code) intent was security-related. Can anyone
>> come up with a potential vulnerability beyond the case of a file named ".."?
>> (Which could theoretically lead to a file being written to the parent
>> directory of the destination, though I haven't been able to actually do
>> this.)
>>
>> cheers, Fabian
>>
>> /**
>>  * Returns the file name portion of a browser submitted path.
>>  *
>>  * @param path the full path from the browser
>>  * @return the file name portion
>>  */
>> public static String fileNameFromBrowserSubmittedPath(String path) {
>>     String fileName = path;
>>     if (path != null) {
>>         // Windows
>>         int separatorIndex = path.lastIndexOf("\\");
>>         // Unix
>>         if (separatorIndex == -1) {
>>             separatorIndex = path.lastIndexOf("/");
>>         }
>>         // MacOS 9
>>         if (separatorIndex == -1) {
>>             separatorIndex = path.lastIndexOf(":");
>>         }
>>         if (separatorIndex != -1) {
>>             fileName = path.substring(separatorIndex + 1);
>>         }
>>         // ... A tiny security check here ... Just in case.
>>         fileName = fileName.replaceAll("\\.\\.", "_");
>>     }
>>     return fileName;
>> }
>>
> --
> Ralf Schuchardt
> Sent with Airmail
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
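As an added example (not Wonder's code and not Mike's or Fabian's proposal), the following reproduces the method from the thread next to a hypothetical replacement that cuts at the last of any separator, keeps ".." inside a name such as "Test..doc", and rejects the names that only make sense as directory references. It also shows the check that actually matters before writing an upload: resolving the name against the upload directory and verifying the normalized result stays inside it. The class name, the upload directory `/var/app/uploads` and the sample paths are assumptions for the demonstration, and the containment results assume a Unix host, as in Ralf's scenario.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

/** Added example; not code from the Wonder project. */
public class BrowserFileNameExample {

    /** The method under discussion, reproduced from the thread. */
    public static String fileNameFromBrowserSubmittedPath(String path) {
        String fileName = path;
        if (path != null) {
            int separatorIndex = path.lastIndexOf("\\");            // Windows
            if (separatorIndex == -1) {
                separatorIndex = path.lastIndexOf("/");             // Unix
            }
            if (separatorIndex == -1) {
                separatorIndex = path.lastIndexOf(":");             // MacOS 9
            }
            if (separatorIndex != -1) {
                fileName = path.substring(separatorIndex + 1);
            }
            fileName = fileName.replaceAll("\\.\\.", "_");          // the "tiny security check"
        }
        return fileName;
    }

    /**
     * Hypothetical replacement: cut at the last of ANY separator, so a leading
     * backslash cannot shield a later slash (Ralf's "\/etc/passwd"), then refuse
     * the names that are only meaningful as directory references. Two dots inside
     * a name ("Test..doc") are harmless once no separator survives, so the
     * extension is preserved.
     */
    public static String safeFileName(String path) {
        if (path == null) {
            return null;
        }
        int cut = Math.max(path.lastIndexOf('\\'),
                  Math.max(path.lastIndexOf('/'), path.lastIndexOf(':')));
        String name = path.substring(cut + 1);
        if (name.isEmpty() || name.equals(".") || name.equals("..")) {
            throw new IllegalArgumentException("not a usable file name: " + path);
        }
        return name;
    }

    /**
     * Containment check to run right before writing, whatever the name came from:
     * resolve against the upload directory and require that the normalized result
     * is still below it. Path.resolve() returns an absolute argument unchanged, so
     * "/etc/passwd" escapes without any ".." in it at all.
     */
    public static boolean staysInside(Path uploadDir, String fileName) {
        Path base = uploadDir.toAbsolutePath().normalize();
        Path target = base.resolve(fileName).normalize();
        return target.startsWith(base) && !target.equals(base);
    }

    public static void main(String[] args) {
        Path uploadDir = Paths.get("/var/app/uploads");   // assumed upload directory
        String[] submitted = {                            // constructed sample paths
            "C:\\Users\\ralf\\Test..doc",   // extension mangled by the original
            "\\/etc/passwd",                // Ralf's case on a Unix host
            "/tmp/..",                      // Fabian's case, hidden behind a directory
            "../../etc/passwd",             // plain traversal; both methods cope
        };
        for (String p : submitted) {
            String orig = fileNameFromBrowserSubmittedPath(p);
            String safe;
            try {
                safe = safeFileName(p);
            } catch (IllegalArgumentException e) {
                safe = "<rejected>";
            }
            System.out.printf("%-28s original=%-12s inside=%-5b hardened=%s%n",
                    p, orig, staysInside(uploadDir, orig), safe);
        }
    }
}
```

Run it and the second row shows the point of the thread: the original returns "/etc/passwd" for "\/etc/passwd", and `staysInside` reports false for it, while the ".." replacement never fired. The first row shows the cost of that replacement, "Test_doc" instead of "Test..doc". Whichever name extraction is used, the `staysInside` check is the one that should gate the write, because it judges the final resolved location rather than the shape of the string.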