Re: ERXFileUtilities rendering file name's type extension unusable
  • Subject: Re: ERXFileUtilities rendering file name's type extension unusable
  • From: Johann Werner <email@hidden>
  • Date: Mon, 24 Jul 2017 11:43:38 +0200

If the two dots are meant to prevent switching to a parent directory you could
change the regex to something like

fileName.replaceAll("(/|^)\\.\\.(/|$)", "$1$2");

So this would only match two dots if they entirely describe a directory name
and would match e.g.

/var/../etc/foo
/abc/..
../foo

but not if it is included within a name.

jw


> On 24.07.2017 at 10:44, Fabian Peters <email@hidden> wrote:
>
> Hi Ralf,
>
>> I think the separator search has to match the platform running the app (and
>> then you may be better off using a File object), or be much stricter and search
>> always for all separators. For example suppose you are running on a Unix and
>> get the following path:
>>
>> \/etc/passwd
>>
>> Now your file name is /etc/passwd.
>
> True, you certainly cannot use the output of this method to get a "secure"
> filename. I think the intent of this method is just to get the client side
> file name, which is why I'm surprised about the "tiny security check". I'd
> vote for removing it…
>
> cheers, Fabian
>
>> Ralf
>>
>> On 21 July 2017 at 20:30:01, Fabian Peters (email@hidden)
>> wrote:
>>
>>> Hi all,
>>>
>>> This is a bit of a quiz question. The method pasted below replaces any two
>>> dots ("..") in a file name with a single underscore ("_"). If the user
>>> uploads a file named "Test..doc", it ends up as "Test_doc". Which is less
>>> than ideal because often one wants to get some idea about the file type by
>>> looking at the extension.
>>>
>>> Apparently Mike's (it's his code) intent was security-related. Can anyone
>>> come up with a potential vulnerability beyond the case of a file named
>>> ".."? (Which could theoretically lead to a file being written to the parent
>>> directory of the destination, though I haven't been able to actually do
>>> this.)
>>>
>>> cheers, Fabian
>>>
>>> /**
>>>  * Returns the file name portion of a browser submitted path.
>>>  *
>>>  * @param path the full path from the browser
>>>  * @return the file name portion
>>>  */
>>> public static String fileNameFromBrowserSubmittedPath(String path) {
>>>     String fileName = path;
>>>     if (path != null) {
>>>         // Windows
>>>         int separatorIndex = path.lastIndexOf("\\");
>>>         // Unix
>>>         if (separatorIndex == -1) {
>>>             separatorIndex = path.lastIndexOf("/");
>>>         }
>>>         // MacOS 9
>>>         if (separatorIndex == -1) {
>>>             separatorIndex = path.lastIndexOf(":");
>>>         }
>>>         if (separatorIndex != -1) {
>>>             fileName = path.substring(separatorIndex + 1);
>>>         }
>>>         // ... A tiny security check here ... Just in case.
>>>         fileName = fileName.replaceAll("\\.\\.", "_");
>>>     }
>>>     return fileName;
>>> }
>>>
>> --
>> Ralf Schuchardt
>> Sent with Airmail


 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:

This email sent to email@hidden
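Putting together the two points raised in the thread (Ralf's mixed-separator path "\/etc/passwd" and the ".." check that mangles "Test..doc"), the following is an added example written for this page, not code from the thread or from Wonder's ERXFileUtilities; the class name BrowserFileName is assumed.

```java
// Added example, not Wonder/ERXFileUtilities code: a hardened variant of the
// function discussed in the thread. It cuts after the LAST of any separator on
// any platform, so "\/etc/passwd" yields "passwd" rather than "/etc/passwd",
// and it rejects ".." only when it is the whole name, so "Test..doc" keeps
// its extension instead of becoming "Test_doc".
public final class BrowserFileName {

    public static String fileNameFromBrowserSubmittedPath(String path) {
        if (path == null) {
            return null;
        }
        // Search for all three separators the original considered (Windows '\',
        // Unix '/', Mac OS 9 ':') and take the text after whichever comes last.
        int cut = Math.max(path.lastIndexOf('\\'),
                  Math.max(path.lastIndexOf('/'), path.lastIndexOf(':')));
        String fileName = (cut == -1) ? path : path.substring(cut + 1);

        // With every separator stripped, ".." can only be dangerous as the
        // whole name; an empty name or "." is equally unusable as a file name.
        if (fileName.isEmpty() || fileName.equals(".") || fileName.equals("..")) {
            throw new IllegalArgumentException("not a usable file name: " + path);
        }
        return fileName;
    }

    // Constructed sample paths taken from the cases the thread talks about.
    public static void main(String[] args) {
        String[] samples = {
            "C:\\Users\\me\\Test..doc", // extension survives
            "\\/etc/passwd",             // Ralf's mixed-separator case
            "/var/../etc/foo",           // ".." in the middle is harmless here
            "Macintosh HD:Documents:report.pdf",
            "/abc/.."                    // rejected: bare ".." name
        };
        for (String s : samples) {
            try {
                System.out.println(s + " -> " + fileNameFromBrowserSubmittedPath(s));
            } catch (IllegalArgumentException e) {
                System.out.println(s + " -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```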

References:
  • ERXFileUtilities rendering file name's type extension unusable (From: Fabian Peters <email@hidden>)
  • Re: ERXFileUtilities rendering file name's type extension unusable (From: Ralf Schuchardt <email@hidden>)
  • Re: ERXFileUtilities rendering file name's type extension unusable (From: Fabian Peters <email@hidden>)