Javier Albinarrate wrote:
> What do you think?

$.02: I think this is increasingly becoming the wrong approach. The interface allows for files to be placed in any [sub]directory of the admin's choosing. For instance, take a look at my [preferred] directory structure off the ASSP base:

----------
bak
bin
blackholes
clamav
corpus
databases
images
lists
maillog
notes
pb
rc
reports
----------

My RE list-files are in the "lists" directory. My maillog is in the "maillog" directory, etc., etc. This current line of thought for how to secure the issue could cause problems for anyone that is using subdirectories in the "file:" specifications, i.e.:

file:lists/noProcessing.txt

+$.02: I think we should enforce specific file types, the directory structure must be within the $base, and no reverse traversals (i.e. /../) allowed.

_______________________________________________
Assp-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/assp-user
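One way to implement the three constraints proposed in the reply above (an allow-list of file types, containment within $base with subdirectories still permitted, and no reverse-traversal components), as an added example that is not ASSP's own code. It is written in Python rather than ASSP's Perl; the base path /opt/assp and the .txt/.lst allow-list are assumptions chosen for the illustration.

```python
import os

# Assumed allow-list for this illustration; ASSP's real set of list-file
# types is whatever the project decides on, not these two extensions.
ALLOWED_EXTENSIONS = frozenset({".txt", ".lst"})


class FileSpecError(ValueError):
    """Raised when a 'file:' specification fails validation."""


def resolve_file_spec(spec: str, base: str,
                      allowed_extensions=ALLOWED_EXTENSIONS) -> str:
    """Validate a 'file:<path>' specification and return the resolved path.

    Rules (the three constraints proposed in the message):
      1. only allow-listed file types (by extension) may be referenced;
      2. the resolved path must stay within ``base`` (subdirectories such as
         'lists/noProcessing.txt' are fine);
      3. no reverse-traversal ('..') component anywhere in the spec.
    """
    if not spec.startswith("file:"):
        raise FileSpecError(f"not a file: specification: {spec!r}")
    relative = spec[len("file:"):]
    if not relative:
        raise FileSpecError("empty path in file: specification")

    # Rule 3: reject traversal components before any normalisation, so a
    # '..' cannot be hidden by a later clean-up step. Both separators are
    # split on so 'lists\\..\\x' is caught on Windows as well.
    parts = relative.replace("\\", "/").split("/")
    if ".." in parts:
        raise FileSpecError(f"reverse traversal not allowed: {spec!r}")

    # Rule 1: extension allow-list, compared case-insensitively.
    _, ext = os.path.splitext(relative)
    if ext.lower() not in allowed_extensions:
        raise FileSpecError(f"file type {ext!r} not permitted: {spec!r}")

    # Rule 2: resolve against base and confirm containment. realpath also
    # follows symlinks, so a link inside base that points outside is caught.
    # An absolute spec ('file:/etc/hosts.txt') makes os.path.join discard
    # base entirely; the commonpath check below then rejects it.
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, relative))
    try:
        contained = os.path.commonpath([base_real, target]) == base_real
    except ValueError:  # e.g. different drives on Windows
        contained = False
    if not contained:
        raise FileSpecError(f"path escapes base directory: {spec!r}")
    return target


def is_valid_file_spec(spec: str, base: str) -> bool:
    """Boolean wrapper around resolve_file_spec, handy for filtering config."""
    try:
        resolve_file_spec(spec, base)
    except FileSpecError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample specifications; /opt/assp is an assumed base.
    for s in ("file:lists/noProcessing.txt",
              "file:lists/../../etc/passwd.txt",
              "file:/etc/hosts.txt",
              "file:maillog/maillog.log"):
        print(f"{s:40} -> {is_valid_file_spec(s, '/opt/assp')}")
```

The containment test is done on the fully resolved path rather than on the string, so the check still holds when the admin's subdirectory layout differs from the one above; only the allow-list and base path need to match the installation.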
