----- Original Message -----
From: "Jim Lerner" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, January 30, 2003 14:24
Subject: Re: Axis attachment naming enhancement (code attached)
> Since Axis is already willing to hand me the file (on the server or the
> client) with a name like "/tmp/Axis56789axis", I am able to do with it
> what I will. That means that if I wanted to rename it and possibly
> execute it, I could. What difference does it make to Axis or system
> security if the original filename/extension are preserved? The danger
> is no greater. It seems to me that security has to be implemented for
> any Axis service that cares about it, but that obfuscating the filename
> does not serve that purpose.

What if I was malicious and sent you a file with the header set to ../../../etc/passwd? You might prepend /tmp/axis/axis123_ to it, but the file system might still resolve the .. elements and stamp on your password file.
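One way to keep a client-supplied attachment name without letting it steer where the file is written, as an added Java example that is neither Axis code nor code from this thread: keep only the last path component, strip leading dots, replace unusual characters, and then confirm the canonical result is still inside the base directory. The `/tmp/axis` directory and the `axis123_` prefix are illustrative values taken from the message above; the class and method names are assumptions.

```java
import java.io.File;
import java.io.IOException;

public class AttachmentNames {
    // Characters permitted in the client-supplied part of the stored name.
    private static final String UNSAFE_CHARS = "[^A-Za-z0-9._-]";

    /**
     * Derive a safe file name from a client-supplied one (for example the
     * filename from an attachment's Content-Disposition header). Directory
     * components, "..", and leading dots are removed, so the result is a
     * single plain name.
     */
    static String sanitize(String clientName) {
        if (clientName == null) {
            return "attachment";
        }
        // Treat both slash styles as separators regardless of platform.
        String s = clientName.replace('\\', '/');
        int slash = s.lastIndexOf('/');
        String base = slash >= 0 ? s.substring(slash + 1) : s;
        base = base.replaceAll(UNSAFE_CHARS, "_");
        // Leading dots are dropped so the name can never be "." or "..".
        base = base.replaceAll("^\\.+", "");
        return base.isEmpty() ? "attachment" : base;
    }

    /**
     * Build the final path as prefix + sanitized name under baseDir and
     * verify, after canonicalisation, that it has not escaped baseDir.
     */
    static File storagePath(File baseDir, String uniquePrefix, String clientName)
            throws IOException {
        File canonicalBase = baseDir.getCanonicalFile();
        File target = new File(canonicalBase, uniquePrefix + sanitize(clientName))
                .getCanonicalFile();
        if (!target.toPath().startsWith(canonicalBase.toPath())) {
            throw new IOException("attachment name escapes " + canonicalBase);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        File base = new File("/tmp/axis");
        // Both a normal name and the traversal attempt from the thread
        // end up as plain files directly under /tmp/axis.
        System.out.println(storagePath(base, "axis123_", "report.pdf"));
        System.out.println(storagePath(base, "axis123_", "../../../etc/passwd"));
    }
}
```

The canonical-path check is the defence that matters even if the sanitizer is later changed, since it rejects any result that resolves outside the attachment directory.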