On 03/03/2013 20:00, Florian Weimer wrote:
You check that the file ends with ".jpg", so it won't be interpreted
by the web server, but the full extension is actually ".php\000.jpg",
so you end up writing a ".php" file, which is.
The application have have the path String ".php\000.jpg" but when you
create the file (with FileOutputStream or other APIs) then it would be
".php.jpg". Another potential approach is to just fail when attempting
to create the file but changing File's constructor to throw an exception
would be an incompatible change.
-Alan
