On 03/03/2013 10:01 PM, Alan Bateman wrote:
On 03/03/2013 20:00, Florian Weimer wrote:
You check that the file ends with ".jpg", so it won't be interpreted
by the web server, but the full extension is actually ".php\000.jpg",
so you end up writing a ".php" file, which is.
The application have have the path String ".php\000.jpg" but when you
create the file (with FileOutputStream or other APIs) then it would be
".php.jpg".
Yes, that's the behavior with dropping, and it does help in this case.
(I was arguing against truncation.) But dropping is unsafe, too, as I
described in the second paragraph of my message.
> Another potential approach is to just fail when attempting
to create the file
I think this is what's required. It's what Python has been doing for
some time.
> but changing File's constructor to throw an exception
would be an incompatible change.
I completely agree. I think I've written code myself which relies on
the File(String) constructor not looking at the contents of the string. 8-/
--
Florian Weimer / Red Hat Product Security Team
