I agree with Greg.
IMHO, character validation should be left to the developer, which depends
on their OS and file names supported therein. But if there needs to be
protection against a buffer overflow attack (I assume that is the
problem you are trying to solve?), then the length restriction should
suffice. Or is there another risk I'm not aware of that could threaten
a system by just having a few malicious characters in a file name?
Thanks,
Burton
------ Original Message ------
From "Greg Huber" <gregh3...@gmail.com>
To dev@struts.apache.org
Date 2/11/2025 2:51:36 AM
Subject Re: file upload name filtering
Filename length is a possible good way to go, with an override of the length
and then truncate or block option.
On 11/02/2025 06:21, Lukasz Lenart wrote:
Hm... looks like I must re-think this approach, thanks all for
reporting this issue!