henrikplate commented on PR #1180: URL: https://github.com/apache/struts/pull/1180#issuecomment-2575775526
@lukaszlenart I copied the latest `ActionFileUploadInterceptor` from the 6-7-x branch (as well as the version from tag STRUTS_6_4_0) into the 2-3-x branch, but compilation fails due to missing symbols like `UploadedFile`, `UploadedFilesAware` or `AbstractFileUploadInterceptor`, as well as differences with regard to logging. This makes me think that too much refactoring happened between those releases to make a down-port of `ActionFileUploadInterceptor` feasible. In other words, the local fix proposed in this PR still seems an easier option to me. Ideally, users should be able to use this as a drop-in replacement for the vulnerable version 2.3.37, without any need to change their application or update other dependencies. Again, I know that updating to a supported version of Struts is the recommended long-term solution, but this local fix could be a short-term remedy. Of course, this only works if the proposed fix both

- eliminates the possibility for attackers to override the file name by fiddling with the parameters' sort order, e.g. using lower case or OGNL expressions (there may be other ways than the `top.` prefix and index access via `[0]` mentioned above and in blog posts), and
- is not so restrictive that it breaks any existing, legitimate scenarios (which is why I limited the check to the `<name>ContentType` and `<name>FileName` parameters).

I would love to hear your assessment of those two aspects, thank you in advance.
