Hello Sebastian,

The openOrCreateFolder(String dir) method should be renamed to
logNonExistentFolder or something (I will rename it).
It just extracts the same code blocks and reduces copy/paste.

I removed your fix because it leaves too many holes open. An attacker can use
./../../../../../../etc/password or ././../../../../../../etc/password or
another hack. I see no way to catch all possibilities using input
string analysis.
At the same time, ../openmeetings/upload/image.jpg is a valid path starting with
"..".

The actual fix is:
    // Requested file is outside OM webapp folder
    if (!f2.getCanonicalPath().startsWith(current_dir)) {
        throw new Exception("Invalid file requested");
    }
The final path (used to create f2) is checked to be inside "current_dir".
This will filter out all files outside the webapps/openmeetings folder.

On Sun, Sep 4, 2011 at 17:00, [email protected]
<[email protected]> wrote:

> Hi Maxim,
>
> you've committed a fix in r=4167.
> You removed my fix actually and added another check. I don't understand the
> logic behind it, could you explain it?
>
> How do you prevent anybody from using ../ so that he might access files
> that he should NOT?
> Your fix would actually create that folder inside it? But we don't want
> any folder to be created in our webapp dir just by randomizing the params
> parentPath or fileName?
>
> Sebastian
>
> --
> Sebastian Wagner
> http://www.webbase-design.de
> http://openmeetings.googlecode.com
> http://www.wagner-sebastian.com
> [email protected]
>



-- 
WBR
Maxim aka solomax
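The canonical-path check described in the mail above, written out as an added example that is not OpenMeetings code. The class name, the temporary root directory and the sample inputs are assumptions for illustration; the comparison against "root + separator" is a caveat beyond the snippet quoted in the mail. It applies the check to the final resolved path built from the parentPath and fileName parameters, and it creates nothing on disk before the check passes.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;

// Added example, not OpenMeetings code: resolve a requested path under the
// webapp root and reject it if its canonical form lies outside that root.
public class CanonicalPathCheck {

    /**
     * Resolves parentPath and fileName under root and returns the resulting
     * File only if its canonical path is inside root. No folder or file is
     * created, so a rejected request leaves the webapp directory untouched.
     */
    public static File resolveInsideRoot(File root, String parentPath, String fileName)
            throws IOException {
        String canonicalRoot = root.getCanonicalPath();
        // Compare against "root + separator": a bare prefix match would also
        // accept a sibling directory whose name merely starts with the root's
        // name (e.g. ".../openmeetings-old" next to ".../openmeetings").
        String rootPrefix = canonicalRoot.endsWith(File.separator)
                ? canonicalRoot : canonicalRoot + File.separator;

        File requested = new File(new File(root, parentPath), fileName);
        // getCanonicalPath() collapses every "." and ".." and resolves
        // symlinks, so the user-supplied components need no string analysis.
        String canonicalRequested = requested.getCanonicalPath();

        // Requested file is outside the webapp folder
        if (!canonicalRequested.startsWith(rootPrefix)) {
            throw new IOException("Invalid file requested: "
                    + parentPath + File.separator + fileName);
        }
        return requested;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample root named like the webapp folder in the mail;
        // a real deployment would pass its actual webapps/openmeetings dir.
        File root = new File(Files.createTempDirectory("webapps").toFile(), "openmeetings");
        root.mkdirs();

        // Constructed sample inputs: the first two resolve inside the root
        // (the second even though it starts with ".."), the last two do not.
        String[][] samples = {
            { "upload", "image.jpg" },
            { "../openmeetings/upload", "image.jpg" },
            { "./../../../../../../etc", "password" },
            { "..", "openmeetings-old/secret.txt" },
        };

        for (String[] sample : samples) {
            try {
                File ok = resolveInsideRoot(root, sample[0], sample[1]);
                System.out.println("accepted: " + ok.getCanonicalPath());
            } catch (IOException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The fourth sample shows why the comparison uses the separator-terminated prefix: with a bare startsWith(current_dir) a path resolving to a sibling directory such as .../openmeetings-old would pass, while the terminated prefix rejects it.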

-- 
You received this message because you are subscribed to the Google Groups 
"OpenMeetings developers" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to 
[email protected].
For more options, visit this group at 
http://groups.google.com/group/openmeetings-dev?hl=en.
