Subject: Re: file upload name filtering
List: dev@struts.apache.org (Struts Developers List)

On Sun, 9 Feb 2025 at 10:10, Greg Huber wrote:

I have now had a few uploads blocked mainly due to sentence punctuation
in the image name, i.e. apostrophe and ampersand symbols.

It would be better here to just escape the string and warn rather than
just block it; requiring the user to remove the characters is a waste of
time as this can easily

On 09/02/2025 09:14, Lukasz Lenart wrote:

This is rather a hardening to avoid potential feature security
vulnerabilities. In ParametersInterceptor we do not allow some certain
names of the parameters and the same should be used for uploading and
any other "user input".

Maybe it would be good to create one the same mechanism which can be s

On Sun, 9 Feb 2025 at 10:20, Greg Huber wrote:

Still using v6 at the moment, but I think v7 (dev box) is the same?

On 09/02/2025 09:27 (sender cut off in the archive fragment), in reply:

The same in functionality, but harder to refactor some things. I made
a few changes in the logic used in v7 and it's hard to port them back
into v6.

Anyway, I will take a look

On Sun, 9 Feb 2025 at 10:51, Greg Huber wrote:

..v6 to escape and warn would be good, and should reduce downstream
complaints as they might not notice it😉.

arthu€r.jpg

long filenames to try and find the offending char

af517d82-8583-11eb-a3d0-06b4694bee2a_2Fmedia-manager_2F1738545771934-House_20&_20Home_20-_20HI-RES.png

-- Original Message --
From "Lukasz Lenart"
To "Struts Developers List"
Date 2/9/2025 11:50:30 AM
Subject Re: file upload name filtering

Could you create a JIRA ticket to address this?

Burton Rhodes wrote (replying to the message above; date of the reply not shown in the fragment):

ng EXCLUDED_FILE_PATTERN =
"^(.*[<>&\"'|;/?*:]+.*|.*\\.\\..*)$";

Thanks,
Burton

On 11/02/2025 06:21, Lukasz Lenart wrote:

Hm... looks like I must re-think this approach, thanks all for
reporting this issue!

-- Original Message --
From "Greg Huber"
To dev@struts.apache.org
Date 2/11/2025 2:51:36 AM
Subject Re: file upload name filtering

Filename length is a possible good way to go, with an override of the
length and then truncate or block option.

On Wed, Feb 12, 2025, 10:05 AM Burton Rhodes wrote:

I agree with Greg.

IMHO, character validation should be left to the developer, which
depends on their OS and file names supported therein. But if there needs to be
protection against a buffer overflow attack (I assume that is the
problem you are trying to solve?), then the length restriction should
suffice. Or is there another risk I'm not aware of that could threaten
a system by just having a few malicious characters in a file name?

Thanks,
Burton

Reply to Burton's message (sender not shown in the fragment):

uses the
file name, unsanitized, and potentially other malicious type
injection via
specially crafted file names.