Hi, > -----Original Message----- > From: cjder...@gmail.com [mailto:cjder...@gmail.com] On Behalf Of chris > derham > Sent: Saturday, September 03, 2011 6:51 PM > To: Tomcat Users List > Subject: Re: Servlet 3.0 File Upload > > > Letting the remote user control the name of the file that is written to > disk > exposes a potential security risk. Due to bad configuration, the posted > name > may allow the caller to save arbitrary files anywhere they wish. The > server > should generate the name that is used to save the file to remove this > risk > > Chris
Yes, the user could supply a name like "../../badfile.exe" (even in the "Content-Disposition" header) to inject a file anywhere in the file system. Of course, one shouldn't use the supplied filename to save the file on the server. I usually make a DB entry with the supplied filename stored in a text field, and use the ID of the entry to generate a filename where the actual file contents are stored. The supplied filename is then only for displaying purposes. Regards, Konstantin Preißer --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org