When I save uploaded files, I never use the client's name of the file. That 
could cause problems, and could be a security risk.
   
  For example, a Windows client may have a file name which contains spaces; 
however, on a Unix system this will not be a valid file name.
   
  Another example: if you are running on a Windows server, somebody may upload a 
file named dir.bat and put in it whatever commands they like, then ... I leave 
it to your imagination :)
   
  
Alex Jacoby <[EMAIL PROTECTED]> wrote:
  I'm saving uploaded files to a directory on the local file system. I 
was just wondering: would it be possible for someone to give their 
uploaded file a name like "../../secretdir/passwd" so that they could 
theoretically clobber another file (if permissions weren't somehow 
blocking it)?

If so, is this something that Wicket does or could check for? The 
Javadocs for FileItem.getName say that while most browsers provide 
only a basename (no path), Opera does include a full path, so it would 
seem that a malicious user could do some directory traversal trickery...

It's not hard to check for "../" or a leading "/" (or just "/" 
ANYWHERE I suppose), but I'd skip it if it weren't necessary.

Thanks,
Alex
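The two answers in this thread combine naturally: store the upload under a name the server generates (so the client's name, full path or not, never reaches the file system), and still verify that the resolved target lies inside the upload directory. The Java class below is an added example written for this thread; it is not Wicket code or code from either poster. It assumes an upload directory passed to the constructor and a hypothetical extension allow-list (ALLOWED_EXTENSIONS); the sample names in main() are constructed, including the "../../secretdir/passwd" case Alex asks about.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Locale;
import java.util.Set;
import java.util.UUID;

/** Added example: store an upload under a server-generated name, never the client's. */
public final class SafeUploadStore {

    // Hypothetical allow-list of extensions this application accepts.
    private static final Set<String> ALLOWED_EXTENSIONS = Set.of("png", "jpg", "pdf", "txt");

    private final Path baseDir;

    public SafeUploadStore(Path baseDir) throws IOException {
        // Canonicalise once so the containment check below compares like with like.
        this.baseDir = baseDir.toRealPath();
    }

    /**
     * Derive only an extension from the client-supplied name (e.g. FileItem.getName()).
     * Both '/' and '\' are treated as separators because some browsers send a full
     * path; only the last segment is looked at, and only to pick the extension.
     */
    static String extensionOf(String clientName) {
        if (clientName == null) return "bin";
        int cut = Math.max(clientName.lastIndexOf('/'), clientName.lastIndexOf('\\'));
        String base = clientName.substring(cut + 1);
        int dot = base.lastIndexOf('.');
        if (dot < 0 || dot == base.length() - 1) return "bin";
        String ext = base.substring(dot + 1).toLowerCase(Locale.ROOT);
        // Anything not on the allow-list is stored as an opaque blob (.bin),
        // so a name like dir.bat never becomes an executable file on disk.
        return ALLOWED_EXTENSIONS.contains(ext) ? ext : "bin";
    }

    /** Choose the on-disk name: random, server-generated, with a vetted extension. */
    Path targetFor(String clientName) throws IOException {
        String name = UUID.randomUUID() + "." + extensionOf(clientName);
        Path target = baseDir.resolve(name).normalize();
        // Defence in depth: 'name' cannot contain separators or "..", but confirm
        // the resolved path is still inside baseDir before touching the disk.
        if (!target.startsWith(baseDir)) {
            throw new IOException("refusing to write outside the upload directory");
        }
        return target;
    }

    /** Write the upload body; the client's name is at most kept as metadata elsewhere. */
    public Path store(String clientName, byte[] body) throws IOException {
        Path target = targetFor(clientName);
        Files.write(target, body);
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("uploads");
        SafeUploadStore store = new SafeUploadStore(dir);
        // Constructed sample names, including the traversal attempt from the thread.
        String[] samples = {"report.PDF", "../../secretdir/passwd",
                            "C:\\Users\\me\\photo.jpg", "dir.bat"};
        for (String n : samples) {
            Path p = store.store(n, "hello".getBytes());
            System.out.println(n + " -> " + dir.relativize(p));
        }
    }
}
```

With this layout the "../" and leading "/" checks Alex describes become a secondary safeguard rather than the only one: the client's name is reduced to an allow-listed extension, the file name itself is a UUID, and the startsWith check catches any future change that lets user input back into the path.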
