I'm saving uploaded files to a directory on the local file system. I
was just wondering: would it be possible for someone to give their
uploaded file a name like "../../secretdir/passwd" so that they could
theoretically clobber another file (if permissions weren't somehow
blocking it)?
If so, is this something that Wicket does or could check for? The
javadocs for FileItem.getName say that while most browsers provide
only a basename (no path), Opera does include a full path, so it would
seem that a malicious user could do some directory traversal trickery...
It's not hard to check for "../" or a leading "/" (or just "/"
ANYWHERE I suppose), but I'd skip it if it weren't necessary.
Thanks,
Alex
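
The check asked about above, as an added example that is not part of the original post and is not Wicket's own code: it reduces the client-supplied name (the string `FileItem.getName()` returns) to a basename, resolves it inside the upload directory, and refuses to overwrite an existing file. The class name, method names, the `uploads` directory and the sample names are assumptions made for illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

public class SafeUpload {

    // Reduce a client-supplied name to its last path segment, or reject it.
    static String baseName(String clientName) {
        if (clientName == null) throw new IllegalArgumentException("no file name");
        // Clients may send Windows or Unix style paths; treat both separators alike.
        String n = clientName.replace('\\', '/');
        n = n.substring(n.lastIndexOf('/') + 1);
        if (n.isEmpty() || n.equals(".") || n.equals("..") || n.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("unusable file name");
        }
        return n;
    }

    // Resolve the name inside uploadDir and verify the result is a direct child of it.
    static Path resolveInside(Path uploadDir, String clientName) {
        Path root = uploadDir.toAbsolutePath().normalize();
        Path target = root.resolve(baseName(clientName)).normalize();
        if (!root.equals(target.getParent())) {
            throw new IllegalArgumentException("path escapes upload directory");
        }
        return target;
    }

    // Without REPLACE_EXISTING, Files.copy throws FileAlreadyExistsException instead of clobbering.
    static Path save(Path uploadDir, String clientName, InputStream data) throws IOException {
        Path target = resolveInside(uploadDir, clientName);
        Files.copy(data, target);
        return target;
    }

    public static void main(String[] args) {
        Path dir = Paths.get("uploads"); // hypothetical upload directory
        String[] samples = {"report.pdf", "../../secretdir/passwd", "C:\\Users\\a\\cv.doc", "/etc/passwd", ".."}; // constructed inputs
        for (String s : samples) {
            try {
                System.out.println(s + " -> " + resolveInside(dir, s));
            } catch (IllegalArgumentException e) {
                System.out.println(s + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Taking the basename rather than searching for "../" means a name such as "../../secretdir/passwd" is stored as `passwd` inside the upload directory, and the parent-directory comparison is a second check in case the basename logic ever misses a separator form.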