Good points -- I was munging the filename a bit, but basically leaving
it unchanged so that it would be simpler to debug.
I'm still curious about the directory traversal thing... I've tried
using Tamper Data to change the filename, but I get a
MalformedStreamException each time I try [1].
Side note: I think spaces are allowed in filenames in unix file
systems. Just quoted or escaped. (Regardless, your point is still
taken.)
Alex
[1]
org.apache.wicket.util.upload.MultipartFormInputStream$MalformedStreamException: Stream ended unexpectedly
        at org.apache.wicket.util.upload.MultipartFormInputStream.readBodyData(MultipartFormInputStream.java:568)
On Feb 20, 2008, at 3:24 PM, Abdul Habra wrote:
When I save uploaded files, I never use the client's name of the
file. That could cause problems, and could be a security risk.
For example, a Windows client may have a file name which contains
spaces; however, on a Unix system this will not be a valid file name.
Another example: if you are running on a Windows server, somebody may
upload a file named dir.bat and put in it whatever commands they
like, then ... I leave it to your imagination :)
Alex Jacoby <[EMAIL PROTECTED]> wrote:
I'm saving uploaded files to a directory on the local file system. I
was just wondering: would it be possible for someone to give their
uploaded file a name like "../../secretdir/passwd" so that they could
theoretically clobber another file (if permissions weren't somehow
blocking it)?
If so, is this something that wicket does or could check for? The
javadocs for FileItem.getName say that while most browsers provide
only a basename (no path), Opera does include a full path, so it would
seem that a malicious user could do some directory traversal
trickery...
It's not hard to check for "../" or a leading "/" (or just "/"
ANYWHERE I suppose), but I'd skip it if it weren't necessary.
Thanks,
Alex
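The checks discussed in this thread, as an added example that is not part of the original messages and not Wicket's own code: the class and method names (UploadNameCheck, baseName, storedName, resolveInside) and the sample client names are assumptions made up for illustration. It strips any path the browser sent (both '/' and '\' separators, so an Opera-style full Windows path is handled on a Unix server), never uses the client's name as the stored name, and finally verifies that the resolved target still lies inside the upload directory.

```java
import java.io.File;
import java.io.IOException;
import java.util.UUID;
import java.util.regex.Pattern;

/**
 * Added example (not Wicket code): sanitizing a client-supplied upload
 * filename before saving it under a fixed upload directory.
 */
public class UploadNameCheck {

    // Conservative character set kept in the stored name hint.
    private static final Pattern UNSAFE = Pattern.compile("[^A-Za-z0-9._-]");

    /**
     * Drop any path component the browser may have sent. Both '/' and '\\'
     * are treated as separators so a Windows path is not mistaken for a
     * single odd filename on a Unix server.
     */
    static String baseName(String clientName) {
        if (clientName == null) {
            return "";
        }
        int cut = Math.max(clientName.lastIndexOf('/'), clientName.lastIndexOf('\\'));
        return clientName.substring(cut + 1);
    }

    /**
     * Derive the server-side name: a random prefix (the client never picks the
     * real name) plus a sanitized, truncated hint of the original base name.
     * "." and ".." are rejected outright.
     */
    static String storedName(String clientName) {
        String base = baseName(clientName);
        if (base.isEmpty() || base.equals(".") || base.equals("..")) {
            throw new IllegalArgumentException("unusable filename: " + clientName);
        }
        String hint = UNSAFE.matcher(base).replaceAll("_");
        hint = hint.replaceAll("\\.{2,}", ".");   // collapse runs of dots
        if (hint.length() > 64) {
            hint = hint.substring(0, 64);
        }
        return UUID.randomUUID() + "_" + hint;
    }

    /**
     * Resolve the target and prove it stays inside uploadDir, so that even a
     * name that slipped past sanitization cannot clobber files elsewhere.
     */
    static File resolveInside(File uploadDir, String name) throws IOException {
        String root = uploadDir.getCanonicalPath() + File.separator;
        File target = new File(uploadDir, name);
        if (!target.getCanonicalPath().startsWith(root)) {
            throw new IOException("path escapes upload dir: " + name);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        File uploadDir = new File(System.getProperty("java.io.tmpdir"), "uploads");
        uploadDir.mkdirs();

        // Constructed sample names a client might send (not real captures).
        String[] samples = {
            "report.pdf",
            "C:\\Documents and Settings\\user\\My Documents\\budget.xls", // full path, Opera-style
            "../../secretdir/passwd",                                      // traversal attempt
            "dir.bat",                                                     // Windows batch file
            "..",
        };
        for (String s : samples) {
            try {
                File f = resolveInside(uploadDir, storedName(s));
                System.out.println(s + " -> " + f.getName());
            } catch (IllegalArgumentException | IOException e) {
                System.out.println(s + " -> rejected: " + e.getMessage());
            }
        }

        // Using the raw client name directly is caught by the canonical-path check.
        try {
            resolveInside(uploadDir, "../../secretdir/passwd");
        } catch (IOException e) {
            System.out.println("raw name rejected: " + e.getMessage());
        }
    }
}
```

Note that the random prefix neutralizes traversal and name collisions but not the point about dir.bat: the extension survives in the hint, so if the upload directory is ever served back or sits on a search path, either drop the extension or store files in a directory that is neither executable nor web-accessible.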
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------