Hi all,
This is a bit of a quiz question. The method pasted below replaces any two dots
("..") in a file name with a single underscore ("_"). If the user uploads a
file named "Test..doc", it ends up as "Test_doc". Which is less than ideal
because often one wants to get some idea about the file type by looking at the
extension.
Apparently Mike's (it's his code) intent was security-related. Can anyone come
up with a potential vulnerability beyond the case of a file named ".."? (Which
could theoretically lead to a file being written to the parent directory of the
destination, though I haven't been able to actually do this.)
cheers, Fabian
/**
* Returns the file name portion of a browser submitted path.
*
* @param path the full path from the browser
* @return the file name portion
*/
public static String fileNameFromBrowserSubmittedPath(String path) {
String fileName = path;
if (path != null) {
// Windows
int separatorIndex = path.lastIndexOf("\\");
// Unix
if (separatorIndex == -1) {
separatorIndex = path.lastIndexOf("/");
}
// MacOS 9
if (separatorIndex == -1) {
separatorIndex = path.lastIndexOf(":");
}
if (separatorIndex != -1) {
fileName = path.substring(separatorIndex + 1);
}
// ... A tiny security check here ... Just in case.
fileName = fileName.replaceAll("\\.\\.", "_");
}
return fileName;
}
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list (Webobjects-dev@lists.apple.com)
Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/webobjects-dev/archive%40mail-archive.com
This email sent to arch...@mail-archive.com
