Posted to users@wicket.apache.org by Alex Jacoby <ae...@isr.umich.edu> on 2008/02/20 21:11:39 UTC

need to sanitize uploaded file names before saving?

I'm saving uploaded files to a directory on the local file system.  I  
was just wondering: would it be possible for someone to give their  
uploaded file a name like "../../secretdir/passwd" so that they could  
theoretically clobber another file (if permissions weren't somehow  
blocking it)?

If so, is this something that wicket does or could check for?  The  
javadocs for FileItem.getName say that while most browsers provide  
only a basename (no path), Opera does include a full path, so it would  
seem that a malicious user could do some directory traversal trickery...

It's not hard to check for "../" or a leading "/" (or just "/"  
ANYWHERE I suppose), but I'd skip it if it weren't necessary.

Thanks,
Alex

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
For additional commands, e-mail: users-help@wicket.apache.org


Re: need to sanitize uploaded file names before saving?

Posted by Alex Jacoby <ae...@isr.umich.edu>.
Thanks!  That was the first thing I did, before I saw  
Files.filename().  I figured the latter would save me unnecessary  
object creation, though admittedly the java.io.File solution is  
probably more robust (I haven't looked at the source for File yet to  
compare the two).

On Feb 20, 2008, at 5:36 PM, Peter Ertl wrote:

> Why not simply use
>
>  new java.io.File(client_file_name).getName()     ?
>
> > Returns the name of the file or directory denoted by this abstract pathname.
> > This is just the last name in the pathname's name sequence.
> > If the pathname's name sequence is empty, then the empty string is returned.
>
>
>
>
> Am 20.02.2008 um 22:03 schrieb Alex Jacoby:
>
>> Good points -- I was munging the filename a bit, but basically  
>> leaving it unchanged so that it would be simpler to debug.
>>
>> I'm still curious about the directory traversal thing... I've tried  
>> using tamper data to change the filename, but I get a  
>> MalformedStreamException each time I try [1].
>>
>> Side note: I think spaces are allowed in filenames in unix file  
>> systems.  Just quoted or escaped.  (Regardless, your point is still  
>> taken.)
>>
>> Alex
>>



Re: need to sanitize uploaded file names before saving?

Posted by Peter Ertl <pe...@gmx.org>.
Why not simply use

   new java.io.File(client_file_name).getName()     ?

 > Returns the name of the file or directory denoted by this abstract pathname.
 > This is just the last name in the pathname's name sequence.
 > If the pathname's name sequence is empty, then the empty string is returned.




Am 20.02.2008 um 22:03 schrieb Alex Jacoby:

> Good points -- I was munging the filename a bit, but basically  
> leaving it unchanged so that it would be simpler to debug.
>
> I'm still curious about the directory traversal thing... I've tried  
> using tamper data to change the filename, but I get a  
> MalformedStreamException each time I try [1].
>
> Side note: I think spaces are allowed in filenames in unix file  
> systems.  Just quoted or escaped.  (Regardless, your point is still  
> taken.)
>
> Alex
>
> [1]
> org.apache.wicket.util.upload.MultipartFormInputStream$MalformedStreamException: Stream ended unexpectedly
> 	at org.apache.wicket.util.upload.MultipartFormInputStream.readBodyData(MultipartFormInputStream.java:568)
>
> On Feb 20, 2008, at 3:24 PM, Abdul Habra wrote:
>
>> When I save uploaded files, I never use the client's name of the  
>> file. That could cause problems, and could be a security risk.
>>
>> For example, a Windows client may have a file name which contains  
>> spaces; however, on a Unix system this will not be a valid file name.
>>
>> Another example: if you are running on a Windows server, somebody may  
>> upload a file named dir.bat and put in it whatever commands they  
>> like, then ... I leave it to your imagination :)
>>
>>
>> Alex Jacoby <ae...@isr.umich.edu> wrote:
>> I'm saving uploaded files to a directory on the local file system. I
>> was just wondering: would it be possible for someone to give their
>> uploaded file a name like "../../secretdir/passwd" so that they could
>> theoretically clobber another file (if permissions weren't somehow
>> blocking it)?
>>
>> If so, is this something that wicket does or could check for? The
>> javadocs for FileItem.getName say that while most browsers provide
>> only a basename (no path), Opera does include a full path, so it  
>> would
>> seem that a malicious user could do some directory traversal  
>> trickery...
>>
>> It's not hard to check for "../" or a leading "/" (or just "/"
>> ANYWHERE I suppose), but I'd skip it if it weren't necessary.
>>
>> Thanks,
>> Alex
>>
>>
>>
>
>




Re: need to sanitize uploaded file names before saving?

Posted by Alex Jacoby <ae...@isr.umich.edu>.
I'm now running it through Files.filename() followed by a replaceAll  
for non-word, non-dot chars.  It seems to work OK.  Have I overlooked  
anything?  (They can still put a bad extension on the file, but since  
they're restricted to the data directory of my choosing I'm OK with  
that.)

Thanks,
Alex

On Feb 20, 2008, at 4:03 PM, Alex Jacoby wrote:

> Good points -- I was munging the filename a bit, but basically  
> leaving it unchanged so that it would be simpler to debug.
>
> I'm still curious about the directory traversal thing... I've tried  
> using tamper data to change the filename, but I get a  
> MalformedStreamException each time I try [1].
>
> Side note: I think spaces are allowed in filenames in unix file  
> systems.  Just quoted or escaped.  (Regardless, your point is still  
> taken.)
>
> Alex
>
> [1]
> org.apache.wicket.util.upload.MultipartFormInputStream$MalformedStreamException: Stream ended unexpectedly
> 	at org.apache.wicket.util.upload.MultipartFormInputStream.readBodyData(MultipartFormInputStream.java:568)
>
> On Feb 20, 2008, at 3:24 PM, Abdul Habra wrote:
>
>> When I save uploaded files, I never use the client's name of the  
>> file. That could cause problems, and could be a security risk.
>>
>> For example, a Windows client may have a file name which contains  
>> spaces; however, on a Unix system this will not be a valid file name.
>>
>> Another example: if you are running on a Windows server, somebody may  
>> upload a file named dir.bat and put in it whatever commands they  
>> like, then ... I leave it to your imagination :)
>>
>>
>> Alex Jacoby <ae...@isr.umich.edu> wrote:
>> I'm saving uploaded files to a directory on the local file system. I
>> was just wondering: would it be possible for someone to give their
>> uploaded file a name like "../../secretdir/passwd" so that they could
>> theoretically clobber another file (if permissions weren't somehow
>> blocking it)?
>>
>> If so, is this something that wicket does or could check for? The
>> javadocs for FileItem.getName say that while most browsers provide
>> only a basename (no path), Opera does include a full path, so it  
>> would
>> seem that a malicious user could do some directory traversal  
>> trickery...
>>
>> It's not hard to check for "../" or a leading "/" (or just "/"
>> ANYWHERE I suppose), but I'd skip it if it weren't necessary.
>>
>> Thanks,
>> Alex
>>
>>
>>
>
>
>


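The two steps the thread settles on (take the basename, then replaceAll on anything that is not a word character or a dot), together with the cases Alex asks about having overlooked, as an added example that is not Wicket's own code nor any list member's: it uses java.io.File.getName() from Peter's reply in place of Wicket's Files.filename(), cuts on both separators because a Unix server does not treat a backslash as one, rejects the "." and ".." names that the regex lets through, and finally confirms the resolved path is still inside the data directory. The class name and the data directory path are assumed.

```java
import java.io.File;
import java.nio.file.Path;
import java.nio.file.Paths;

public final class UploadNameSanitizer {

    /** Reduce a client-supplied name to a safe basename. */
    public static String sanitize(String clientFileName) {
        if (clientFileName == null) {
            return "upload";
        }
        // java.io.File.getName() only splits on the platform separator: on a
        // Unix server a Windows-style "C:\dir\x.txt" (which Opera can send as
        // a full path) or "..\..\x" survives intact, so cut both separators.
        String name = clientFileName;
        int cut = Math.max(name.lastIndexOf('/'), name.lastIndexOf('\\'));
        if (cut >= 0) {
            name = name.substring(cut + 1);
        }
        name = new File(name).getName();
        // The replaceAll step from the thread: keep word chars and dots only.
        name = name.replaceAll("[^\\w.]", "_");
        // "." and ".." pass that regex yet still mean this/parent directory,
        // so drop leading dots (this also turns ".htaccess" into "htaccess").
        name = name.replaceAll("^\\.+", "");
        return name.isEmpty() ? "upload" : name;
    }

    /** Final guard: the resolved target must remain inside the data directory. */
    public static Path resolveInside(Path dataDir, String clientFileName) {
        Path base = dataDir.toAbsolutePath().normalize();
        Path target = base.resolve(sanitize(clientFileName)).normalize();
        if (!target.startsWith(base) || target.equals(base)) {
            throw new IllegalArgumentException("refusing to write outside " + base);
        }
        return target;
    }

    public static void main(String[] args) {
        Path dataDir = Paths.get("/var/app/uploads"); // assumed data directory
        String[] samples = {
            "report.pdf",
            "../../secretdir/passwd",      // the traversal name from the thread
            "C:\\Users\\bob\\my file.txt",  // full path with a space
            "..",
        };
        for (String s : samples) {
            System.out.println("\"" + s + "\" -> " + resolveInside(dataDir, s));
        }
    }
}
```

Because the sanitizer never changes the extension, the point Alex accepts still holds: a name like dir.bat is stored as-is, so the data directory must never be served or executed from.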


Re: need to sanitize uploaded file names before saving?

Posted by Alex Jacoby <ae...@isr.umich.edu>.
Good points -- I was munging the filename a bit, but basically leaving  
it unchanged so that it would be simpler to debug.

I'm still curious about the directory traversal thing... I've tried  
using tamper data to change the filename, but I get a  
MalformedStreamException each time I try [1].

Side note: I think spaces are allowed in filenames in unix file  
systems.  Just quoted or escaped.  (Regardless, your point is still  
taken.)

Alex

[1]
org.apache.wicket.util.upload.MultipartFormInputStream$MalformedStreamException: Stream ended unexpectedly
	at org.apache.wicket.util.upload.MultipartFormInputStream.readBodyData(MultipartFormInputStream.java:568)

On Feb 20, 2008, at 3:24 PM, Abdul Habra wrote:

> When I save uploaded files, I never use the client's name of the  
> file. That could cause problems, and could be a security risk.
>
> For example, a Windows client may have a file name which contains  
> spaces; however, on a Unix system this will not be a valid file name.
>
> Another example: if you are running on a Windows server, somebody may  
> upload a file named dir.bat and put in it whatever commands they  
> like, then ... I leave it to your imagination :)
>
>
> Alex Jacoby <ae...@isr.umich.edu> wrote:
>  I'm saving uploaded files to a directory on the local file system. I
> was just wondering: would it be possible for someone to give their
> uploaded file a name like "../../secretdir/passwd" so that they could
> theoretically clobber another file (if permissions weren't somehow
> blocking it)?
>
> If so, is this something that wicket does or could check for? The
> javadocs for FileItem.getName say that while most browsers provide
> only a basename (no path), Opera does include a full path, so it would
> seem that a malicious user could do some directory traversal  
> trickery...
>
> It's not hard to check for "../" or a leading "/" (or just "/"
> ANYWHERE I suppose), but I'd skip it if it weren't necessary.
>
> Thanks,
> Alex
>
>
>




Re: need to sanitize uploaded file names before saving?

Posted by Abdul Habra <ah...@yahoo.com>.
When I save uploaded files, I never use the client's name of the file. That could cause problems, and could be a security risk.
   
  For example, a Windows client may have a file name which contains spaces; however, on a Unix system this will not be a valid file name.
   
  Another example: if you are running on a Windows server, somebody may upload a file named dir.bat and put in it whatever commands they like, then ... I leave it to your imagination :)
   
  
Alex Jacoby <ae...@isr.umich.edu> wrote:
  I'm saving uploaded files to a directory on the local file system. I 
was just wondering: would it be possible for someone to give their 
uploaded file a name like "../../secretdir/passwd" so that they could 
theoretically clobber another file (if permissions weren't somehow 
blocking it)?

If so, is this something that wicket does or could check for? The 
javadocs for FileItem.getName say that while most browsers provide 
only a basename (no path), Opera does include a full path, so it would 
seem that a malicious user could do some directory traversal trickery...

It's not hard to check for "../" or a leading "/" (or just "/" 
ANYWHERE I suppose), but I'd skip it if it weren't necessary.

Thanks,
Alex
