You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@struts.apache.org by "Lukasz Lenart (JIRA)" <ji...@apache.org> on 2013/02/04 15:04:14 UTC
[jira] [Updated] (WW-3873) file tag leaks server path information
[ https://issues.apache.org/jira/browse/WW-3873?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Lukasz Lenart updated WW-3873:
------------------------------
Fix Version/s: (was: 2.3.x)
2.3.10
> file tag leaks server path information
> --------------------------------------
>
> Key: WW-3873
> URL: https://issues.apache.org/jira/browse/WW-3873
> Project: Struts 2
> Issue Type: Bug
> Affects Versions: 2.3.4, 2.3.4.1
> Environment: Linux, weblogic 10-12, tomcat 7
> Reporter: Cam Morris
> Priority: Minor
> Fix For: 2.3.10
>
> Attachments: file-leak.png
>
>
> After a fileupload action, if the result jsp contains a <s:file> tag the value attribute is filled in with the server path where the file was saved. This discloses file system information about the server.
> To duplicate:
> 1) setup the struts2_showcase sample app
> 2) change struts-fileupload.xml from this
> {code}
> <action name="doUpload" class="org.apache.struts2.showcase.fileupload.FileUploadAction" method="upload">
> <result name="input">upload.jsp</result>
> <result>upload-success.jsp</result>
> </action>
> {code}
> to this
> {code}
> <action name="doUpload" class="org.apache.struts2.showcase.fileupload.FileUploadAction" method="upload">
> <result name="input">upload.jsp</result>
> <result>upload.jsp</result>
> </action>
> {code}
> 3. Deploy & Upload file using the url struts2-showcase/fileupload/upload.action
> 4. View source, in the input tag generated by the s:file tag you'll see the full path to the file that was uploaded.
> {code}
> <input type="file" name="upload" value="/home/cmorris/Workspace/struts2-examples/.metadata/.plugins/org.eclipse.wst.server.core/tmp0/work/Catalina/localhost/struts2-showcase/upload__1bd5a0ad_13997105f96__8000_00000002.tmp" id="doUpload_upload"/>
> {code}
>
> Workaround:
> A workaround is simple, just add an empty value attribute to the file tag:
> {code}
> <s:file name="upload" label="File" value=""/>
> {code}
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira