Posted to issues@commons.apache.org by "Sebb (JIRA)" <ji...@apache.org> on 2018/01/30 22:44:00 UTC

[jira] [Commented] (IO-567) FilenameUtils is unaware of NTFS alternate data streams

    [ https://issues.apache.org/jira/browse/IO-567?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16345936#comment-16345936 ] 

Sebb commented on IO-567:
-------------------------

AFAICT only the part before the colon is returned in directory searches etc, so the file name would have to come from elsewhere.
i.e. it should be sanitised by the caller before use.

> FilenameUtils is unaware of NTFS alternate data streams
> -------------------------------------------------------
>
>                 Key: IO-567
>                 URL: https://issues.apache.org/jira/browse/IO-567
>             Project: Commons IO
>          Issue Type: Bug
>            Reporter: Jochen Wiedmann
>            Assignee: Jochen Wiedmann
>            Priority: Minor
>
> Windows NTFS has a feature, called ADS (Alternate Data Streams). Basically, it works like this: Traditionally, a file called "foo" consists of a byte stream, which can be read, if we open the file "foo". Not so with NTFS. A file may have other byte streams, the so-called alternate data streams. These are addressed by using file names like "foo:alternate_stream_name". (Colon as a separator.)
>  
> While that is not a problem in itself, it may become difficult in connection with file name extensions. As you know, these have a special meaning on Windows. A .exe file may be executed. Thus, a .exe file with unknown contents would be dangerous. In the case of NTFS, this must be rephrased: A .exe file with unknown contents in its default data stream would be dangerous.
>  
> Now consider the case of a name like "foo.exe:bar.txt". This would be the alternate data stream named "bar.txt" in a file, named "foo.exe". If that name is passed to FilenameUtils.getExtension(String), it would happily return ".txt", although the Windows Explorer, or whatever other tool would show us "foo.exe".
>  
> Commons IO should implement special case handling for this in FilenameUtils.getExtension(String), and FilenameUtils.indexOfExtension(String)
>  
> Suggestion:
>  
>     a) Document the problem in Javadoc, and
>     b) Throw an IllegalArgumentException, if the file name contains a ':'.
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
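
The mismatch described in the issue, as an added example that is not part of the original message and is not Commons IO code: `naiveExtension` is a simplified stand-in for a last-dot extension lookup, and `strictExtension` applies suggestion b). The class and method names are hypothetical, the sample paths are constructed, and the colon check is assumed to apply only to the last path component, so a drive prefix such as `C:\` is still accepted.

```java
public class AdsExtensionCheck {

    // Index just past the last '/' or '\' (0 if the path has no separator).
    static int nameStart(String path) {
        return Math.max(path.lastIndexOf('/'), path.lastIndexOf('\\')) + 1;
    }

    // Simplified stand-in for a last-dot lookup: text after the last dot
    // in the last path component, with no knowledge of NTFS stream names.
    static String naiveExtension(String path) {
        String name = path.substring(nameStart(path));
        int dot = name.lastIndexOf('.');
        return dot < 0 ? "" : name.substring(dot + 1);
    }

    // Suggestion b): refuse names whose last component contains ':',
    // because the text after the colon names a stream, not the file.
    static String strictExtension(String path) {
        String name = path.substring(nameStart(path));
        if (name.indexOf(':') >= 0) {
            throw new IllegalArgumentException(
                    "':' in file name (possible NTFS alternate data stream): " + name);
        }
        return naiveExtension(path);
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        String[] samples = {
            "foo.exe:bar.txt",               // stream "bar.txt" of file "foo.exe"
            "C:\\uploads\\foo.exe:bar.txt",  // same, behind a drive prefix
            "C:\\uploads\\report.txt",       // ordinary file, drive colon is fine
            "notes.tar.gz"
        };
        for (String s : samples) {
            String strict;
            try {
                strict = strictExtension(s);
            } catch (IllegalArgumentException e) {
                strict = "rejected";
            }
            // An extension allow-list built on the naive value would see "txt"
            // for the first two names although the file on disk is foo.exe.
            System.out.printf("%-30s naive=%-4s strict=%s%n",
                    s, naiveExtension(s), strict);
        }
    }
}
```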