There's a bit of a security risk here if developers take that filename and append it to a path. Attackers might send ../../../etc/passwd or something. Another common bypass is if the application checks if the filename endsWith( ".pdf" ) or something -- the attacker can bypass by sending file.xls%00.pdf.
Is there any restriction on the String returned from the multipart request? Could we add some simple restrictions? At a minimum, could we add some Javadoc describing the risks?
Thanks,
--Jeff
-----Original Message-----
From: Shing Wai Chan [mailto:shing.wai.chan_at_oracle.com]
Sent: Friday, February 22, 2013 7:22 PM
To: jsr340-experts_at_servlet-spec.java.net
Subject: [jsr340-experts] About SERVLET_SPEC-57
I am looking at
http://java.net/jira/browse/SERVLET_SPEC-57
(" Add getFileName() method to javax.servlet.http.Part")
It is good to have an API to return the file name.
The question is the method name.
Is the following good enough?
In javax.servlet.http.Part, add the following API
/**
* Return the name of the submitted file.
* @return The name of the submitted file as a String
*/
String getSubmittedFileName();
Thanks.
Shing Wai Chan
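As an added illustration (not code from this thread, from the Servlet specification, or from any container implementation), here is how a servlet could validate the String that the proposed Part.getSubmittedFileName() would return before using it in a path. It handles the three problems Jeff raises: directory components such as ../../../etc/passwd, a NUL byte embedded before a trailing ".pdf" (the decoded form of file.xls%00.pdf), and an extension check that is applied only after the name has been reduced to a bare file name. The class name, the upload directory and the set of allowed extensions are assumptions made for the example.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Example guard for the String returned by Part.getSubmittedFileName().
 * Hypothetical helper, not part of javax.servlet or any container.
 */
public final class SubmittedFileNameGuard {

    // Assumed policy: only these extensions may be stored.
    private static final Set<String> ALLOWED_EXTENSIONS = Set.of("pdf", "png", "jpg");

    // Whitelist of characters for the bare file name; must not start with '.'
    // so names like ".." or ".htaccess" are rejected outright.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9][A-Za-z0-9._-]{0,99}");

    /** Returns a bare, whitelisted file name or throws IllegalArgumentException. */
    public static String sanitize(String submitted) {
        if (submitted == null || submitted.isEmpty()) {
            throw new IllegalArgumentException("empty file name");
        }
        // 1. A NUL byte makes Java's endsWith(".pdf") pass while a native
        //    open() call stops at the NUL and sees "file.xls". Reject it.
        if (submitted.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("NUL byte in file name");
        }
        // 2. Drop every directory component. Some browsers send the full
        //    client-side path, and "../../../etc/passwd" must not survive.
        int cut = Math.max(submitted.lastIndexOf('/'), submitted.lastIndexOf('\\'));
        String base = submitted.substring(cut + 1);
        // 3. Character whitelist on what is left.
        if (!SAFE_NAME.matcher(base).matches()) {
            throw new IllegalArgumentException("disallowed characters in file name");
        }
        // 4. Extension check on the sanitized name, case-insensitive.
        int dot = base.lastIndexOf('.');
        if (dot <= 0 || dot == base.length() - 1) {
            throw new IllegalArgumentException("missing extension");
        }
        String ext = base.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED_EXTENSIONS.contains(ext)) {
            throw new IllegalArgumentException("extension not allowed: " + ext);
        }
        return base;
    }

    /**
     * Resolves the sanitized name under uploadDir and, as defence in depth,
     * confirms the normalized result still lies inside uploadDir.
     */
    public static Path resolveUnder(Path uploadDir, String submitted) {
        Path root = uploadDir.toAbsolutePath().normalize();
        Path target = root.resolve(sanitize(submitted)).normalize();
        if (!target.startsWith(root)) {
            throw new IllegalArgumentException("resolved path escapes upload directory");
        }
        return target;
    }

    public static void main(String[] args) {
        Path uploads = Paths.get("/var/app/uploads"); // assumed upload location
        // Constructed sample inputs, including the two bypasses named in the thread.
        String[] samples = {
            "report.pdf",
            "../../../etc/passwd",
            "file.xls\u0000.pdf",
            "C:\\Users\\me\\scan.PDF",
            "notes.exe"
        };
        for (String s : samples) {
            String shown = s.replace("\u0000", "\\0");
            try {
                System.out.println(shown + " -> " + resolveUnder(uploads, s));
            } catch (IllegalArgumentException e) {
                System.out.println(shown + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

In a servlet the call would be resolveUnder(uploadDir, part.getSubmittedFileName()) followed by part.write(...) or a Files.copy of part.getInputStream() to the returned path. The order matters: the NUL and separator checks run before the extension check, so "file.xls\0.pdf" is rejected on the NUL and "../../../etc/passwd" is reduced to "passwd" and then rejected for having no allowed extension; the final startsWith check is redundant given the whitelist, but it is cheap and catches a future change to SAFE_NAME that accidentally admits a separator.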