jsr340-experts@servlet-spec.java.net

[jsr340-experts] Re: About SERVLET_SPEC-57

From: Mark Thomas <markt_at_apache.org>
Date: Sun, 24 Feb 2013 18:15:50 +0000

On 24/02/2013 03:02, Jeff Williams wrote:
> There's a bit of security risk here if developers take that filename
> and append it to a path. Attackers might send ../../../etc/passwd or
> something. Another common bypass is if the application checks if the
> filename endsWith( ".pdf" ) or something -- the attacker can bypass
> by sending file.xls%00.pdf.
>
> Is there any restriction on the String returned from the multipart
> request? Could we add some simple restrictions? At a minimum, could
> we add some Javadoc describing the risks?

We don't spell out the risks of using user supplied data directly
anywhere else in the servlet spec so I don't see a need to do so here.
The Javadoc should make clear (although the method name is already
about as clear as it gets) that the filename is provided by the client.

Mark


>
> Thanks,
>
> --Jeff
>
>
> -----Original Message-----
> From: Shing Wai Chan [mailto:shing.wai.chan_at_oracle.com]
> Sent: Friday, February 22, 2013 7:22 PM
> To: jsr340-experts_at_servlet-spec.java.net
> Subject: [jsr340-experts] About SERVLET_SPEC-57
>
> I am looking at http://java.net/jira/browse/SERVLET_SPEC-57 (" Add
> getFileName() method to javax.servlet.http.Part")
>
> It is good to have an API to return the file name. The question is
> the method name.
>
> Is the following good enough?
>
> In javax.servlet.http.Part, add the following API
>
> /**
>  * Return the name of the submitted file.
>  * @return The name of the submitted file as a String
>  */
> String getSubmittedFileName()
>
>
> Thanks.
> Shing Wai Chan
>
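The checks Jeff describes belong on the calling side, since the spec only promises that the value comes from the client. The following is an added example, not code from this thread or from any servlet container: it assumes a hypothetical class name, upload directory and extension allow-list, and feeds constructed client filenames (including the ../../../etc/passwd and file.xls%00.pdf cases from the thread) through a hardened version of the "append the filename to a path" pattern.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;
import java.util.Set;

/** Hardened handling of the value returned by Part.getSubmittedFileName() (added example). */
public final class SubmittedFileNameCheck {

    // Hypothetical allow-list; the container enforces nothing about the name.
    private static final Set<String> ALLOWED_EXTENSIONS = Set.of("pdf");

    /**
     * Reduce the raw client-supplied filename to one safe path component,
     * or throw if it cannot be trusted.
     */
    public static String safeBaseName(String submitted) {
        if (submitted == null || submitted.isEmpty()) {
            throw new IllegalArgumentException("missing filename");
        }
        // Reject NUL and other control characters first: the file.xls%00.pdf
        // bypass only works if a NUL survives to a lower-level API that
        // truncates at it, so an endsWith(".pdf") check done later is safe.
        for (int i = 0; i < submitted.length(); i++) {
            char c = submitted.charAt(i);
            if (c < 0x20 || c == 0x7F) {
                throw new IllegalArgumentException("control character in filename");
            }
        }
        // Some clients send a full path; keep only the last component, splitting
        // on both separators because the client's OS is unknown. This also
        // removes any ../ segments instead of trying to "clean" them.
        int cut = Math.max(submitted.lastIndexOf('/'), submitted.lastIndexOf('\\'));
        String base = submitted.substring(cut + 1).trim();
        if (base.isEmpty() || base.equals(".") || base.equals("..")) {
            throw new IllegalArgumentException("filename has no usable component");
        }
        int dot = base.lastIndexOf('.');
        String ext = dot < 0 ? "" : base.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED_EXTENSIONS.contains(ext)) {
            throw new IllegalArgumentException("extension not allowed: \"" + ext + "\"");
        }
        return base;
    }

    /** Resolve the sanitized name under uploadDir and confirm it stays inside it. */
    public static Path targetPath(Path uploadDir, String submitted) {
        Path root = uploadDir.toAbsolutePath().normalize();
        Path target = root.resolve(safeBaseName(submitted)).normalize();
        // Defence in depth: safeBaseName already returned a single component,
        // but the containment check catches any future regression there.
        if (!root.equals(target.getParent())) {
            throw new IllegalArgumentException("path escapes upload directory");
        }
        return target;
    }

    public static void main(String[] args) {
        Path uploads = Paths.get("/var/app/uploads"); // hypothetical upload directory
        String[] samples = {                          // constructed client inputs
            "report.pdf",
            "C:\\Users\\victim\\Desktop\\report.PDF",
            "../../../etc/passwd",
            "file.xls\u0000.pdf",
            "..",
        };
        for (String s : samples) {
            String shown = s.replace("\u0000", "\\0");
            try {
                System.out.println(shown + " -> " + targetPath(uploads, s));
            } catch (IllegalArgumentException e) {
                System.out.println(shown + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Taking only the last path component, rather than stripping "../" substrings, is deliberate: a filter that removes the sequence can be beaten by inputs such as "....//" that collapse into a traversal after one pass, whereas discarding everything up to the final separator leaves nothing to traverse with.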