On 03/03/2013 10:01 PM, Alan Bateman wrote:
On 03/03/2013 20:00, Florian Weimer wrote:
You check that the file ends with ".jpg", so it won't be interpreted by the web server, but the full extension is actually ".php\000.jpg", so you end up writing a ".php" file, which is.
The application have have the path String ".php\000.jpg" but when you create the file (with FileOutputStream or other APIs) then it would be ".php.jpg".
Yes, that's the behavior with dropping, and it does help in this case. (I was arguing against truncation.) But dropping is unsafe, too, as I described in the second paragraph of my message.
Another potential approach is to just fail when attempting to create the file
I think this is what's required. It's what Python has been doing for some time.
but changing File's constructor to throw an exception would be an incompatible change.
I completely agree. I think I've written code myself which relies on the File(String) constructor not looking at the contents of the string. 8-/ -- Florian Weimer / Red Hat Product Security Team