Cam Morris created WW-3873:
------------------------------
Summary: file tag leaks server path information
Key: WW-3873
URL: https://issues.apache.org/jira/browse/WW-3873
Project: Struts 2
Issue Type: Bug
Affects Versions: 2.3.4.1, 2.3.4
Environment: Linux, weblogic 10-12, tomcat 7
Reporter: Cam Morris
Priority: Minor
After a fileupload action, if the result jsp contains a <s:file> tag the value
attribute is filled in with the server path where the file was saved. This
discloses file system information about the server.
To duplicate:
1. Set up the struts2_showcase sample app
2. Change struts-fileupload.xml from this
{code}
<action name="doUpload"
class="org.apache.struts2.showcase.fileupload.FileUploadAction" method="upload">
<result name="input">upload.jsp</result>
<result>upload-success.jsp</result>
</action>
{code}
to this
{code}
<action name="doUpload"
class="org.apache.struts2.showcase.fileupload.FileUploadAction" method="upload">
<result name="input">upload.jsp</result>
<result>upload.jsp</result>
</action>
{code}
3. Deploy and upload a file using the URL struts2-showcase/fileupload/upload.action
4. View source; in the input tag generated by the s:file tag you'll see the
full path to the file that was uploaded.
{code}
<input type="file" name="upload"
value="/home/cmorris/Workspace/struts2-examples/.metadata/.plugins/org.eclipse.wst.server.core/tmp0/work/Catalina/localhost/struts2-showcase/upload__1bd5a0ad_13997105f96__8000_00000002.tmp"
id="doUpload_upload"/>
{code}
Workaround:
A workaround is simple, just add an empty value attribute to the file tag:
{code}
<s:file name="upload" label="File" value=""/>
{code}
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
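A regression check for the symptom described in this report, added here as an example and not part of the JIRA issue or of Struts itself: it scans rendered HTML for any `<input type="file">` whose `value` attribute is populated. The two sample pages are constructed; the leaking one reuses the markup quoted in the report, the other shows the same tag once `value=""` is set on `<s:file>`.

```python
# Added example (not from the report or the Struts project): flag rendered
# <input type="file"> elements that carry a non-empty value attribute, which
# is how the server-side path leaked in WW-3873.
from html.parser import HTMLParser


class FileInputScanner(HTMLParser):
    """Collects (name, value) for every <input type="file"> with a value."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser routes self-closing <input .../> through here as well.
        if tag.lower() != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("type", "").lower() == "file" and a.get("value", "") != "":
            self.findings.append((a.get("name", ""), a["value"]))


def leaked_file_inputs(html):
    """Return a list of (name, value) for file inputs that expose a value."""
    scanner = FileInputScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample pages. LEAKED_PATH is the path quoted in the report.
LEAKED_PATH = ("/home/cmorris/Workspace/struts2-examples/.metadata/.plugins/"
               "org.eclipse.wst.server.core/tmp0/work/Catalina/localhost/"
               "struts2-showcase/upload__1bd5a0ad_13997105f96__8000_00000002.tmp")

LEAKING_PAGE = (
    '<form>\n<input type="file" name="upload"\n'
    'value="' + LEAKED_PATH + '"\n'
    'id="doUpload_upload"/>\n</form>'
)

# What the same tag renders to with the workaround (<s:file ... value=""/>).
FIXED_PAGE = (
    '<form>\n<input type="file" name="upload" value="" '
    'id="doUpload_upload"/>\n</form>'
)


if __name__ == "__main__":
    for label, page in (("leaking", LEAKING_PAGE), ("fixed", FIXED_PAGE)):
        print(label, leaked_file_inputs(page))
```

Run it against the HTML returned by the upload result page (for example, fetched in an integration test) and fail the build when the returned list is non-empty; browsers ignore a value on file inputs anyway, so no legitimate rendering needs one.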