[ https://issues.apache.org/jira/browse/WW-3873?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Rene Gielen updated WW-3873:
----------------------------
    Comment: was deleted

(was: I will be out of the office until July 5th

On Jul 5, 2013, at 1:29 AM, "Rene Gielen (JIRA)" <j...@apache.org> wrote:

[ https://issues.apache.org/jira/browse/WW-3873?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rene Gielen updated WW-3873:
----------------------------
    Assignee: Rene Gielen

file tag leaks server path information
--------------------------------------

Key: WW-3873
URL: https://issues.apache.org/jira/browse/WW-3873
Project: Struts 2
Issue Type: Bug
Affects Versions: 2.3.4, 2.3.4.1
Environment: Linux, weblogic 10-12, tomcat 7
Reporter: Cam Morris
Assignee: Rene Gielen
Priority: Minor
Fix For: 2.3.16
Attachments: file-leak.png

After a fileupload action, if the result jsp contains a <s:file> tag the value attribute is filled in with the server path where the file was saved. This discloses file system information about the server.

To duplicate:
1) setup the struts2_showcase sample app
2) change struts-fileupload.xml from this
{code}
<action name="doUpload"
        class="org.apache.struts2.showcase.fileupload.FileUploadAction"
        method="upload">
    <result name="input">upload.jsp</result>
    <result>upload-success.jsp</result>
</action>
{code}
to this
{code}
<action name="doUpload"
        class="org.apache.struts2.showcase.fileupload.FileUploadAction"
        method="upload">
    <result name="input">upload.jsp</result>
    <result>upload.jsp</result>
</action>
{code}
3) Deploy & Upload file using the url struts2-showcase/fileupload/upload.action
4) View source, in the input tag generated by the s:file tag you'll see the full path to the file that was uploaded.
{code}
<input type="file" name="upload" value="/home/cmorris/Workspace/struts2-examples/.metadata/.plugins/org.eclipse.wst.server.core/tmp0/work/Catalina/localhost/struts2-showcase/upload__1bd5a0ad_13997105f96__8000_00000002.tmp" id="doUpload_upload"/>
{code}

Workaround:
A workaround is simple, just add an empty value attribute to the file tag:
{code}
<s:file name="upload" label="File" value=""/>
{code}

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
)
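
A regression check for the leak described in this issue, as an added example that is not part of the JIRA message or of the Struts code base: it scans rendered HTML for file inputs whose value attribute is populated and flags values that look like filesystem paths. The names `audit_file_inputs`, `FileInputAudit` and `PATH_RE` are hypothetical, and the `CLEAN` sample is constructed.

```python
import re
from html.parser import HTMLParser

# Absolute Unix path, Windows drive path, or UNC path (heuristic, assumed here).
PATH_RE = re.compile(r"^(/|[A-Za-z]:[\\/]|\\\\)")


class FileInputAudit(HTMLParser):
    """Collect <input type="file"> elements rendered with a non-empty value."""

    def __init__(self):
        super().__init__()
        self.findings = []

    # Self-closing tags (<input ... />) reach this method through the
    # default handle_startendtag implementation.
    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("type", "").lower() != "file":
            return
        value = a.get("value", "").strip()
        if value:
            self.findings.append({
                "name": a.get("name", ""),
                "value": value,
                "looks_like_path": bool(PATH_RE.match(value)),
            })


def audit_file_inputs(html):
    """Return one finding per file input that carries a value."""
    parser = FileInputAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Rendered tag exactly as quoted in the report above.
LEAKY = ('<input type="file" name="upload" value="/home/cmorris/Workspace/'
         'struts2-examples/.metadata/.plugins/org.eclipse.wst.server.core/'
         'tmp0/work/Catalina/localhost/struts2-showcase/'
         'upload__1bd5a0ad_13997105f96__8000_00000002.tmp" id="doUpload_upload"/>')
# Constructed sample: a file input that carries no value.
CLEAN = '<input type="file" name="upload" value="" id="doUpload_upload"/>'

if __name__ == "__main__":
    for finding in audit_file_inputs(LEAKY + CLEAN):
        print(finding)
```

Run against the page returned after an upload, any finding with `looks_like_path` set means the result view is echoing the server-side temp file location.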