Christopher Schultz wrote:
... (RFC references) ..

Thanks for that post (with the chain of applicable RFCs). I will keep that email preciously as a resource for future file upload debugging references.
...

Also, to add to the potential OP woes, there is also the fact that some browsers send the filename, and others send the full path of the file.


I would hope that the OP was putting these files in some known root, so
that uploading /etc/passwd wouldn't overwrite /etc/passwd,

(I wrote "> /etc/passwd" as the filename)

and that file permissions wouldn't allow this, either. Also, unlike Perl,
having a pipe in a filename isn't a problem in Java :)

But it /may/ still be a problem if, after uploading the file and duly writing it into a directory, that directory is then later scanned by some separate (non-Java) program or script (whatever language it may be written in, even, God forbid, perl) with the purpose of actually doing something with these files.

There may be a lot of potential there:

# naive post-processing pass over the upload directory
for ff in /mydir/* ; do
  # ${ff##*/} keeps only the file name; ${ff} would be the full /mydir/... path
  mv "$ff" "/otherdir/${ff##*/}.new"
done
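A defensive counterpart to the loop above, added here as an example and not taken from the thread or from Tomcat: it strips any client-supplied path (browsers sending a full path, with / or \, as noted earlier), reduces the name to a conservative character set, and moves the files with quoting and `--` so that a name such as `> /etc/passwd`, `a|b` or `-rf` is never interpreted by the shell or by mv. The directory names, the sanitising policy and the sample file names are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Assumes two hypothetical
# directories passed as arguments and a conservative file-name policy.

# sanitize_name NAME: drop any directory part (POSIX or Windows style), then
# keep only [A-Za-z0-9._-]; names that are empty or start with '-' or '.'
# get an 'f_' prefix so they can never look like an option or a dotfile.
sanitize_name() {
  name=$(printf '%s' "$1" | tr '\\' '/')   # normalise backslashes to slashes
  name=${name##*/}                          # strip everything up to the last slash
  name=$(printf '%s' "$name" | tr -c 'A-Za-z0-9._-' '_')
  case $name in
    ''|-*|.*) name="f_$name" ;;
  esac
  printf '%s\n' "$name"
}

# move_uploads SRC DST: move every entry of SRC (dotfiles included) into DST
# under a sanitised name, without overwriting an existing target.
move_uploads() {
  src=$1
  dst=$2
  for ff in "$src"/* "$src"/.[!.]* "$src"/..?*; do
    [ -e "$ff" ] || continue              # unmatched glob patterns stay literal in sh
    base=$(sanitize_name "${ff##*/}")
    target="$dst/$base.new"
    n=0
    while [ -e "$target" ]; do            # two hostile names may collapse to one
      n=$((n + 1))
      target="$dst/$base.$n.new"
    done
    # '--' ends option parsing; the quotes keep '>' and '|' as plain characters
    mv -- "$ff" "$target"
  done
}

# demo: constructed hostile file names in a temporary directory
demo() {
  work=$(mktemp -d)
  mkdir "$work/in" "$work/out"
  : > "$work/in/> passwd"          # would be a redirection if ever unquoted
  : > "$work/in/a|b"               # would be a pipe if ever unquoted
  : > "$work/in/-rf"               # would be parsed as options without '--'
  : > "$work/in/report final.txt"  # ordinary name with a space
  move_uploads "$work/in" "$work/out"
  ls -A "$work/out"
  rm -rf "$work"
}

demo
```

Run it with no arguments to see the four sanitised names (`__passwd.new`, `a_b.new`, `f_-rf.new`, `report_final.txt.new`) land in the output directory; in a real deployment the same `sanitize_name` policy would be applied at upload time as well, so the directory never holds hostile names in the first place.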


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
