-1 
If Request.QueryString("ID") = "" Then
                folderDirectory = Global.FileUpload.GetFolderDirectory(Request.QueryString("TFID"))

                If Not File.Exists(folderDirectory + fileName) Then
                    If Not Directory.Exists(folderDirectory) Then
                        Directory.CreateDirectory(folderDirectory)
                    End If

                    Dim bufferSize As Integer = Me.fileUpload.PostedFile.ContentLength
                    Dim buffer As Byte() = New Byte(bufferSize) {}
                    '  write the byte to disk
                    Using fs As New FileStream(Path.Combine(folderDirectory, fileName), FileMode.Create)
                        Dim bytes As Integer = Me.fileUpload.PostedFile.InputStream.Read(buffer, 0, bufferSize)
                        '  write the bytes to the file stream
                        fs.Write(buffer, 0, bytes)
                    End Using
                Else
                    CallOnComplete("error", "", "Error uploading '" & fileName & "'. File has been exists!")
                    Exit Sub
                End If

但是上述示例代码的 Fortify 扫描报告显示Path Manipulation问题很高。我需要帮助修改上面的代码,以便它可以通过强化扫描它在 folderDirectory 向我显示错误

4

1 回答 1

1

通常,当您的代码在 Web 应用程序中运行时,您无法像在本地 PC 上那样使用完整的文件系统。任何一种“路径操纵”都是可疑的。您应该尝试使用Server.MapPath方法重新编码您的作品。特别注意这个警告

For security reasons, the AspEnableParentPaths property has a default value set to FALSE.  
Scripts will not have access to the physical directory structure unless AspEnableParentPaths  
is set to TRUE.
于 2012-04-20T07:48:48.973 回答