-6

Written in Java. I don't understand why this would be a security problem if fName = ..project/blah/blah.exe

Could this open a possibly malicious file of the same name in a different directory?

String sFileName = request.getParameter("fName");
sFileName = sFileName.replaceAll("/", "\\\\");        // turn every '/' into '\'
sFileName = sFileName.replaceAll("\\.\\.\\\\", "");   // strip the literal sequence "..\"
4

2 Answers

5

If you use sFileName directly, the most obvious problem is that you don't deal with absolute paths. For example, your input could be:

C:\Users\Test\secret.txt

and you'd replace nothing, just open it right away.

Another one would be that the replace itself could create a path that has .. in it. Consider for example ....\\secret.txt that would be replaced to ..\secret.txt.

answered 2012-10-17T04:41:27.820
3

That may be insecure; or, more precisely, the replacements in the post add no security.

Imagine this input:

..../some/sensitive/relativepath

which would produce this output (this is the string value, not a string literal):

..\some\senstive\relativepath

That is, the supplied code does not protect against carefully constructed, e.g. "hacker", input; as demonstrated, bypassing the "relative path removal" is trivial.

It also does not guard against absolute paths:

\some\sensitive\absolutepath
answered 2012-10-17T04:38:57.097
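As an added example (not code from the question or either answer), the question's filter with its escaping corrected so it compiles, run against the inputs both answers describe, beside the check a defender would use instead: resolve the name under a fixed base directory, normalize it, and refuse anything that ends up outside. PathCheck, BASE, questionFilter and resolveSafely are my names, and the path handling assumes a Windows JVM because the page uses backslash paths.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;

public class PathCheck {
    // The question's filter with correct escaping: '/' becomes '\' and each
    // literal occurrence of "..\" is removed once (no looping, no canonicalization).
    static String questionFilter(String fName) {
        String s = fName.replaceAll("/", "\\\\");
        return s.replaceAll("\\.\\.\\\\", "");
    }

    // Hypothetical directory the application intends to serve files from (assumption).
    static final Path BASE = Paths.get("C:\\app\\project").toAbsolutePath().normalize();

    // Defensive check: resolve against BASE, collapse "." and ".." segments, then
    // require the result to still lie under BASE. An absolute input (C:\Users\...)
    // is rejected because resolve() returns it unchanged, and a rootless "\some\path"
    // resolves against BASE's drive root, so it fails the startsWith test as well.
    static Path resolveSafely(String fName) throws IOException {
        Path candidate = BASE.resolve(fName).normalize();
        if (!candidate.startsWith(BASE)) {
            throw new IOException("path escapes base directory: " + fName);
        }
        return candidate;
    }

    public static void main(String[] args) {
        // Constructed inputs taken from the question and the two answers.
        String[] inputs = {
            "..project/blah/blah.exe",        // the question's case: no traversal at all
            "....\\\\secret.txt",             // literal ....\\secret.txt -> filter yields ..\secret.txt
            "..\\..\\secret.txt",             // plain traversal: filter strips it, check rejects it
            "C:\\Users\\Test\\secret.txt",    // absolute path: filter changes nothing
            "\\some\\sensitive\\absolutepath" // rootless absolute path from the second answer
        };
        for (String in : inputs) {
            String filtered = questionFilter(in);
            System.out.println("input        : " + in);
            System.out.println("after filter : " + filtered);
            for (String candidate : new String[] {in, filtered}) {
                try {
                    System.out.println("accepted     : " + resolveSafely(candidate));
                } catch (IOException e) {
                    System.out.println("rejected     : " + e.getMessage());
                }
            }
            System.out.println();
        }
    }
}
```

normalize() plus startsWith() is a purely lexical check; where the base directory can contain junctions or symbolic links, compare toRealPath() results instead so a link cannot point the accepted path outside BASE.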