HTTP 响应中 HP Fortify 的标头操作问题 [java]
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/38523430/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Header Manipulation issue with HP Fortify in HTTP response [java]
提问by LuDem
I'm trying to fix a "Header Manipulation" issue returned bu HP Fortify Scan for this code. I don't know if files are already validated during upload (I think not). I tried to use a RegEx to validate filename with no success. Anyone can help me?
我正在尝试修复此代码的 HP Fortify Scan 返回的“标题操作”问题。我不知道文件在上传过程中是否已经过验证(我认为没有)。我尝试使用 RegEx 来验证文件名,但没有成功。任何人都可以帮助我吗?
b = uploadedFiles.getFilecontent().getBytes(1,
uploadedFiles.getFilesize().intValue());
if (b != null) {
response.reset();
String fileName = uploadedFiles.getFilename();
String header = "attachment; filename=\"" + fileName + "\"";
String contentType = uploadedFiles.getFilecontenttype();
response.setContentType(uploadedFiles.getFilecontenttype());
response.addHeader("Content-Transfer-Encoding", "Binary");
response.addHeader("Cache-Control", "must-revalidate, private");
response.setContentLength(b.length);
FileCopyUtils.copy(b, response.getOutputStream());
response.getOutputStream().flush();
response.getOutputStream().close();
}
What I tried:
我试过的:
String fileName = uploadedFiles.getFilename();
String regex = "[a-zA-Z._ ]*";
if (b != null && fileName.matches(regex)) {
response.reset();
// String fileName = uploadedFiles.getFilename();
String header = "attachment; filename=\"" + fileName + "\"";
String contentType = uploadedFiles.getFilecontenttype();
response.setContentType(uploadedFiles.getFilecontenttype());
response.addHeader("Content-Transfer-Encoding", "Binary");
response.addHeader("Cache-Control", "must-revalidate, private");
response.setHeader("Content-Disposition", header);
response.setContentLength(b.length);
FileCopyUtils.copy(b, response.getOutputStream());
response.getOutputStream().flush();
response.getOutputStream().close();
}
回答by MedAl
String contentType = uploadedFiles.getFilecontenttype();
response.setContentType(uploadedFiles.getFilecontenttype());
First of all, you could fix a redundancy here. Secondly, the problem may come from the fact that you don't try to validate content-type. What if the content-type had been altered and didn't match the file really is ? Each user input should be sanitized and/or compared to a white list of contents that you actually expect.
首先,您可以在这里修复冗余。其次,问题可能来自于您不尝试验证内容类型的事实。如果内容类型已更改并且与文件不匹配怎么办?每个用户输入都应该经过清理和/或与您实际期望的内容白名单进行比较。
EDIT : idem for the filename. Sanitize this field
编辑:同上filename。清理这个领域
回答by user7363019
You should use a method to filter the sensitive info in
您应该使用一种方法来过滤敏感信息
response.setHeader("Content-Disposition", header)
Just using
只是使用
fileName.matches(regex)
is too simple.
太简单了。
