Java 修复路径操作错误

Disclaimer: this page is a Chinese-English parallel translation of a popular StackOverflow question, licensed under CC BY-SA 4.0. If you use it you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original author (not me): StackOverflow original address: http://stackoverflow.com/questions/9745896/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverflow

Time: 2020-08-16 07:03:43  Source: igfitidea

Fixing Path Manipulation error

Tags: java, validation, fortify

Asked by Mike

Fortify is giving a Path Manipulation error on the line where the new File(path) comparison is made. I'm using Struts 2.

Can anyone tell me how to fix this issue so that Fortify won't give this error?

private boolean filePresent(String fileName) {
    if (fileName != null) {
        String path = getDirPath();
        if (path != null) {
            path = path.endsWith("/") ? path : path + "/";
            path = path + fileName;
            if (new File(path).exists()) {
                setFileName(fileName);
                return true;
            }
        }
    }
    return false;
}

I need to see whether the file is present or not on our web server, and hence I'm passing the file name as an argument, getting the entire directory path from web.xml, appending the file name to it, then composing the path and checking it against a File object to see if it is present or not.

Answered by Douglas Held

You don't want the remote web user to see whether C:/Windows/System32 exists, or whether /etc/hosts exists, because that allows them to do forensic research on your server.

You probably didn't realize that your function allows them to do just that, by including an appropriate number of ".." sequences in the input string.

There are two ways to stop the problem:

  1. Whitelist approach. Scrub all the characters in the input parameter and only allow "a" through "z" and perhaps ".". Throw an exception if the input falls outside of these bounds.

  1a. Or, if you know the list of valid files is less than 20, just list them out, and if the input doesn't make an exact match, throw an exception.

  2. Blacklist approach. Check the input and throw an exception if it contains any ".." sequence or any forward slashes or backslashes. This is GENERALLY not a defense in depth, but for your function as I read it right now, this would be OK.
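
The following is an added example (editor's code, not the questioner's or the answerer's) that applies approach 1 and approach 1a from this answer to the filePresent() method in the question, and adds a canonical-path containment check as a second layer so that the resolved file must still sit directly inside the configured directory. The constructor takes the base directory as a parameter where the original read it from web.xml via getDirPath(); the class name, the regular expression, the KNOWN_FILES names and the inputs in main() are all assumptions for illustration.

```java
import java.io.File;
import java.io.IOException;
import java.util.Set;
import java.util.regex.Pattern;

/*
 * Added example, not code from the question or the answer: the questioner's
 * filePresent() rewritten with the whitelist approach (1) and the exact-match
 * list (1a) described above, plus a canonical-path containment check as a
 * second layer. The base directory is passed in where the original read it
 * from web.xml via getDirPath(); the set of known file names is made up.
 */
public class SafeFilePresence {

    // Approach 1: whitelist. Lower-case letters, digits, '_' and '-', with at
    // most one extension. No separators and no "..", so no traversal is possible.
    private static final Pattern SAFE_NAME =
            Pattern.compile("[a-z0-9_-]+(\\.[a-z0-9]+)?");

    // Approach 1a: exact-match list, for when the valid names are few and known.
    private static final Set<String> KNOWN_FILES =
            Set.of("report.pdf", "readme.txt");   // assumed names, for illustration

    private final File baseDir;
    private String fileName;

    public SafeFilePresence(String dirPath) throws IOException {
        // Canonicalise once so the later parent comparison is exact.
        this.baseDir = new File(dirPath).getCanonicalFile();
    }

    /** Whitelist check: rejects anything that is not a plain file name. */
    public boolean filePresent(String name) throws IOException {
        if (name == null || !SAFE_NAME.matcher(name).matches()) {
            throw new IllegalArgumentException("invalid file name");
        }
        return existsUnderBase(name);
    }

    /** Exact-match check: only the listed names are ever looked up. */
    public boolean filePresentExact(String name) throws IOException {
        if (name == null || !KNOWN_FILES.contains(name)) {
            throw new IllegalArgumentException("unknown file name");
        }
        return existsUnderBase(name);
    }

    private boolean existsUnderBase(String name) throws IOException {
        File candidate = new File(baseDir, name).getCanonicalFile();
        // Defence in depth: after symlink resolution the file must still sit
        // directly inside baseDir; otherwise refuse even though the name passed.
        if (!baseDir.equals(candidate.getParentFile())) {
            throw new IllegalArgumentException("path escapes the configured directory");
        }
        if (candidate.isFile()) {
            this.fileName = name;   // what the original setFileName(fileName) did
            return true;
        }
        return false;
    }

    public String getFileName() {
        return fileName;
    }

    public static void main(String[] args) throws IOException {
        SafeFilePresence check = new SafeFilePresence(System.getProperty("java.io.tmpdir"));
        String[] inputs = { "readme.txt", "../../etc/hosts", "..\\Windows\\System32", "a..b" };
        for (String input : inputs) {
            try {
                System.out.println(input + " -> present=" + check.filePresent(input));
            } catch (IllegalArgumentException e) {
                System.out.println(input + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

The whitelist alone is what makes Fortify's data flow from the parameter to new File() safe; the parent-directory comparison is there so that a symlink or an unexpected base directory cannot turn a well-formed name into a probe of the file system. Note that candidate.isFile() is used instead of the original exists(), so a directory name is reported as not present.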

Answered by Ponmudi VN

You can even use a filter to do it, like:

in the Filter:

chain.doFilter(new RequestWrapper((HttpServletRequest) request), response);

in the RequestWrapper use something like:

        // The original literal "..\" was unterminated: in Java a backslash escapes
        // the closing quote, so the backslash itself has to be written as "\\".
        // Each replace() runs once over the value and is not re-applied to its result.
        if (value.contains("..\\"))
            value = value.replace("..\\", "");
        if (value.contains("../"))
            value = value.replace("../", "");
        if (value.contains("./"))
            value = value.replace("./", "");
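
As an added example (editor's code, not this answerer's), here is the filter idea implemented so that a parameter containing a traversal sequence causes the request to be refused with HTTP 400, rather than being stripped and passed on. It assumes the javax.servlet API and a filter mapping in web.xml; the class name, the error message and the input in main() are assumptions. The stripOnce() helper reproduces the three replace() calls from the answer only to show one input that survives them.

```java
import java.io.IOException;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Added example, not the answerer's code. A Filter that checks every request
 * parameter (as already decoded by the container) and answers 400 when one
 * contains "..", "/" or "\", instead of stripping the sequence and passing
 * the result on. Assumes the javax.servlet API and a <filter-mapping> in web.xml.
 */
public class PathTraversalRejectFilter implements Filter {

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        for (Map.Entry<String, String[]> entry : req.getParameterMap().entrySet()) {
            for (String value : entry.getValue()) {
                if (containsTraversal(value)) {
                    // Reject the whole request; do not hand a "cleaned" value to the action.
                    ((HttpServletResponse) response).sendError(
                            HttpServletResponse.SC_BAD_REQUEST,
                            "invalid value for parameter " + entry.getKey());
                    return;
                }
            }
        }
        chain.doFilter(request, response);
    }

    /** Blacklist from the first answer: any "..", "/" or "\" is refused outright. */
    static boolean containsTraversal(String value) {
        return value != null
                && (value.contains("..") || value.contains("/") || value.contains("\\"));
    }

    /** The three single-pass replace() calls from this answer, kept to show their weakness. */
    static String stripOnce(String value) {
        return value.replace("..\\", "").replace("../", "").replace("./", "");
    }

    public static void main(String[] args) {
        // "..../\" loses its inner "../" and what remains is "..\": the stripped
        // result is itself a traversal sequence, which is why rejecting beats replacing.
        String tricky = "..../\\Windows\\System32";
        System.out.println(stripOnce(tricky));          // prints ..\Windows\System32
        System.out.println(containsTraversal(tricky));  // prints true
    }
}
```

Map this filter before the Struts 2 dispatcher filter in web.xml so the action never sees the parameter. The check runs on the values the container has already URL-decoded, so a "%2e%2e%2f" in the query string is seen here as "../"; it does not cover values that arrive by other routes, such as path segments, which need their own validation.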