[Esapi-user] getValidFile bug (ESAPI 2.0, at least)

Jim Manico jim.manico at owasp.org
Wed Aug 4 19:04:55 EDT 2010


I see a bug in the getValidFile validator function. The error message for
getValidFileName should not use the ESAPI configured extension exclusion
list (underlined below), but instead should use the allowedExtensions
function argument. Fair?

 

    public String getValidFileName(String context, String input,
            List<String> allowedExtensions, boolean allowNull)
            throws ValidationException, IntrusionException {
        String canonical = "";
        // detect path manipulation
        try {
            if (isEmpty(input)) {
                if (allowNull) return null;
                throw new ValidationException( context + ": Input file name required",
                        "Input required: context=" + context + ", input=" + input, context );
            }
            // do basic validation
            canonical = new File(input).getCanonicalFile().getName();
            getValidInput( context, input, "FileName", 255, true );
            File f = new File(canonical);
            String c = f.getCanonicalPath();
            String cpath = c.substring(c.lastIndexOf(File.separator) + 1);
            // the path is valid if the input matches the canonical path
            if (!input.equals(cpath)) {
                throw new ValidationException( context + ": Invalid file name",
                        "Invalid directory name does not match the canonical path: context=" + context
                        + ", input=" + input + ", canonical=" + canonical, context );
            }
        } catch (IOException e) {
            throw new ValidationException( context + ": Invalid file name",
                    "Invalid file name does not exist: context=" + context + ", canonical=" + canonical,
                    e, context );
        }
        // verify extensions
        Iterator<String> i = allowedExtensions.iterator();
        while (i.hasNext()) {
            String ext = i.next();
            if (input.toLowerCase().endsWith(ext.toLowerCase())) {
                return canonical;
            }
        }
        // the message discussed above: it reports the globally configured
        // extension list, not the allowedExtensions argument that was checked
        throw new ValidationException( context + ": Invalid file name does not have valid extension ( "
                + ESAPI.securityConfiguration().getAllowedFileExtensions() + ")",
                "Invalid file name does not have valid extension ( "
                + ESAPI.securityConfiguration().getAllowedFileExtensions() + "): context="
                + context + ", input=" + input, context );
    }
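The following is an added, standalone Java sketch (not ESAPI code and not from the post) of the same file-name check with the extension error built from the per-call allowedExtensions argument, as the post proposes. The ValidationException class, the CONFIGURED_EXTENSIONS list and the sample file names are all constructed for the demo; the real ESAPI method also calls getValidInput and rethrows with the ESAPI exception signatures, which are omitted here.

```java
import java.io.File;
import java.io.IOException;
import java.util.Arrays;
import java.util.List;

public class FileNameValidationDemo {

    // Hypothetical stand-in for ESAPI's ValidationException (user message + log message).
    public static class ValidationException extends Exception {
        public ValidationException(String userMessage, String logMessage) {
            super(userMessage + " [" + logMessage + "]");
        }
    }

    // Hypothetical stand-in for the globally configured list. It deliberately differs
    // from the per-call list so the demo shows which one the caller would have seen.
    static final List<String> CONFIGURED_EXTENSIONS = Arrays.asList(".zip", ".doc");

    public static String getValidFileName(String context, String input,
            List<String> allowedExtensions, boolean allowNull) throws ValidationException {
        if (input == null || input.trim().isEmpty()) {
            if (allowNull) return null;
            throw new ValidationException(context + ": Input file name required",
                    "Input required: context=" + context + ", input=" + input);
        }
        String canonical;
        try {
            // Keep only the last path component of the canonical form. Requiring it to
            // equal the raw input rejects any separator, "." or ".." in the input.
            canonical = new File(input).getCanonicalFile().getName();
        } catch (IOException e) {
            throw new ValidationException(context + ": Invalid file name",
                    "Cannot canonicalize: context=" + context + ", input=" + input);
        }
        if (!input.equals(canonical)) {
            throw new ValidationException(context + ": Invalid file name",
                    "Input does not match canonical name: context=" + context
                    + ", input=" + input + ", canonical=" + canonical);
        }
        for (String ext : allowedExtensions) {
            if (input.toLowerCase().endsWith(ext.toLowerCase())) {
                return canonical;
            }
        }
        // The change from the post: report the list this call actually checked.
        throw new ValidationException(
                context + ": Invalid file name does not have valid extension ("
                + allowedExtensions + ")",
                "Invalid file name does not have valid extension ("
                + allowedExtensions + "): context=" + context + ", input=" + input);
    }

    public static void main(String[] args) {
        List<String> allowed = Arrays.asList(".pdf", ".txt");
        // Constructed sample inputs: valid, path traversal, disallowed extension.
        for (String name : new String[] {"report.pdf", "../etc/passwd", "shell.jsp"}) {
            try {
                System.out.println(name + " -> accepted as "
                        + getValidFileName("upload", name, allowed, false));
            } catch (ValidationException e) {
                System.out.println(name + " -> rejected: " + e.getMessage());
            }
        }
        System.out.println("The original message would instead have listed "
                + CONFIGURED_EXTENSIONS + ", which this call never consulted.");
    }
}
```

Run with `javac FileNameValidationDemo.java && java FileNameValidationDemo`. The traversal input is rejected by the canonical-name comparison before the extension loop is reached, and the disallowed extension is reported against [.pdf, .txt], the list the caller passed, rather than against whatever the global configuration happens to contain.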