[OWASP-ESAPI] Suggestions from the field...
craig.younkins at owasp.org
Sun Dec 27 13:39:30 EST 2009
Jeff and I discussed this once upon a time. The following is what is in
ESAPI on Python.
For *filename, we decided that to be a valid filename, the input must
- Be well formed, including validating against the Filename regex
- Have an extension in allowed_extensions, or, if that list is None, in
the list defined by
This method could be used in multiple locations, including when a file is to
be uploaded to the server from a client, or the server is doing something
with a file on its local disk. The list of extensions should be a parameter
to this method because of how context-specific it is. Different forms on a
site, for example, will likely have different restrictions on the extension.
Note this does not validate the file exists on disk.
For *directoryPath, we decided that to be a valid directory, the input must
- Match the canonicalized input
- Exist on disk
- Be a directory
- Be a subdirectory of the parent_dir parameter, a full path to a parent
directory, which must also exist and be a directory
This method would only be used when validating directory paths on the
server's filesystem. An extra parameter should be added as a master parent
directory. This would ensure all operations, such as file uploads, occurred
in a subdirectory of the given parent directory.
I still think this is a very good way of doing it. A combined directory and
file checker may be added, but I am less interested in that for its small
Mobile: (301) 520-0463
On Mon, Dec 21, 2009 at 9:03 PM, Kevin W. Wall <kevin.w.wall at gmail.com> wrote:
> Jim Manico wrote:
> > The getValidFileName method does not validate that the file exists
> > within a specified safe parent directory. This protection is provided
> > in the getValidDirectoryPath method. This seems like a critical
> > vulnerability to protect against for filePaths....
> > How about adding a new getValidFilePath method that provides this
> > protection?
> > You like?
> Yes, I like, but IIRC, I think this is one of those places where
> symbolic links can bite you in the @rse. I think Java returns the
> physical path rather than the logical path.
> Kevin W. Wall
> "The most likely way for the world to be destroyed, most experts agree,
> is by accident. That's where we come in; we're computer professionals.
> We cause accidents." -- Nathaniel Borenstein, co-creator of MIME
> OWASP-ESAPI mailing list
> OWASP-ESAPI at lists.owasp.org
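An added Python sketch of the two validators described in this thread (example code, not ESAPI on Python's actual implementation). The filename regex and default extension list are assumptions; the directory check canonicalizes with os.path.realpath, so a symlink that points outside the parent no longer matches its input and is rejected, which is the physical-path behaviour Kevin raises. The demo builds a constructed layout in a temporary directory.

```python
import os
import re
import tempfile

# Assumed for this example (not ESAPI's own values): a strict filename pattern
# and the default extension list used when allowed_extensions is None.
FILENAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")
DEFAULT_EXTENSIONS = (".txt", ".pdf", ".png")

def get_valid_filename(value, allowed_extensions=None):
    """Well formed per FILENAME_RE and has an allowed extension; no disk check."""
    if not isinstance(value, str) or not FILENAME_RE.match(value):
        raise ValueError("filename not well formed: %r" % (value,))
    exts = DEFAULT_EXTENSIONS if allowed_extensions is None else allowed_extensions
    if os.path.splitext(value)[1].lower() not in [e.lower() for e in exts]:
        raise ValueError("extension not allowed: %r" % (value,))
    return value

def get_valid_directory_path(value, parent_dir):
    """Canonical, exists, is a directory, under parent_dir; realpath() resolves symlinks."""
    parent = os.path.realpath(parent_dir)
    if not os.path.isdir(parent):
        raise ValueError("parent_dir is not an existing directory")
    if not isinstance(value, str) or os.path.realpath(value) != value:
        raise ValueError("path is not canonical: %r" % (value,))
    if not os.path.isdir(value):
        raise ValueError("not an existing directory: %r" % (value,))
    if not value.startswith(parent + os.sep):
        raise ValueError("path escapes parent_dir: %r" % (value,))
    return value

def accepted(check, *args):
    try:
        check(*args)
        return True
    except ValueError:
        return False

def demo_directory_checks():
    # Constructed layout in a temp dir: parent/sub, outside, and parent/link -> outside
    base = os.path.realpath(tempfile.mkdtemp())
    parent, sub, outside = [os.path.join(base, n) for n in ("parent", "parent/sub", "outside")]
    os.makedirs(sub)
    os.mkdir(outside)
    os.symlink(outside, os.path.join(parent, "link"))
    return {
        "good_subdir": accepted(get_valid_directory_path, sub, parent),
        "dotdot_traversal": accepted(get_valid_directory_path, os.path.join(sub, "..", "..", "outside"), parent),
        "symlink_escape": accepted(get_valid_directory_path, os.path.join(parent, "link"), parent),
    }
```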