[OWASP-ESAPI] Suggestions from the field...

Craig Younkins craig.younkins at owasp.org
Sun Dec 27 13:39:30 EST 2009


Jeff and I discussed this once upon a time. The following is what is in
ESAPI on Python.

For *filename, we decided that to be a valid filename, the input must
  - Be well formed, including validating against the Filename regex
  - Have an extension in allowed_extensions, or, if that list is None, in
the list defined by
ESAPI.security_configuration().get_allowed_file_extensions()

This method could be used in multiple locations, including when a file is to
be uploaded to the server from a client, or the server is doing something
with a file on its local disk. The list of extensions should be a parameter
to this method because of how context-specific it is. Different forms on a
site, for example, will likely have different restrictions on the extension.
Note this does not validate the file exists on disk.

For *directoryPath, we decided that to be a valid directory, the input must
  - Match the canonicalized input
  - Exist on disk
  - Be a directory
  - Be a subdirectory of the parent_dir parameter, a full path to a parent
directory, which must also exist and be a directory

This method would only be used when validating directory paths on the
server's filesystem. An extra parameter should be added as a master parent
directory. This would ensure all operations, such as file uploads, occurred
in a subdirectory of the given parent directory.

-----

I still think this is a very good way of doing it. A combined directory and
file checker may be added, but I am less interested in that for its small
utility.

--

Craig Younkins
Mobile: (301) 520-0463
Website/Blog <http://cyounkins.blogspot.com/>


On Mon, Dec 21, 2009 at 9:03 PM, Kevin W. Wall <kevin.w.wall at gmail.com> wrote:

> Jim Manico wrote:
> > The getValidFileName method does not validate that the file exists
> > within a specified safe parent directory.  This protection is provided
> > in the getValidDirectoryPath method.  This seems like a critical
> > vulnerability to protect against for filePaths....
> >
> > How about adding a new getValidFilePath method that provides this
> > protection?
> >
> > You like?
>
> Yes, I like, but IIRC, I think this is one of those places where
> symbolic links can bite you in the @rse.  I think Java returns the
> physical path rather than the logical path.
>
> -kevin
> --
> Kevin W. Wall
> "The most likely way for the world to be destroyed, most experts agree,
> is by accident. That's where we come in; we're computer professionals.
> We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME
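The filename and directory rules described above, worked through as an added Python example (this is not code from ESAPI on Python or from anyone in the thread). The regex, the default extension list standing in for get_allowed_file_extensions(), and the temporary directory layout are assumptions constructed for the demo; canonicalization uses os.path.realpath, which resolves symlinks, so Kevin's symlink case is the one the "matches canonical input" rule catches.

```python
import os
import re
import tempfile

# Constructed for this example: a conservative filename regex and a stand-in for
# ESAPI.security_configuration().get_allowed_file_extensions(); not ESAPI's values.
FILENAME_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,254}$")
DEFAULT_EXTENSIONS = (".txt", ".pdf", ".png")


def is_valid_filename(name, allowed_extensions=None):
    # Well formed per the regex (no path separators, no leading dot) and the
    # extension is in the supplied list, or the configured default when None.
    # Existence on disk is deliberately not checked.
    if not FILENAME_RE.match(name):
        return False
    exts = DEFAULT_EXTENSIONS if allowed_extensions is None else allowed_extensions
    ext = os.path.splitext(name)[1].lower()
    return ext != "" and ext in {e.lower() for e in exts}


def is_valid_directory_path(path, parent_dir):
    # parent_dir must itself exist and be a directory.
    parent = os.path.realpath(parent_dir)
    if not os.path.isdir(parent):
        return False
    # realpath resolves symlinks, so a link that points outside parent_dir no
    # longer equals its own canonical form and is rejected (Kevin's concern).
    canonical = os.path.realpath(path)
    if canonical != path or not os.path.isdir(canonical):
        return False
    # Strict subdirectory: the parent itself and anything outside it fail.
    return canonical.startswith(parent + os.sep)


def demo():
    # Constructed layout: parent/uploads is a real subdirectory, parent/escape is
    # a symlink to a directory outside parent. Returns each check's verdict.
    root = os.path.realpath(tempfile.mkdtemp())
    parent, outside = os.path.join(root, "parent"), os.path.join(root, "outside")
    uploads, link = os.path.join(parent, "uploads"), os.path.join(parent, "escape")
    os.makedirs(uploads)
    os.makedirs(outside)
    os.symlink(outside, link)
    return {
        "uploads": is_valid_directory_path(uploads, parent),
        "symlink": is_valid_directory_path(link, parent),
        "dotdot": is_valid_directory_path(os.path.join(uploads, "..", "uploads"), parent),
        "parent_itself": is_valid_directory_path(parent, parent),
        "outside": is_valid_directory_path(outside, parent),
    }
```

Only the "uploads" entry returned by demo() is True; the symlink, the "..", the parent itself and the outside directory are all rejected.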