[OWASP-ESAPI] File Content Validation

Jeremy Long jeremy.long at gmail.com
Fri May 15 20:09:41 EDT 2009


I noticed the org.owasp.esapi.SafeFile class within the ESAPI and I started
considering a very difficult security problem - validation of the contents
of standard file types.  If you allow file uploads - forget about viruses -
that can be done by hooking into a virus scanning API from one of the big
companies. How do you know the content of the file is safe (think GIFAR).  I
was told some of the social networks that allow image file upload (and I'm
pretty sure blogspot.com does this) actually load the file into an Image
Object and save the image from the image object (not the originally uploaded
file).  So, loading of images could be fairly easily implemented.  But what
about other common file types?  PDF, XLS, etc.
Anyone have any ideas on validating the content of files?  Would some base
file-content validators be an interesting addition to the ESAPI (with images
being the easiest one)?

--Jeremy Long
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-esapi/attachments/20090515/e130eb4c/attachment.html 


More information about the OWASP-ESAPI mailing list