[OWASP-ESAPI] File Content Validation
jim.manico at owasp.org
Sat May 16 19:53:54 EDT 2009
My position for safe upload is that you go all the way and do it right
or disable the feature. For esapi to give a partial solution in the
ref impl is dangerous, in my highly opinionated opinion, cause of how
vulnerable it is.
I'd like to see safe upload throw a runtimeException that points to
an OWASP doc explaining how to do this right - which is very complex.
Again, just my opinion. File upload is brutal - one of the difficult
parts of web app sec.
PS: I'm on the beach writing from my iPhone. I didn't realize my last
email was blasting the whole list, sorry.
On May 15, 2009, at 5:22 PM, "Dave Wichers" <dave.wichers at owasp.org>
> It would absolutely be very interesting and a valuable contribution
> to ESAPI. We tried to make it clear in the ESAPI API documentation
> what these methods need to do to be a good implementation, and then
> in the javadoc for our reference implementation we explain what ours
> does, which isn’t that much, and what YOUR IMPLEMENTATION still needs
> to do (including antivirus scanning).
> So, if you wanted to implement some more powerful capabilities that
> we could hook into ESAPI, that would be a great contribution.
> The same idea goes for SafeHTML. ESAPI could have built some
> primitive capabilities but lucky for us, AntiSamy already existed,
> so we simply adopted that as the ESAPI solution which provides far
> more capability than we would have implemented ourselves.
> From: owasp-esapi-bounces at lists.owasp.org [mailto:owasp-esapi-bounces at lists.owasp.org] On Behalf Of Jeremy Long
> Sent: Friday, May 15, 2009 8:10 PM
> To: owasp-esapi at lists.owasp.org
> Subject: [OWASP-ESAPI] File Content Validation
> I noticed the org.owasp.esapi.SafeFile class within the ESAPI and I
> started considering a very difficult security problem - validation
> of the contents of standard file types. If you allow file uploads -
> forget about viruses - that can be done by hooking into a virus
> scanning API from one of the big companies. How do you know the
> content of the file is safe (think GIFAR)? I was told some of the
> social networks that allow image file upload (and I'm pretty sure
> blogspot.com does this) actually load the file into an Image Object
> and save the image from the image object (not the originally
> uploaded file). So, loading of images could be fairly easily
> implemented. But what about other common file types? PDF, XLS, etc.
> Anyone have any ideas on validating the content of files? Would
> some base file-content validators be an interesting addition to the
> ESAPI (with images being the easiest one)?
> --Jeremy Long
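The image re-encoding approach described in the quoted message, as an added example (not ESAPI code and not written by anyone on this thread): the upload is decoded to pixels and a fresh PNG is written from them, so bytes appended after the image data, as in a GIFAR-style file, are not carried into the stored file. The class name, the `MAX_DIM` limit and the sample bytes are assumptions constructed for illustration, and the example covers the image case only.

```java
import java.awt.Graphics2D;
import java.awt.image.BufferedImage;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import javax.imageio.ImageIO;

public class ImageReencode {
    static final int MAX_DIM = 4096; // assumed limit; pick one that fits the application

    /** Decode the upload to pixels and write a new PNG; no original bytes are copied through. */
    static byte[] reencode(byte[] upload) throws IOException {
        BufferedImage decoded = ImageIO.read(new ByteArrayInputStream(upload));
        if (decoded == null) throw new IOException("not a decodable image");
        int w = decoded.getWidth(), h = decoded.getHeight();
        // This check runs after decoding, so it bounds what is stored, not decode cost.
        if (w > MAX_DIM || h > MAX_DIM) throw new IOException("image too large");
        // Draw into a new raster so only pixel data reaches the writer.
        BufferedImage clean = new BufferedImage(w, h, BufferedImage.TYPE_INT_ARGB);
        Graphics2D g = clean.createGraphics();
        g.drawImage(decoded, 0, 0, null);
        g.dispose();
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        if (!ImageIO.write(clean, "png", out)) throw new IOException("no PNG writer");
        return out.toByteArray();
    }

    /** True if needle occurs anywhere in hay. */
    static boolean contains(byte[] hay, byte[] needle) {
        for (int i = 0; i + needle.length <= hay.length; i++)
            if (Arrays.equals(Arrays.copyOfRange(hay, i, i + needle.length), needle)) return true;
        return false;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a valid 8x8 PNG with marker bytes appended after the image data.
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        ImageIO.write(new BufferedImage(8, 8, BufferedImage.TYPE_INT_RGB), "png", buf);
        byte[] trailer = "CONSTRUCTED-TRAILING-DATA".getBytes(StandardCharsets.US_ASCII);
        buf.write(trailer);
        byte[] upload = buf.toByteArray();
        byte[] stored = reencode(upload);
        System.out.println("trailer in upload: " + contains(upload, trailer));
        System.out.println("trailer in stored: " + contains(stored, trailer));
    }
}
```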