From ffd69115864e472aa07e095782065e8f1c94aec2 Mon Sep 17 00:00:00 2001
From: Aron Wieck
Date: Fri, 1 Jul 2016 09:07:40 +0200
Subject: [PATCH] Use constant string instead of user provided file name for DiskFileUpload temp file names.

Motivation:
DiskFileUpload creates temporary files for storing user uploads containing the user provided file name as part of the temporary file name. While most security problems are prevented by using "new File(userFileName).getName()" a small risk for bugs or security issues remains.

Modifications:
Use a constant string as file name and rely on the callers use of File.createTemp to ensure unique disk file names.

Result:
A slight security improvement at the cost of a little more obfuscated temp file names.
---
 .../io/netty/handler/codec/http/multipart/DiskFileUpload.java | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/codec-http/src/main/java/io/netty/handler/codec/http/multipart/DiskFileUpload.java b/codec-http/src/main/java/io/netty/handler/codec/http/multipart/DiskFileUpload.java
index 14ac941612..1a5076f508 100644
--- a/codec-http/src/main/java/io/netty/handler/codec/http/multipart/DiskFileUpload.java
+++ b/codec-http/src/main/java/io/netty/handler/codec/http/multipart/DiskFileUpload.java
@@ -147,8 +147,7 @@ public class DiskFileUpload extends AbstractDiskHttpData implements FileUpload {
 
     @Override
     protected String getDiskFilename() {
-        File file = new File(filename);
-        return file.getName();
+        return "upload";
     }
 
     @Override
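Review bot: The new `return "upload";` in getDiskFilename() carries no comment saying why the user-supplied `filename` field is deliberately not used, so a later maintainer could reintroduce it as the temp-file prefix and undo the hardening. A one-line comment such as `// Fixed prefix on purpose: the user-supplied filename must never reach the filesystem; uniqueness comes from the caller's File.createTempFile()` plus a `private static final String DISK_FILENAME_PREFIX = "upload";` constant would make the intent explicit and keep the string in one place. If the base class really passes this value to `File.createTempFile` as the message says, that API does not restrict permissions on the file it creates the way `java.nio.file.Files.createTempFile` does, so uploads in a shared temp directory may remain readable by other local users — worth checking in AbstractDiskHttpData, which is outside this hunk. With both `File` uses removed here, the `java.io.File` import may now be unused if nothing else in the class references it; the rest of the file is outside the hunk.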