Use constant string instead of user provided file name for DiskFileUpload temp file names.

Motivation:

DiskFileUpload creates temporary files for storing user uploads containing the user provided file name as part of the temporary file name. While most security problems are prevented by using "new File(userFileName).getName()" a small risk for bugs or security issues remains.

Modifications:

Use a constant string as file name and rely on the callers use of File.createTemp to ensure unique disk file names.

Result:

A slight security improvement at the cost of a little more obfuscated temp file names.
This commit is contained in:
Aron Wieck 2016-07-01 09:07:40 +02:00 committed by Scott Mitchell
parent 5a2d04684e
commit ffd6911586

View File

@ -147,8 +147,7 @@ public class DiskFileUpload extends AbstractDiskHttpData implements FileUpload {
@Override
protected String getDiskFilename() {
File file = new File(filename);
return file.getName();
return "upload";
}
@Override