Use constant string instead of user provided file name for DiskFileUpload temp file names.
Motivation:
DiskFileUpload creates temporary files for storing user uploads containing the user-provided file name as part of the temporary file name. While most security problems are prevented by using "new File(userFileName).getName()", a small risk for bugs or security issues remains.

Modifications:
Use a constant string as file name and rely on the callers' use of File.createTemp to ensure unique disk file names.

Result:
A slight security improvement at the cost of a little more obfuscated temp file names.
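The two naming strategies side by side, as an added example that is not part of this commit or of Netty's code base. It feeds a few constructed Content-Disposition file names through the old `new File(name).getName()` step and through the new constant, then hands each result to `File.createTempFile` the way the commit message says the caller does. The page only says the name becomes "part of the temporary file name"; this demo assumes it is passed as the prefix argument, so the short-name cases apply only under that assumption, while the over-long and backslash cases apply in either position. The class and helper names are the author's own.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;

/** Compares user-derived vs. constant temp-file names (example, not Netty code). */
public class UploadTempNameDemo {

    /** Old strategy from the removed lines: strip any directory part from the user name. */
    static String prefixFromUserName(String userFilename) {
        return new File(userFilename).getName();
    }

    /** New strategy: the user name plays no part in the on-disk name. */
    static String constantPrefix() {
        return "upload";
    }

    /**
     * Mimics the caller's File.createTempFile(...) step (assumption: the value is used as
     * the prefix). Returns the created name, or the failure, so the demo never aborts early.
     */
    static String tryCreate(String prefix, File dir) {
        try {
            File f = File.createTempFile(prefix, ".tmp", dir);
            String created = f.getName();
            f.delete();
            return "ok: " + created;
        } catch (IllegalArgumentException | IOException e) {
            // IllegalArgumentException: prefix shorter than 3 chars; IOException: OS refused the name.
            return "failed: " + e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) throws IOException {
        File dir = Files.createTempDirectory("upload-demo").toFile();
        // Constructed sample inputs, chosen to stress the getName()-based strategy.
        String[] userNames = {
            "report.pdf",              // ordinary name
            "../../etc/passwd",        // traversal: getName() strips the directory part
            "ab",                      // legal name, but createTempFile needs a prefix of >= 3 chars
            "",                        // empty filename= parameter
            "..\\..\\x.txt",           // backslashes are not separators on POSIX, so getName() keeps them
            "a".repeat(300) + ".bin",  // longer than the usual 255-byte file name limit (Java 11+ repeat)
        };
        for (String name : userNames) {
            String shown = name.length() > 24 ? name.substring(0, 24) + "..." : name;
            System.out.printf("%-30s old: %s%n", "\"" + shown + "\"", tryCreate(prefixFromUserName(name), dir));
            System.out.printf("%-30s new: %s%n", "", tryCreate(constantPrefix(), dir));
        }
        dir.delete();
    }
}
```

On a typical Linux JVM the constant strategy succeeds for every input, whereas the user-derived strategy is expected to fail for the two short names (prefix too short) and for the 300-character name (the filesystem rejects it); the exact outcome of the long name depends on the filesystem's name limit. The traversal case is handled by both, which is the "most security problems are prevented" part of the commit message; the remaining failures are the "small risk for bugs" it refers to.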
parent 5a2d04684e
commit ffd6911586
@ -147,8 +147,7 @@ public class DiskFileUpload extends AbstractDiskHttpData implements FileUpload {
@Override
protected String getDiskFilename() {
File file = new File(filename);
return file.getName();
return "upload";
}
@Override
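Review bot: the new `return "upload";` in `getDiskFilename()` is missing a comment saying that the constant is intentional and that uniqueness of the on-disk name is left to the caller's temp-file creation; without it a later reader may "restore" the user-supplied name that the removed `File file = new File(filename); return file.getName();` lines used. A one-line comment above the method, matching the Modifications paragraph of the commit message, would close that gap. Since those removed lines were the only use of `File` visible in this hunk, also check whether the `java.io.File` import is still needed elsewhere in the class.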