Vulnerability Development mailing list archives
Re: Java questions...
From: Mikael Olsson <mikael.olsson () ENTERNET SE>
Date: Sat, 5 Aug 2000 18:50:37 +0200
Joe Testa wrote:
I wonder if there exist any weaknesses in Java's File and String classes that could be exploited to subvert my 'isSafe()' method. Maybe there is something that could mimic the null-byte problem that PERL's 'open()' call has? Any Java wizards have any ideas?
I don't know the first thing about Java's internal workings, but one suggestion here might be that you be really anal about paths that you approve: Any URL containing /.. or \.. should be thrown away. REMEMBER to do your decoding of escaped characters BEFORE you test this, lest you fall prey to the same vulnerabilities that many others have before you.

You could be even more anal and restrict your set of characters to "a-z", "A-Z", "0-9", "." and "_"; I don't think it would cause any problems, except if you start serving up odd files with spaces in them (YUCK!) and stuff like that. This is a good measure, since you can't know what your underlying OS is going to do to oddball characters like \0xff and company, or wildcards for that matter. What if you run it on some operating system that parses "/webroot/?./secret_files/" as "/webroot/../secret_files", without your Java engine knowing about it? Okay, "?" should be treated separately, but consider "/webroot/*./secret_files" then.

Also, you might want to consider checking for double "/" characters ("//", "\\", "/\", "\/") so that the underlying operating system doesn't parse them as "start over at the root" or something stupid like that, that the Java engine doesn't know about.

And another thing: Does the Java engine know about "..."? If it doesn't, and your OS parses it as "..\..", you'd be into a lot of problems. Checking your path for "/.." and "\.." would take care of that.

Then, after these tests, do your "is it inside the webroot?" check.

Uhm. I can't think of any other paranoia checks right now :)

/Mike

--
Mikael Olsson, EnterNet Sweden AB, Box 393, SE-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-29 92 00 Fax: +46-(0)660-122 50 Mobile: +46-(0)70-66 77 636
WWW: http://www.enternet.se E-mail: mikael.olsson () enternet se
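As an added example (not code from either poster), here is one way to put the checks above in the order the reply recommends: decode first, then reject traversal and odd characters, and only then confirm the target sits under the webroot. The `webroot` argument, the per-segment character whitelist and the modern `java.nio`/`URLDecoder` calls are assumptions for this illustration.

```java
import java.io.File;
import java.io.IOException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

public class SafePath {
    // Whitelist per path segment, taken from the reply: letters, digits, '.' and '_'.
    private static final Pattern SEGMENT = Pattern.compile("[A-Za-z0-9_.]+");

    /**
     * Returns the canonical file for requestedPath if it is safe to serve from webroot,
     * or null if any check fails. (Assumed signature; the original 'isSafe()' is not shown.)
     */
    public static File resolveSafe(File webroot, String requestedPath) throws IOException {
        // 1. Decode percent-escapes BEFORE inspecting anything, so "%2e%2e" or "%00"
        //    cannot slip past a check done on the raw string. Note '+' decodes to a
        //    space here, which the whitelist below then refuses.
        String decoded = URLDecoder.decode(requestedPath, StandardCharsets.UTF_8);

        // 2. Null bytes and backslashes are refused outright: the OS may interpret them
        //    in ways the Java layer does not see ("\..", "..\..", truncation at NUL).
        if (decoded.indexOf('\0') >= 0 || decoded.indexOf('\\') >= 0) return null;

        // 3. Walk the segments: empty segments catch "//" and trailing "/", the regex
        //    catches wildcards and non-ASCII, and the all-dots test catches ".", ".." and
        //    "..." regardless of how the OS would expand them.
        String[] segments = decoded.split("/", -1);
        for (int i = 0; i < segments.length; i++) {
            String seg = segments[i];
            if (i == 0 && seg.isEmpty() && decoded.startsWith("/")) continue; // leading "/"
            if (seg.isEmpty() || !SEGMENT.matcher(seg).matches()) return null;
            if (seg.chars().allMatch(c -> c == '.')) return null;
        }

        // 4. Only now the "is it inside the webroot?" check: canonicalize both sides
        //    (this also follows symlinks) and require the target to be strictly below root.
        File root = webroot.getCanonicalFile();
        File target = new File(root, decoded).getCanonicalFile();
        String rootPrefix = root.getPath() + File.separator;
        return target.getPath().startsWith(rootPrefix) ? target : null;
    }
}
```

A request such as `/docs/%2e%2e/secret.txt` is rejected at step 3 after decoding, while `/docs/index.html` reaches step 4 and is served only if its canonical path starts with the canonical webroot.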