Uploading files with apostrophe in filename
Question
I'm currently having a problem uploading files to the server that have an apostrophe in the file name. For example O'Connell.doc The form works perfectly when there is no apostrophe in the filename. I get a 500 Internal server error when an apostrophe is used. It gets to form.php?p=apply Seems like the form is submitted and then immediately fails. Any ideas where to look? Thanks!
2 answers
solution1
1 2013-10-25 17:31:11
Just jumping in here, I ran into a similar issue, it turned out that my hosting / server had "mod_security" activated, which was blocking the file by default. I'm looking into a solution that will rewrite the file name before processing, it seems like either that or mod_security would need to be disabled.
solution2
0 2013-08-26 19:30:09
It sounds like your form is vulnerable to a Code Injection attack. The apostrophe is being interpreted when the file is being processed and then you are getting some sort of error from that failure.
All user input needs to be sanitized to all interpreters that it will go through. The ideal is that user input is never interpreted, only stored or called. So rather than calling a shell on the input, use exec or something on the exact executable and arguments you want.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.