
I am scanning the code using HP Fortify. I am getting a Path Manipulation error when I try to open the file

I am getting the issue when I use "FileSystem.FileOpen". I am posting the code below. I am getting the path from the user and I have already validated the path before opening the file. Still I am getting the same File Manipulation Issue in HP Fortify.

    if ((File.Exists(moFrmIntComplaint.lblFilePath.Text)) && moFrmIntComplaint.lblFilePath.Text.IndexOfAny(System.IO.Path.GetInvalidPathChars()) >= 0)
    {
        sFilePath = moFrmIntComplaint.lblFilePath.Text;
        sFileName = Path.GetFileName(sFilePath);//moFrmIntComplaint.lblFileName.Text;
        sFileDirectory = Path.GetDirectoryName(sFilePath);
    }
    if ((String.IsNullOrEmpty(sFilePath.Trim(' ')) == false) && (File.Exists(moFrmIntComplaint.lblFilePath.Text)) && (moFrmIntComplaint.lblFilePath.Text.IndexOfAny(System.IO.Path.GetInvalidPathChars()) >= 0) && !string.IsNullOrEmpty(moFrmIntComplaint.lblFilePath.Text))
    {
        lFilePtr = FileSystem.FreeFile();
        FileSystem.FileOpen(lFilePtr, sFilePath, OpenMode.Binary, OpenAccess.Read, OpenShare.Default, -1);
        lFileSize = (int)FileSystem.LOF(lFilePtr);

Check your validation logic to see if you can pass a file named:

../../../cmdshell.aspx

or

../../../web.config

Path manipulation is all about redirecting the server to an undesirable location for file reads and writes. Don't rely on filesystem permissions.
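One way to make the check the answer describes explicit, as an added example that is not code from the original question or answer: canonicalize the user-supplied path and confirm it stays under a single allowed directory before opening it. `AllowedRoot`, `ResolveInsideRoot` and the sample file names are hypothetical, and the example assumes the files are meant to live under one root on a case-insensitive (Windows) file system.

```csharp
using System;
using System.IO;

static class SafeFileOpen
{
    // Hypothetical allowed root; the original post does not name one.
    static readonly string AllowedRoot =
        Path.GetFullPath(Path.Combine(Path.GetTempPath(), "complaint-attachments"));

    // Returns the canonical path if it stays inside AllowedRoot, otherwise null.
    public static string ResolveInsideRoot(string userInput)
    {
        if (string.IsNullOrWhiteSpace(userInput)) return null;
        // IndexOfAny returns -1 when no invalid character is present.
        if (userInput.IndexOfAny(Path.GetInvalidPathChars()) >= 0) return null;

        string full;
        try
        {
            // GetFullPath collapses "." and ".." segments. If userInput is rooted,
            // Path.Combine returns it unchanged, so the prefix check below still applies.
            full = Path.GetFullPath(Path.Combine(AllowedRoot, userInput));
        }
        catch (Exception e) when (e is ArgumentException || e is NotSupportedException
                                  || e is PathTooLongException)
        {
            return null;
        }

        // Trailing separator stops "complaint-attachments-old" matching the root.
        string rootWithSep = AllowedRoot.TrimEnd(Path.DirectorySeparatorChar)
                             + Path.DirectorySeparatorChar;
        return full.StartsWith(rootWithSep, StringComparison.OrdinalIgnoreCase) ? full : null;
    }

    static void Main()
    {
        Directory.CreateDirectory(AllowedRoot);
        File.WriteAllText(Path.Combine(AllowedRoot, "report.bin"), "constructed sample");

        // Constructed inputs: two legitimate names, one traversal, one absolute path.
        foreach (var input in new[] { "report.bin", "sub/../report.bin",
                                      "../../../web.config", "/etc/passwd" })
        {
            string resolved = ResolveInsideRoot(input);
            if (resolved == null) { Console.WriteLine($"REJECT {input}"); continue; }
            using (var fs = new FileStream(resolved, FileMode.Open, FileAccess.Read, FileShare.Read))
                Console.WriteLine($"OPEN   {input} -> {fs.Length} bytes");
        }
    }
}
```

`Path.GetFullPath` normalizes the string only; it does not resolve symbolic links or junctions, so the allowed root should not contain links that users can create.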
