I am getting the issue when I use "FileSystem.FileOpen". I am posting the code below. I am getting the path from the user and I have already validated the path before opening the file. Still I am getting the same File Manipulation Issue in HP Fortify.
    // Requires: using System.IO; using Microsoft.VisualBasic;
    // Accept the path only if the file exists and the text contains no invalid path characters.
    // IndexOfAny returns -1 when none are found, so the test must be "< 0".
    if ((File.Exists(moFrmIntComplaint.lblFilePath.Text)) && moFrmIntComplaint.lblFilePath.Text.IndexOfAny(System.IO.Path.GetInvalidPathChars()) < 0)
    {
        sFilePath = moFrmIntComplaint.lblFilePath.Text;
        sFileName = Path.GetFileName(sFilePath); //moFrmIntComplaint.lblFileName.Text;
        sFileDirectory = Path.GetDirectoryName(sFilePath);
    }
    // Repeat the same checks before opening the file.
    if ((String.IsNullOrEmpty(sFilePath.Trim(' ')) == false) && (File.Exists(moFrmIntComplaint.lblFilePath.Text)) && (moFrmIntComplaint.lblFilePath.Text.IndexOfAny(System.IO.Path.GetInvalidPathChars()) < 0) && !string.IsNullOrEmpty(moFrmIntComplaint.lblFilePath.Text))
    {
        lFilePtr = FileSystem.FreeFile();
        // This is the call Fortify reports: sFilePath still comes straight from user input.
        FileSystem.FileOpen(lFilePtr, sFilePath, OpenMode.Binary, OpenAccess.Read, OpenShare.Default, -1);
        lFileSize = (int)FileSystem.LOF(lFilePtr);
    }
Check your validation logic to see if you can pass a file named:
../../../cmdshell.aspx
or
../../../web.config
Path manipulation is all about redirecting the server to an undesirable location for file reads and writes. Don't rely on filesystem permissions.
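A check that rejects the two names in the answer above, as an added example (not code from the original post or answer): it canonicalizes the input with Path.GetFullPath and requires the result to stay inside one allowed folder. The SafePath class, TryResolveUnderBase and the complaint-attachments base folder are assumptions made for illustration.

```csharp
using System;
using System.IO;

static class SafePath
{
    // Returns true and the canonical path only when userPath resolves to a
    // location inside baseDir. baseDir is an assumption: the single folder
    // the application intends to read from.
    public static bool TryResolveUnderBase(string baseDir, string userPath, out string fullPath)
    {
        fullPath = null;
        if (string.IsNullOrWhiteSpace(userPath) ||
            userPath.IndexOfAny(Path.GetInvalidPathChars()) >= 0)
            return false;

        // Canonicalize first: GetFullPath collapses "..\" and "../" segments,
        // and Path.Combine returns userPath unchanged when it is rooted.
        string root = Path.GetFullPath(baseDir)
            .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
            + Path.DirectorySeparatorChar;
        string candidate;
        try { candidate = Path.GetFullPath(Path.Combine(root, userPath)); }
        catch (Exception e) when (e is ArgumentException || e is NotSupportedException || e is PathTooLongException)
        { return false; }

        // Compare against root with its trailing separator so a sibling folder
        // such as "complaint-attachments-old" does not pass as a prefix match.
        if (!candidate.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            return false;

        fullPath = candidate;
        return true;
    }

    static void Main()
    {
        // Constructed sample inputs; the last two are the names from the answer.
        string baseDir = Path.Combine(Path.GetTempPath(), "complaint-attachments");
        string[] inputs = { "report.pdf", "sub/notes.txt", "../../../web.config", "../../../cmdshell.aspx" };
        foreach (string input in inputs)
        {
            string resolved;
            bool ok = TryResolveUnderBase(baseDir, input, out resolved);
            Console.WriteLine("{0,-24} -> {1}", input, ok ? "allowed: " + resolved : "rejected");
        }
    }
}
```

Path.GetFullPath does not resolve symbolic links or junctions, so this check covers traversal through the path string only. The case-insensitive comparison assumes a Windows file system.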