
Should I limit the length of a file name during upload in a Jersey REST API?

There are some obvious validations when a user uploads a file, such as: limiting the file size, checking the file extension is acceptable etc.

I was wondering if there is any benefit to restricting the amount of characters in the file name? So a user cannot upload a file to a backend API with 10000 characters, for example. Is there any use of this or is this considered an unnecessary check?

The filename parameter on a multipart/form-data is only a suggested file name. So there is no need for any validation.

But if you are going to use this suggested name to create a local file on the server you must take into account some important considerations:

  • Discard any path information that may be present on the file name.
  • Make sure that the filename doesn't conflict with an existing local file.
  • And, of course, the maximum file name length of the server file system

To quote the current spec for multipart/form-data (RFC 7578):

If a "filename" parameter is supplied, the requirements of Section 2.3 of [RFC2183] for the "receiving MUA" (ie, the receiving Mail User Agent) apply to receivers of multipart/form-data as well: do not use the file name blindly, check and possibly change to match local file system conventions if applicable, and do not use directory path information that may be present.

The referenced Section 2.3 of RFC 2183 has a more detailed explanation, and its Section 5 details some security considerations:

Since this memo provides a way for the sender to suggest a filename, a receiving MUA must take care that the sender's suggested filename does not represent a hazard. Using UNIX as an example, some hazards would be:

  • Creating startup files (eg, ".login").

  • Creating or overwriting system files (eg, "/etc/passwd").

  • Overwriting any existing file.

  • Placing executable files into any command search path (eg, "~/bin/more").

  • Sending the file to a pipe (eg, "| sh").

In general, the receiving MUA should not name or place the file such that it will get interpreted or executed without the user explicitly initiating the action.
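The three rules above (drop path information, avoid colliding with existing files, respect the filesystem's name length) applied in code. This is an added example, not part of the answer or of Jersey: in a Jersey multipart resource the suggested name would come from FormDataContentDisposition.getFileName(); the 255-character limit, the character whitelist and the upload directory are assumptions.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.UUID;
import java.util.regex.Pattern;

public final class UploadNames {
    // Assumed limit: most filesystems cap a single name component at 255 bytes.
    private static final int MAX_NAME_LENGTH = 255;
    // Conservative whitelist; anything else (space, "|", control chars, non-ASCII) becomes "_".
    private static final Pattern DISALLOWED = Pattern.compile("[^A-Za-z0-9._-]");

    // Turns the client-supplied Content-Disposition filename into a bare, safe name.
    public static String sanitize(String suggested) {
        if (suggested == null) return "upload";
        // Discard any directory information, whether Unix or Windows style.
        String name = suggested.replace('\\', '/');
        name = name.substring(name.lastIndexOf('/') + 1);
        name = DISALLOWED.matcher(name).replaceAll("_");
        // Strip leading dots: refuses hidden/startup files such as ".login" and the tokens "." and "..".
        name = name.replaceFirst("^\\.+", "");
        if (name.isEmpty()) name = "upload";
        // Enforce the maximum name length, keeping a short extension where one exists.
        if (name.length() > MAX_NAME_LENGTH) {
            int dot = name.lastIndexOf('.');
            String ext = (dot > 0 && name.length() - dot <= 16) ? name.substring(dot) : "";
            name = name.substring(0, MAX_NAME_LENGTH - ext.length()) + ext;
        }
        return name;
    }

    // On-disk path: a random prefix avoids overwriting existing files, and the resolved
    // path is verified to stay inside the upload directory before it is used.
    public static Path storagePath(Path uploadDir, String suggested) {
        Path base = uploadDir.toAbsolutePath().normalize();
        Path target = base.resolve(UUID.randomUUID() + "-" + sanitize(suggested)).normalize();
        if (!target.startsWith(base)) {
            throw new IllegalArgumentException("resolved path escaped the upload directory");
        }
        return target;
    }

    public static void main(String[] args) {
        System.out.println(sanitize("../../etc/passwd"));     // passwd
        System.out.println(sanitize("C:\\Users\\me\\.login")); // login
        System.out.println(sanitize("| sh"));                  // __sh
        System.out.println(storagePath(Paths.get("/var/uploads"), "report.pdf"));
    }
}
```

Keeping the original (sanitized) name only as metadata and serving the file back with an explicit Content-Disposition keeps the stored name from ever being interpreted by the server.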
