Is it possible to upload a file with malicious filename?
Question
是否可以将HTTP上传请求发送到Apache或IIS的文件,该文件的文件名将带有“ ../”或“ ..”而不会被拒绝,并将被传递给php或ASP.Net引擎?
1 answers
solution1
1 2013-02-08 07:35:14
Not really the way you are asking. By the time it gets to the server the browser has read the file and delivered it as a chunk of content with no information about where it came from other than the original file name which you can choose to use or discard.
Generally file uploads go into a temporary storage place (eg /tmp) and then need to be moved out of there to somewhere which you can control and name.
This storage is configured on the server, and so any attempt to put path info into the filename should also be blocked by the file upload implementation of the server which should sanitise the filenames again if the browser didn't already do so.
If there's a bug then all bets are off though.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.