There is a vulnerability which can bypass the isSafeFile() function in JFinal, so that I can upload any kind of files effectively #171

Closed
GlassyAmadeus opened this issue Aug 13, 2019 · 1 comment


@GlassyAmadeus

In JFinal, the upload function getFile() handles uploaded files in this way:
1. It handles the upload request and uploads all of the files in the request without any safety precautions.
2. It then judges the uploaded files and deletes the dangerous files with the isSafeFile() function.

However, if I can create an exception that happens after the upload and before the isSafeFile() function, the dangerous files will be uploaded to the server successfully.

So, I make a request like this
image

In my code, I just accept the file param like getFile("file","test"). However, I send a request which has two params ("file" and "batchId"); the code will upload the jsp file to the server and stop running before the isSafeFile() function, since the code will catch an exception "java.io.IOException: Content disposition corrupt: Content-Disposition: form-data: name="batchId"".

image

@jfinal
Owner

jfinal commented Aug 13, 2019

This problem belongs to project cos, and it has been fixed:
https://gitee.com/jfinal/cos/commit/5eb23d6e384abaad19faa7600d14c9a2f525946a

https://gitee.com/jfinal/cos/commit/8d26eec61f0d072a68bf7393cf3a8544a1112130

Thanks for your feedback

@jfinal jfinal closed this as completed Aug 13, 2019
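
The store-then-check flow described in the report, next to a variant that cleans up when parsing fails. This is an added example, not code from JFinal or cos: `parseAndStore` is a hypothetical stand-in for the multipart parser, `isSafe` is a simplified extension check, and the input in `main` is constructed.

```java
import java.io.IOException;
import java.nio.file.*;
import java.util.*;

public class UploadCleanupDemo {
    // Hypothetical stand-in for a multipart parser: writes each part to disk as it
    // is read, and throws when it reaches a part it cannot parse.
    static List<Path> parseAndStore(Path dir, List<String[]> parts, List<Path> written) throws IOException {
        for (String[] p : parts) {               // p = {fileName, content}
            if (p[0] == null) throw new IOException("Content disposition corrupt");
            Path f = dir.resolve(Paths.get(p[0]).getFileName());
            Files.write(f, p[1].getBytes());
            written.add(f);
        }
        return written;
    }

    static boolean isSafe(Path f) {              // simplified extension check (assumption)
        String n = f.getFileName().toString().toLowerCase(Locale.ROOT);
        return !(n.endsWith(".jsp") || n.endsWith(".jspx"));
    }

    // Flawed flow from the report: the check never runs if parsing throws.
    static void uploadThenCheck(Path dir, List<String[]> parts) throws IOException {
        for (Path f : parseAndStore(dir, parts, new ArrayList<>()))
            if (!isSafe(f)) Files.deleteIfExists(f);
    }

    // Hardened flow: on any failure, every file written so far is removed.
    static void uploadWithCleanup(Path dir, List<String[]> parts) throws IOException {
        List<Path> written = new ArrayList<>();
        boolean ok = false;
        try {
            parseAndStore(dir, parts, written);
            ok = true;
        } finally {
            for (Path f : written)
                if (!ok || !isSafe(f)) Files.deleteIfExists(f);
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed input: one stored file followed by a part the parser rejects.
        List<String[]> parts = Arrays.asList(new String[]{"a.jsp", "x"}, new String[]{null, ""});
        Path d1 = Files.createTempDirectory("flawed"), d2 = Files.createTempDirectory("fixed");
        try { uploadThenCheck(d1, parts); } catch (IOException e) { /* request fails */ }
        try { uploadWithCleanup(d2, parts); } catch (IOException e) { /* request fails */ }
        System.out.println("flawed keeps a.jsp: " + Files.exists(d1.resolve("a.jsp")));
        System.out.println("fixed keeps a.jsp:  " + Files.exists(d2.resolve("a.jsp")));
    }
}
```

Staging uploads in a directory the web server does not serve, and moving them only after the check passes, removes the window entirely.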