Comment: temporary commit

Applications that accept file uploads must ensure that an adversary cannot upload or transfer malicious files. If the target system executes a restricted file that contains code, the result can be misuse of privileges.

A typical JSP page for uploading a file contains code such as:

Code Block
<s:form action="uploadAction" method="POST" enctype="multipart/form-data">
  <s:file name="uploadFile" label="Choose File" size="40" />
  <s:submit value="Upload" name="submit" />
</s:form>
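
A server-side check for the uploadFile field submitted by the form above might look like the following. This is an added example, not code from the original page or its compliant solution; the class UploadValidator, the method accept, the size limit and the allowlist of types are assumptions chosen for illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Arrays;
import java.util.Locale;
import java.util.Map;
import java.util.UUID;

// Added example: hypothetical validator, not part of the original rule.
public final class UploadValidator {
    private static final long MAX_BYTES = 2L * 1024 * 1024; // assumed limit
    // Allowlist: extension -> leading bytes the file content must start with.
    private static final Map<String, byte[]> ALLOWED = Map.of(
        "png", new byte[] {(byte) 0x89, 'P', 'N', 'G'},
        "pdf", new byte[] {'%', 'P', 'D', 'F'},
        "gif", new byte[] {'G', 'I', 'F', '8'});

    /** Validates tempFile and moves it into storeDir under a server-chosen name. */
    public static Path accept(Path tempFile, String clientName, Path storeDir) throws IOException {
        if (Files.size(tempFile) > MAX_BYTES) {
            throw new IOException("upload too large");
        }
        // Only the final extension of the client-supplied name is used, never the name itself.
        int dot = clientName.lastIndexOf('.');
        String ext = dot < 0 ? "" : clientName.substring(dot + 1).toLowerCase(Locale.ROOT);
        byte[] magic = ALLOWED.get(ext);
        if (magic == null) {
            throw new IOException("file type not allowed");
        }
        byte[] head = new byte[magic.length];
        try (InputStream in = Files.newInputStream(tempFile)) {
            if (in.readNBytes(head, 0, head.length) != head.length || !Arrays.equals(head, magic)) {
                throw new IOException("content does not match extension");
            }
        }
        // Server-generated name: client input cannot add path separators or another extension.
        Path target = storeDir.resolve(UUID.randomUUID() + "." + ext);
        return Files.move(tempFile, target);
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("store");
        // Constructed sample inputs: a JSP file (rejected) and a PNG header (accepted).
        Path jsp = Files.write(Files.createTempFile("up", ".tmp"), "<% out.print(1); %>".getBytes());
        try { accept(jsp, "page.jsp", dir); } catch (IOException e) { System.out.println("rejected: " + e.getMessage()); }
        Path png = Files.write(Files.createTempFile("up", ".tmp"), new byte[] {(byte) 0x89, 'P', 'N', 'G', 13, 10, 26, 10});
        System.out.println("stored as: " + accept(png, "logo.png", dir).getFileName());
    }
}
```

A leading-bytes check only confirms that the file starts like the declared type, so the storage directory should also sit outside the web root, where the container will not execute anything placed in it.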

 

Noncompliant Code Example

This noncompliant code example shows code from the interceptor of a Struts 2 application. 


Noncompliant Code Example 

 


Noncompliant Code Example

 


Compliant Solution 

 


Applicability

 

Bibliography

 

...
