...
```java
import java.io.File;

public class AbsolutePathExample {
    public static void main(String[] args) {
        // Noncompliant: getAbsolutePath() only prepends the working directory when the
        // path is relative; it does not resolve "..", aliases or symbolic links, so the
        // result says nothing about which file is actually reached.
        File f = new File("/tmp/" + args[1]);
        String absPath = f.getAbsolutePath();
    }
}
```
Compliant Solution
Use the `getCanonicalPath()` method wherever possible, since it resolves aliases, shortcuts and symbolic links across all platforms. The value of the alias is not included in the returned value, and relative references such as the double period (`..`) are removed as well. The `getCanonicalPath()` method throws a security exception when used within applets, since it reveals too much information about the host machine. The `getCanonicalFile()` method (Java 2) behaves like `getCanonicalPath()` but returns a new `File` object instead of a `String`.
```java
import java.io.File;
import java.io.IOException;

public class CanonicalPathExample {
    public static void main(String[] args) {
        try {
            File f = new File("/tmp/" + args[1]);
            // Resolves "..", aliases and symbolic links before the path is used;
            // getCanonicalPath() may throw IOException, hence the try/catch.
            String canonicalPath = f.getCanonicalPath();
        } catch (IOException ie) {
            // Report or handle the failure rather than silently ignoring it.
        }
    }
}
```
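The compliant solution above stops at canonicalization. The following is an added example, not code from this page, showing the step that usually comes next: after canonicalizing, check that the resolved path is still inside the intended base directory, and compare it against the difference between `getAbsolutePath()` and `getCanonicalPath()` on the same input. The base directory `/tmp`, the class and method names, and the sample file names are assumptions made for this example.

```java
import java.io.File;
import java.io.IOException;

// Added example (not part of the original page): canonicalize first, then
// validate that the resolved path still lies under the intended base directory.
public class CanonicalPathCheck {

    // Assumed base directory for this example; an application would use its own.
    // Assumed not to be the filesystem root, so that base + separator is a valid prefix.
    private static final String BASE_DIR = "/tmp";

    /**
     * Returns the canonical path of baseDir/userSuppliedName if, after resolving
     * "..", aliases and symbolic links, it is still located under baseDir.
     * Throws IOException if it escapes baseDir or if canonicalization fails.
     */
    public static String resolveInside(String baseDir, String userSuppliedName) throws IOException {
        // Canonicalize the base as well, so a symlinked base directory compares correctly.
        String canonicalBase = new File(baseDir).getCanonicalPath();
        String canonicalCandidate = new File(baseDir, userSuppliedName).getCanonicalPath();

        // A bare startsWith(canonicalBase) would accept "/tmpevil/x" for base "/tmp",
        // so the separator after the base path is part of the required prefix.
        if (!canonicalCandidate.startsWith(canonicalBase + File.separator)) {
            throw new IOException("path escapes base directory: " + canonicalCandidate);
        }
        return canonicalCandidate;
    }

    public static void main(String[] args) {
        // Constructed sample inputs standing in for the user-supplied args[1] in the page's code.
        String[] samples = { "notes.txt", "../etc/passwd", "sub/../../../etc/passwd" };
        for (String name : samples) {
            File f = new File(BASE_DIR, name);
            System.out.println("input:     " + name);
            // getAbsolutePath() keeps the ".." segments exactly as supplied.
            System.out.println("absolute:  " + f.getAbsolutePath());
            try {
                // getCanonicalPath() removes them and resolves any symbolic links.
                System.out.println("canonical: " + f.getCanonicalPath());
                System.out.println("accepted:  " + resolveInside(BASE_DIR, name));
            } catch (IOException e) {
                System.out.println("rejected:  " + e.getMessage());
            }
            System.out.println();
        }
    }
}
```

Run with `javac CanonicalPathCheck.java && java CanonicalPathCheck`. The first sample is accepted; the two `..` variants show an absolute path that still contains the dot segments and a canonical path outside `/tmp`, which the prefix check rejects. On systems where `/tmp` is itself a symbolic link, both the base and the candidate canonicalize to the link target, which is why the base is canonicalized too rather than compared as written.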
Risk Assessment
Using path names from untrusted sources without first canonicalizing the filenames involved may seriously compromise the security of a Java application.
...