Applications that accept file uploads must ensure that an adversary cannot upload or transfer malicious files. If an uploaded file containing code is later executed by the target system, the result can be misuse of the application's privileges.
To upload a file, a typical JSP page contains code such as the following:

    <s:form action="uploadAction" method="POST" enctype="multipart/form-data">
      <s:file name="uploadFile" label="Choose File" size="40" />
      <s:submit value="Upload" name="submit" />
    </s:form>
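The form above only carries the file to the server; the restriction the first paragraph calls for has to happen in server-side code. The following validator is an added example written for this page, not code from the original rule or from Struts 2. The class name `UploadValidator`, the size limit, the allowed-extension list and the location of the upload directory are all assumptions. It rejects empty or oversized files, allows only an explicit list of extensions, checks that the file's leading bytes match the format the extension claims (rather than trusting the client-supplied `Content-Type` or file name), and stores the file under a server-generated name so that the client's name can never influence the path.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Arrays;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.UUID;

/** Hypothetical server-side validator for uploaded files (example code, not the rule's own). */
public final class UploadValidator {
    // Constructed limit for this example: 5 MiB.
    private static final long MAX_BYTES = 5L * 1024 * 1024;

    // Assumed allowlist: the application only ever expects images.
    private static final Set<String> ALLOWED_EXTENSIONS = Set.of("png", "jpg", "jpeg", "gif");

    // Leading bytes ("magic numbers") of the allowed formats. These are checked on the
    // actual content, never on the client-supplied Content-Type header or file name.
    private static final Map<String, byte[]> MAGIC = Map.of(
        "png",  new byte[] {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A},
        "jpg",  new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
        "jpeg", new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
        "gif",  new byte[] {'G', 'I', 'F', '8'});

    private UploadValidator() {}

    /**
     * Validates the temporary file that the upload interceptor handed to the action and
     * moves it into uploadDir under a generated name. Throws IOException on any rejection
     * so that the caller cannot accidentally treat a rejected upload as stored.
     */
    public static Path validateAndStore(Path uploaded, String clientFileName, Path uploadDir)
            throws IOException {
        long size = Files.size(uploaded);
        if (size == 0 || size > MAX_BYTES) {
            throw new IOException("rejected: size " + size);
        }

        String ext = extensionOf(clientFileName);
        if (!ALLOWED_EXTENSIONS.contains(ext)) {
            throw new IOException("rejected: extension not allowed");
        }

        // Compare the first bytes of the content with the signature of the claimed format.
        byte[] expected = MAGIC.get(ext);
        byte[] head = new byte[expected.length];
        try (InputStream in = Files.newInputStream(uploaded)) {
            int read = in.readNBytes(head, 0, head.length);
            if (read != head.length || !Arrays.equals(head, expected)) {
                throw new IOException("rejected: content does not match extension");
            }
        }

        // Never reuse the client-supplied name: it may contain separators or ".." sequences.
        Path base = uploadDir.toAbsolutePath().normalize();
        Path target = base.resolve(UUID.randomUUID() + "." + ext).normalize();
        if (!target.startsWith(base)) {
            throw new IOException("rejected: target escapes upload directory");
        }
        return Files.move(uploaded, target);
    }

    /** Returns the lower-cased extension of name, or "" if there is none. */
    private static String extensionOf(String name) {
        int dot = name.lastIndexOf('.');
        if (dot < 0 || dot == name.length() - 1) {
            return "";
        }
        return name.substring(dot + 1).toLowerCase(Locale.ROOT);
    }
}
```

In a Struts 2 action, the upload interceptor populates properties named after the form field (`uploadFile` for the temporary `File`, `uploadFileFileName` for the client's name), so the action would call `UploadValidator.validateAndStore(uploadFile.toPath(), uploadFileFileName, uploadDir)` with an `uploadDir` that lies outside the web application's document root; keeping stored files out of the servable tree is what prevents the server from ever executing an uploaded file as a JSP or script, which is the harm the opening paragraph describes.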
Noncompliant Code Example
This noncompliant code example shows code from the interceptor of a Struts 2 application.
Noncompliant Code Example
Noncompliant Code Example
Compliant Solution
Applicability
Bibliography