Objective
File upload and download are features almost every project needs; practically every web application has them. This post looks at the problems that carelessness during development can cause in exactly this feature.
First, build a web project; the directory structure is as follows:
File Upload Vulnerability
Let's take a look at the following file upload code, which uses commons-fileupload.jar and commons-io.jar (Apache Commons FileUpload and Commons IO). UploadServlet.java, access path /uploadservlet:

import java.io.File;
import java.io.IOException;
import java.util.List;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.fileupload.FileItem;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;
import org.apache.commons.fileupload.servlet.ServletFileUpload;

public class UploadServlet extends HttpServlet {
    /** File upload */
    protected void doPost(HttpServletRequest request, HttpServletResponse response) {
        // Absolute path of the upload folder under the deployed project
        String root = request.getServletContext().getRealPath("/upload");
        DiskFileItemFactory factory = new DiskFileItemFactory();
        ServletFileUpload upload = new ServletFileUpload(factory);
        try {
            List<FileItem> list = upload.parseRequest(request);
            for (FileItem it : list) {
                // Only handle file fields, not ordinary form fields
                if (!it.isFormField()) {
                    // The client-supplied file name is used as-is: no type check, no renaming
                    it.write(new File(root + "/" + it.getName()));
                    response.getWriter().write("Success");
                }
            }
        } catch (Exception e) {
            try {
                response.getWriter().write("Exception");
            } catch (IOException e1) {
                e1.printStackTrace();
            }
            e.printStackTrace();
        }
    }
}
The front-end index.jsp has a form for uploading files:

<form action="/load/uploadservlet" method="post" enctype="multipart/form-data">
    <input type="file" name="file"/>
    <input type="submit" value="Submit"/>
</form>
Deploy the project to Tomcat and open http://localhost:8080/load/
Select a file and submit the form. The upload succeeds, and the file appears in the upload directory.
(If you have just graduated, you may not see anything wrong here; more experienced developers will immediately spot what is wrong with this upload function.) The big problem is that there is no restriction at all on the type of file that can be uploaded. If I write a script a.jsp with the following code:

<%@ page import="java.io.File" %>
<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" %>
<%
    // Absolute path of the deployed application on disk
    String root = request.getServletContext().getRealPath("");
    out.write("Absolute deployment path of the system: " + root);
    // Delete the application's home page
    File file = new File(root + "/index.jsp");
    file.delete();
%>
Once the upload finishes, visit localhost:8080/load/upload/a.jsp and you will find something alarming: the uploaded JSP is compiled and executed by Tomcat with the permissions of the server process. It is not limited to deleting files; it can replace the home page or do whatever else you write. Therefore, when handling uploads we must restrict the uploaded file format and add a check at upload time. (Checking only the suffix can still have problems; it is better to also check the first 4 bytes of the file, since different file types have different leading bytes.) Note also that a leading-bytes check only proves the file begins like an image: a JSP source file that starts with GIF89a still passes it, and still executes if it is stored where Tomcat serves JSPs. The uploaded file should therefore be stored under a server-generated name with an allowed extension, in a directory that is not served as executable content.
Something like the following, adapted to the business, placed before it.write(...):

if (it.getName().contains("jsp")) {
    // reject the file and return, depending on the business
}

Note that this is a denylist and is case-sensitive: names such as a.JSP or a.jspx (which Tomcat also maps to the JSP servlet by default) slip past it. An allowlist of permitted extensions is safer.
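The allowlist approach described above, worked through as an added example (this is not code from the original post; the class name UploadValidator, the helper names, and the type table are this example's own assumptions, and it requires Java 9+ for Set.of/Map.of). It checks the suffix against an allowlist rather than a denylist, checks the leading bytes the post recommends, and never reuses the client's file name:

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.UUID;

/** Added example: allowlist validation for uploaded files (not from the original post). */
public class UploadValidator {

    // Only these suffixes are accepted; jsp, jspx, war, ... are never on the list.
    private static final Set<String> ALLOWED = Set.of("png", "jpg", "gif", "pdf");

    // Leading bytes ("magic numbers") for each allowed type, as the post suggests checking.
    private static final Map<String, byte[]> MAGIC = Map.of(
        "png", new byte[]{(byte) 0x89, 'P', 'N', 'G'},
        "jpg", new byte[]{(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
        "gif", new byte[]{'G', 'I', 'F', '8'},
        "pdf", new byte[]{'%', 'P', 'D', 'F'}
    );

    /** Suffix after the last dot of the bare file name, lower-cased; null if there is none. */
    static String extension(String clientName) {
        // Drop any directory part the browser or an attacker may have sent ("..\\x.png", "/tmp/x.png")
        int sep = Math.max(clientName.lastIndexOf('/'), clientName.lastIndexOf('\\'));
        String base = clientName.substring(sep + 1);
        int dot = base.lastIndexOf('.');
        if (dot < 0 || dot == base.length() - 1) return null;
        return base.substring(dot + 1).toLowerCase(Locale.ROOT);
    }

    /** True if the content starts with the magic bytes expected for this suffix. */
    static boolean magicMatches(String ext, byte[] content) {
        byte[] expected = MAGIC.get(ext);
        if (expected == null || content.length < expected.length) return false;
        return Arrays.equals(Arrays.copyOf(content, expected.length), expected);
    }

    /**
     * Returns the server-chosen name to store the upload under, or null if the
     * upload must be rejected. The client-supplied name is never reused on disk.
     */
    static String validate(String clientName, byte[] content) {
        String ext = extension(clientName);
        if (ext == null || !ALLOWED.contains(ext)) return null; // suffix allowlist
        if (!magicMatches(ext, content)) return null;           // leading-bytes check
        return UUID.randomUUID() + "." + ext;                   // random name, trusted suffix
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a PNG header, and JSP source text
        byte[] png = {(byte) 0x89, 'P', 'N', 'G', '\r', '\n', 0x1A, '\n'};
        byte[] jsp = "<% new java.io.File(\"x\").delete(); %>".getBytes(StandardCharsets.ISO_8859_1);

        System.out.println(validate("photo.png", png) != null);     // true
        System.out.println(validate("a.jsp", jsp) != null);         // false: suffix not on the allowlist
        System.out.println(validate("a.JSP", jsp) != null);         // false: case does not help the attacker
        System.out.println(validate("a.png", jsp) != null);         // false: bytes are not a PNG
        System.out.println(validate("..\\..\\a.png", png) != null); // true, but stored under a fresh UUID name
    }
}
```

In the servlet, the returned name replaces it.getName() in the call to it.write(...), and the target directory should be one Tomcat does not serve as JSP content (for example outside the web application root). The magic-byte check raises the bar but is not a proof of safety on its own: a file beginning with GIF89a followed by JSP source passes it, which is why the stored name and location, not the content check, are what keep the upload from executing.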
File Download Vulnerability (Directory Traversal Attack)
Now let's look at the security issues in file download. Download.java, access path /download:

import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class Download extends HttpServlet {
    /** File download */
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Absolute path of the upload folder under the deployed project
        String root = request.getServletContext().getRealPath("/upload");
        // File name supplied by the client, used without any validation
        String filename = request.getParameter("filename");
        File file = new File(root + "/" + filename);
        FileInputStream fis = new FileInputStream(file);
        response.addHeader("Content-Disposition", "attachment;filename=" + new String(filename.getBytes()));
        response.addHeader("Content-Length", "" + file.length());
        byte[] b = new byte[fis.available()];
        fis.read(b);
        fis.close();
        response.getOutputStream().write(b);
    }
}
Add a new form to index.jsp:

<form action="/load/download" method="get">
    File name to download <input type="text" name="filename"/>
    <input type="submit" value="Submit"/>
</form>
Http://localhost:8080/load/DownLoad?filename=download.txt
Here we enter the name of the file to download and submit; the request goes to the Download servlet, which reads the file name, opens the input and output streams and sends the file. Result: the file downloads successfully.
Most people write download code exactly this way, and the problem is not so easy to see, even after you have been working for some time. Now enter ../WEB-INF/web.xml in the text box and submit: you will download a file that should never be reachable from the outside.
It is not limited to one ../ either: you can climb as many directory levels as you like. This is a "directory traversal" attack; search for the term if you want more background. As for the fix, most people know that the file name must be checked for special characters. (Does your own code have this problem?) Filtering characters is fragile, though: the robust check is to resolve the requested name against the upload directory, canonicalize the result, and refuse to serve it unless the canonical path is still inside that directory.
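The canonical-path containment check described above, worked through as an added example (this is not code from the original post; the class name SafeDownload, the helper resolveInside, and the temporary directory layout are this example's own assumptions). It uses java.nio.file.Path.toRealPath, which resolves symlinks as well as ../ segments, so a symlink planted inside the upload folder is rejected too:

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;

/** Added example: serving only files that really live under the upload directory (not from the original post). */
public class SafeDownload {

    /**
     * Resolves the client-supplied name inside base and returns the real path of an
     * existing regular file, or null if the result escapes base or does not exist.
     */
    static Path resolveInside(Path base, String requested) throws IOException {
        if (requested == null || requested.isEmpty() || requested.indexOf('\0') >= 0) return null;
        Path baseReal = base.toRealPath(); // canonical form of the directory we are allowed to serve
        Path candidate;
        try {
            candidate = baseReal.resolve(requested).normalize(); // collapses "." and ".." segments
        } catch (InvalidPathException e) {
            return null; // characters the file system rejects
        }
        if (!Files.isRegularFile(candidate)) return null;
        Path real = candidate.toRealPath(); // follows symlinks in every component
        // Path.startsWith compares whole name elements, so "/x/upload2" does not pass for base "/x/upload"
        if (!real.startsWith(baseReal)) return null;
        return real;
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout: <tmp>/upload/download.txt and <tmp>/WEB-INF/web.xml
        Path app = Files.createTempDirectory("load");
        Path upload = Files.createDirectories(app.resolve("upload"));
        Path webInf = Files.createDirectories(app.resolve("WEB-INF"));
        Files.write(upload.resolve("download.txt"), "hello".getBytes(StandardCharsets.UTF_8));
        Files.write(webInf.resolve("web.xml"), "<web-app/>".getBytes(StandardCharsets.UTF_8));

        System.out.println(resolveInside(upload, "download.txt"));               // <tmp>/upload/download.txt
        System.out.println(resolveInside(upload, "../WEB-INF/web.xml"));         // null
        System.out.println(resolveInside(upload, "sub/../../WEB-INF/web.xml"));  // null
        System.out.println(resolveInside(upload, "missing.txt"));                // null

        // A symlink inside upload that points outside is rejected as well, because toRealPath follows it
        try {
            Files.createSymbolicLink(upload.resolve("link.xml"), webInf.resolve("web.xml"));
            System.out.println(resolveInside(upload, "link.xml"));               // null
        } catch (IOException | UnsupportedOperationException e) {
            System.out.println("symbolic links not available here: " + e.getMessage());
        }
    }
}
```

In the Download servlet, resolveInside(Paths.get(root), filename) replaces the unchecked new File(root + "/" + filename); a null result should become a 404 rather than an exception trace. Use real.getFileName() when building the Content-Disposition header instead of echoing the raw parameter, so that CR/LF or quote characters in the request never reach the response headers.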
Security issues in File upload and download (upload vulnerability and directory traversal attack)