Unsecure implementation of the Struts2 file download function may cause file reading problems

File Reading problems caused by Insecure File Download functions are nothing to mention (the same for other languages). Generally,The external parameters are not safely referenced in the internal implementation path of the function (in short, the download path can be directly controlled by the external ).However, Struts2 provides dynamic parameter binding configuration for downloading file names, which makes this security problem more prone!
The result of using the baidu search engine key is: Struts2 file download,

In the top tutorial demo, you can see the configuration file:
<Result type = "stream">
<Param name = "contentType"> application/octet-stream </param>
<Param name = "inputName"> inputStream </param>
<Param name = "contentDisposition"> attachment; filename = "$ {fileName}" </param>
<Param name = "bufferSize"> 4096 </param>
</Result> download the dynamic parameter auto-fill configuration of the file name:
<Param name = "contentDisposition"> attachment; filename = "$ {fileName}" </param> code implementation:
Private String fileName;
 
Public void setFileName (String fileName ){
This. fileName = fileName;
}
 
Public String getFileName (){
Return fileName;
}
 
Public InputStream getInputStream () throws FileNotFoundException {
Return ServletActionContext. getServletContext (). getResourceAsStream ("/" + fileName );
// Return new FileInputStream ("c: //" + fileName );
} Ps: // Content-disposition is an extension of the MIME protocol. The MIME Protocol indicates how the MIME User Agent displays additional files. After dynamic parameter configuration, the attribute value of filename in action will be called, combined with the use of the automatic form filling feature of struts2 external parameters, this is definitely the implementation code of the simplest process (for normal developers, who will write a few more lines of code !), And this is a common function!




Note:
Return ServletActionContext. getServletContext (). getResourceAsStream ("/" + fileName); call the objects in the Servlet and use relative paths. You can only read files in this application!
And:
Return new FileInputStream ("absolute path" + fileName); When FileInputStream is used, the absolute path is used, causing Arbitrary File Reading!
// Strictly speaking, in addition to this security issue, this demo is well written and simple! However, it may also allow later users to implant "backdoors" in many applications "!