spring - Java SecurityManager to prevent .. directory usage -



spring - Java SecurityManager to prevent .. directory usage -

i want forbid spring webapp (running in tomcat) using file paths include ".." in them.

obviously first place @ points user info sanitized before beingness used in file paths. however, there hundreds of places in app file access , take quite lot of effort manually verify of them implemented correctly.

i'd add together or modify java securitymanager prevent filenames having ".." in them.

my first effort create own securitymanager , override methods checkread , checkwrite, turns out that's not sufficient. default implementation of methods appear disallow anyaway, suspect creating 1 scratch isn't way it's supposed done.

another possibility suppose utilize aspectj, if can create securitymanager work seems improve idea.

so, what's simplest thing can disallow ".." in filenames? there securitymanager implementations can install , utilize meant create webapps more secure?

using .. means using parent directory. utilize securitymanager check file allowed if within allowed directories:

@override public void checkpermission(permission perm) { if( perm instanceof filepermission ) { path path = paths.get(perm.getname()).normalize().toabsolutepath(); //todo: check path in 1 of allowed directories if( !path.tostring().startswith( myallowedrootdir ) ) throw new securityexception("not allowed"); } }

java spring tomcat securitymanager

Comments

Popular posts from this blog

php - Android app custom user registration and login with cookie using facebook sdk -

c# - Create a Notification Object (Email or Page) At Run Time -- Dependency Injection or Factory -

Set Up Of Common Name Of SSL Certificate To Protect Plesk Panel -