From: Henrique P. <hp...@gm...> - 2011-05-30 18:32:23
Hi Ramsey,

Any progress on how to solve the encoding problem? I've been using the filename in the webpath which is causing a lot of headaches. I've tried to use the primary key, but it also has some bugs related to mime types and file extensions with the S3 processor.

Cheers,
Henrique

On 28/05/2011, at 19:54, Ramsey Gurley wrote:

> Cases where the current code doesn't work in my testing:
>
> input file name at file upload==resultant url after clicking ERAttachmentLink in safari
>
> some & copy.jpg==some%20&%20copy.jpg
> some©.jpg==some©.jpg
>
> "><script>alert('xss')</script>==script>
>
> In the last case, I'm trying to be evil. Fortunately, the evil doesn't work, but the file name is still badly mangled as Mac OS turns that into
>
> "><script>alert('xss')<:script>
>
> Notice the / becomes :. My reverted patch will not fix that case, because everything before the : is gone before it even reaches the method I was mucking around in. Taking out the / with something like
>
> "><script>alert('xss')<hr>
>
> Doesn't work either. " becomes %22, so my primary concern is alleviated. Basically though, using ${fileName} in your webpath isn't really a good idea until there's a fix. I plan on filing a JIRA when I get done commenting on other issues (^_^)
>
> Ramsey
>
> On May 28, 2011, at 3:09 PM, Ray Kiddy wrote:
>
>> Has this kind of thing caused problems in the past? I thought it had.
>>
>> Was the problem that helper methods did url encoding or did not, and different callers relied on the behavior?
>>
>> Just wondering if all the edge cases were checked here. If there are edge cases. Or edges.
>>
>> - ray
>>
>> On May 28, 2011, at 2:55 PM, no...@gi... wrote:
>>
>>> Branch: refs/heads/master
>>> Home: https://github.com/projectwonder/wonder
>>>
>>> Commit: 6913682052479ff26cdd95e698aad615197be5c8
>>> https://github.com/projectwonder/wonder/commit/6913682052479ff26cdd95e698aad615197be5c8
>>> Author: nullterminated <ram...@gm...>
>>> Date: 2011-05-28 (Sat, 28 May 2011)
>>>
>>> Changed paths:
>>> M Frameworks/BusinessLogic/ERAttachment/Sources/er/attachment/processors/ERAttachmentProcessor.java
>>>
>>> Log Message:
>>> -----------
>>> File names need to be url encoded. Some examples of file names that
>>> don't work... file names with spaces, file names with &, file names
>>> with © or something else that can be mistaken as an html entity by
>>> the browser.
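As an added illustration of the encoding the commit message calls for (this is not code from the Wonder project or from anyone in this thread): a small Java helper that percent-encodes the uploaded file name as one opaque URL path segment, exercised against the file names Ramsey listed. The class and method names are hypothetical, and turning `URLEncoder`'s form encoding into path-segment encoding is my own choice of technique, not how ERAttachmentProcessor does it.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;

/**
 * Hypothetical helper: builds an attachment web path without trusting
 * the raw file name. Not ERAttachmentProcessor's own code.
 */
public class AttachmentWebPath {

    /** Percent-encode one path segment as UTF-8, RFC 3986 style. */
    public static String encodePathSegment(String fileName) {
        try {
            // URLEncoder emits application/x-www-form-urlencoded output,
            // which differs from a URL path segment in two places: a space
            // becomes "+" (only meaningful in query strings) and "*" is
            // left bare. Patch both so the result is safe as a path segment.
            return URLEncoder.encode(fileName, "UTF-8")
                    .replace("+", "%20")
                    .replace("*", "%2A");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException("UTF-8 is always available", e);
        }
    }

    /** Unsafe: the ${fileName} interpolation the thread warns about. */
    public static String unsafeWebPath(String basePath, String fileName) {
        return basePath + "/" + fileName;
    }

    /** Safe: "&", "/", quotes and non-ASCII can no longer alter the URL. */
    public static String safeWebPath(String basePath, String fileName) {
        return basePath + "/" + encodePathSegment(fileName);
    }

    public static void main(String[] args) {
        // Constructed inputs, copied from the cases listed in the thread.
        String[] names = {
            "some & copy.jpg",
            "some\u00A9.jpg",
            "\"><script>alert('xss')</script>",
        };
        for (String name : names) {
            System.out.println("unsafe: " + unsafeWebPath("/attachments", name));
            System.out.println("safe:   " + safeWebPath("/attachments", name));
        }
    }
}
```

Because "&" is encoded to %26, the browser never sees an "&copy" sequence it could mistake for an HTML entity; the Mac OS "/" to ":" rename Ramsey describes happens on the filesystem before this code runs and needs separate file-name sanitisation.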