Struts 2 / WW-3873

file tag leaks server path information


Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.3.4, 2.3.4.1
    • Fix Version/s: 2.3.15.1, 2.3.16
    • Component/s: None
    • Labels: None
    • Environment: Linux, weblogic 10-12, tomcat 7

    Description

      After a file upload action, if the result JSP contains an <s:file> tag, the value attribute is filled in with the server path where the file was saved. This discloses file system information about the server.

      To duplicate:
      1) Set up the struts2_showcase sample app.
      2) Change struts-fileupload.xml from this

              <action name="doUpload" class="org.apache.struts2.showcase.fileupload.FileUploadAction" method="upload">
                  <result name="input">upload.jsp</result>
                  <result>upload-success.jsp</result>
              </action>

         to this

              <action name="doUpload" class="org.apache.struts2.showcase.fileupload.FileUploadAction" method="upload">
                  <result name="input">upload.jsp</result>
                  <result>upload.jsp</result>
              </action>

      3) Deploy and upload a file using the URL struts2-showcase/fileupload/upload.action.
      4) View source; in the input tag generated by the s:file tag you'll see the full path to the file that was uploaded:

              <input type="file" name="upload" value="/home/cmorris/Workspace/struts2-examples/.metadata/.plugins/org.eclipse.wst.server.core/tmp0/work/Catalina/localhost/struts2-showcase/upload__1bd5a0ad_13997105f96__8000_00000002.tmp" id="doUpload_upload"/>

      Workaround:
      The workaround is simple: just add an empty value attribute to the file tag:

              <s:file name="upload" label="File" value=""/>
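      As an added regression check (example code written for this page, not part of the Struts project or this report), the scanner below parses rendered HTML and flags any <input type="file"> whose value attribute is non-empty, which is exactly the symptom described above. The sample markup and the temp path inside it are constructed placeholders, and the path heuristic is an assumption of this example, not something the Struts fix does.

```python
# Added example (not part of the Struts project or this issue report):
# scan rendered HTML for <input type="file"> elements whose value
# attribute is non-empty, the symptom reported in WW-3873.
from html.parser import HTMLParser


class FileInputValueScanner(HTMLParser):
    """Collect (name, value) for every file input that carries a non-empty value."""

    def __init__(self):
        super().__init__()
        self.leaks = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        # attrs is a list of (name, value); value is None for bare attributes
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("type", "").lower() == "file" and a.get("value", "").strip():
            self.leaks.append((a.get("name", ""), a["value"]))


def find_file_input_leaks(html):
    """Return [(input name, echoed value), ...] for the given HTML document."""
    scanner = FileInputValueScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.leaks


def looks_like_server_path(value):
    """Heuristic (assumption of this example): absolute POSIX path or Windows drive path."""
    if value.startswith("/"):
        return True
    return len(value) > 2 and value[1] == ":" and value[2] in "\\/"


# Constructed sample markup (the temp path is a made-up placeholder, not one
# taken from a real server): the leaking form and the workaround form.
LEAKY_HTML = (
    '<form action="doUpload">'
    '<input type="file" name="upload" '
    'value="/srv/appserver/work/Catalina/localhost/struts2-showcase/upload__deadbeef.tmp" '
    'id="doUpload_upload"/>'
    '</form>'
)
FIXED_HTML = (
    '<form action="doUpload">'
    '<input type="file" name="upload" value="" id="doUpload_upload"/>'
    '</form>'
)


def report(html):
    """Human-readable findings; one line per file input that echoes a value."""
    lines = []
    for name, value in find_file_input_leaks(html):
        kind = "server path" if looks_like_server_path(value) else "value"
        lines.append(f"file input '{name}' echoes a {kind}: {value}")
    return lines


if __name__ == "__main__":
    for label, doc in (("leaky", LEAKY_HTML), ("fixed", FIXED_HTML)):
        findings = report(doc)
        print(f"{label}: {findings if findings else 'no file input values echoed'}")
```

      Run against the response body of the upload page in a test suite; any finding means the page is echoing server-side state into the form, whether or not the heuristic recognises it as a path.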

      Attachments

        1. file-leak.png
          106 kB
          Cam Morris

          People

            Assignee: rgielen (René Gielen)
            Reporter: cmorris_partnet (Cam Morris)
            Votes: 0
            Watchers: 4