[WW-3873] file tag leaks server path information - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: 2.3.4, 2.3.4.1
Fix Version/s: 2.3.15.1, 2.3.16
Component/s: None
Labels:
None
Environment:

Linux, weblogic 10-12, tomcat 7

Description

After a fileupload action, if the result jsp contains a <s:file> tag the value attribute is filled in with the server path where the file was saved. This discloses file system information about the server.

To duplicate:
1) setup the struts2_showcase sample app
2) change struts-fileupload.xml from this

        <action name="doUpload" class="org.apache.struts2.showcase.fileupload.FileUploadAction" method="upload">
        	<result name="input">upload.jsp</result>
			<result>upload-success.jsp</result>
		</action>

to this

        <action name="doUpload" class="org.apache.struts2.showcase.fileupload.FileUploadAction" method="upload">
        	<result name="input">upload.jsp</result>
			<result>upload.jsp</result>
		</action>

3. Deploy & Upload file using the url struts2-showcase/fileupload/upload.action
4. View source, in the input tag generated by the s:file tag you'll see the full path to the file that was uploaded.

<input type="file" name="upload" value="/home/cmorris/Workspace/struts2-examples/.metadata/.plugins/org.eclipse.wst.server.core/tmp0/work/Catalina/localhost/struts2-showcase/upload__1bd5a0ad_13997105f96__8000_00000002.tmp" id="doUpload_upload"/>

Workaround:
A workaround is simple, just add an empty value attribute to the file tag:

<s:file name="upload" label="File" value=""/>

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

file-leak.png
05/Sep/12 15:44
106 kB
Cam Morris

Activity

People

Assignee:: René Gielen

Reporter:: Cam Morris

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 05/Sep/12 15:42

Updated:: 07/Jul/13 12:01

Resolved:: 07/Jul/13 12:01