Applications that accept file uploads must ensure that an adversary cannot upload or transfer malicious files. If a restricted file containing code is executed by the target system, it can result in misuse of privileges.

To upload a file, a typical JSP page contains code such as:

<s:form action="uploadAction" method="POST" enctype="multipart/form-data">
  <s:file name="uploadFile" label="Choose File" size="40" />
  <s:submit value="Upload" name="submit" />
</s:form>
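
The form above only submits the file; the decision to accept it has to be made on the server. The following is an added example, not code from this page or from Struts 2, of one such check. It assumes Java 11 or later, and the names `UploadCheck` and `storageName`, the PNG/PDF allow-list and the 5 MiB limit are hypothetical choices for illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Arrays;
import java.util.Locale;
import java.util.Map;
import java.util.UUID;

// Added example: class name, allow-list and size limit are assumptions.
public final class UploadCheck {
    // Allow-list: permitted extension -> leading bytes the content must start with.
    private static final Map<String, byte[]> ALLOWED = Map.of(
        "png", new byte[] {(byte) 0x89, 'P', 'N', 'G'},
        "pdf", new byte[] {'%', 'P', 'D', 'F'});
    private static final long MAX_BYTES = 5L * 1024 * 1024; // assumed limit

    /** Returns a server-generated storage name, or throws if the upload is rejected. */
    public static String storageName(String clientName, Path tempFile) throws IOException {
        if (clientName == null || Files.size(tempFile) > MAX_BYTES) {
            throw new SecurityException("missing name or file too large");
        }
        // Only the text after the last dot counts as the type: "a.png.jsp" -> "jsp".
        int dot = clientName.lastIndexOf('.');
        String ext = dot < 0 ? "" : clientName.substring(dot + 1).toLowerCase(Locale.ROOT);
        byte[] magic = ALLOWED.get(ext);
        if (magic == null) {
            throw new SecurityException("extension not on allow-list");
        }
        // The content must match the claimed type, so a renamed script is rejected.
        byte[] head;
        try (InputStream in = Files.newInputStream(tempFile)) {
            head = in.readNBytes(magic.length);
        }
        if (!Arrays.equals(head, magic)) {
            throw new SecurityException("content does not match extension");
        }
        // Never reuse the client-supplied name: it may carry path separators or "..".
        return UUID.randomUUID() + "." + ext;
    }

    public static void main(String[] args) throws IOException {
        Path p = Files.createTempFile("upload", ".tmp"); // constructed sample input
        Files.writeString(p, "<%-- not an image --%>");
        try {
            storageName("photo.png", p);
        } catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
        Files.delete(p);
    }
}
```

A file that passes should be stored under the returned name in a directory that the servlet container neither serves nor executes.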

 

Noncompliant Code Example

This noncompliant code example shows code from the interceptor of a Struts 2 application. 

p

 

Noncompliant Code Example 

 

p

 

Noncompliant Code Example

 

p

 

Compliant Solution 

 

p

Applicability

 

Bibliography

 


  
