Subject: Re: Java questions...
From: Mikael Olsson (mikael.olssonENTERNET.SE)
Date: Sat Aug 05 2000 - 11:50:37 CDT

Joe Testa wrote:
> I wonder if there exist any weaknesses in Java's
> File and String classes that could be exploited to subvert my
> 'isSafe()' method. Maybe there is something that could mimick the
> null-byte problem that PERL's 'open()' call has? Maybe there is something that could mimic the
> any ideas?

I don't know the first thing about Java's internal workings, but one
suggestion here might be that you be really anal about paths that
you approve:

Any URL containing /.. or \.. should be thrown away. REMEMBER to do your
decoding of escaped characters BEFORE you test this, lest you fall prey
to the same vulnerabilities that many others have before you.

You could be even more anal and restrict your set of characters to
"a-z", "A-Z", "0-9", "." and "_"; I don't think it would cause
any problems, except if you start serving up odd files with
spaces in them (YUCK!) and stuff like that. This is a good
measure, since you can't know what your underlying OS is
going to do to oddball characters like \0xff and company, or
wildcards for that matter. What if you run it on some
operating system that parses "/webroot/?./secret_files/" as
"/webroot/../secret_files", without your java engine knowing
about it? Okay, "?" should be treated separately, but consider
"/webroot/*./secret_files" then.

Also, you might want to consider checking for double "/" characters
("//", "\\", "/\", "\/") so that the underlying operating system
doesn't parse them as "start over at the root" or something stupid
like that, that the Java engine doesn't know about.

And another thing: Does the Java engine know about "..."? If it
doesn't, and your OS parses it as "..\..", you'd be into a lot
of problems. Checking your path for "/.." and "\.." would take
care of that.

Then, after these tests, do your "is it inside the webroot?" check.

Uhm. I can't think of any other paranoia checks right now :)


Mikael Olsson, EnterNet Sweden AB, Box 393, SE-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-29 92 00         Fax: +46-(0)660-122 50
Mobile: +46-(0)70-66 77 636
WWW: http://www.enternet.se        E-mail: mikael.olssonenternet.se
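The checks Mikael lists (decode first, whitelist the character set, reject ".." and doubled separators, then confirm the canonical path is still under the web root), collected into one Java method. This is an added example, not code from either poster; the web root path, the class name and the whitelist are assumptions, and the ".." test is slightly stricter than the post's "/.." rule so that "..." is covered too.

```java
import java.io.File;
import java.io.IOException;
import java.net.URLDecoder;
import java.util.regex.Pattern;

public final class SafePath {
    // Hypothetical document root for this example; a real server would configure it.
    private static final File WEBROOT = new File("/var/www/htdocs");
    // Whitelist from the post: letters, digits, "." and "_", plus "/" as the separator.
    // Everything else (NUL, "\", "?", "*", spaces, 8-bit bytes) is rejected outright.
    private static final Pattern ALLOWED = Pattern.compile("[A-Za-z0-9._/]+");

    /** Returns the canonical file for a request path, or null if the request is rejected. */
    public static File resolve(String requestPath) throws IOException {
        // 1. Decode escapes BEFORE testing, so "%2e%2e%2f" is seen as "../" and "%00" as NUL.
        String decoded = URLDecoder.decode(requestPath, "UTF-8");
        // 2. Conservative character set; a decoded NUL or backslash never gets past here.
        if (decoded.isEmpty() || !ALLOWED.matcher(decoded).matches()) {
            return null;
        }
        // 3. Reject any ".." (covers "/..", leading "..", and "...") and doubled separators.
        if (decoded.contains("..") || decoded.contains("//")) {
            return null;
        }
        // 4. Canonicalise (resolves symlinks too) and confirm we are still inside the web root.
        File candidate = new File(WEBROOT, decoded).getCanonicalFile();
        String root = WEBROOT.getCanonicalPath() + File.separator;
        if (!candidate.getPath().startsWith(root)) {
            return null;
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample requests: one benign, the rest variations the post warns about.
        String[] samples = {
            "index.html", "%2e%2e/etc/passwd", "docs/.../secret", "img//logo.png",
            "file%00.txt", "a\\..\\b", "weird name.html"
        };
        for (String s : samples) {
            File f = resolve(s);
            System.out.println(s + " -> " + (f == null ? "REJECTED" : f.getPath()));
        }
    }
}
```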