Security : Validating File Upload

wai meng chan
Greenhorn

Joined: Jul 17, 2008
Posts: 4
Hi all, I am trying to get a GIF upload implemented on a site. I know how to actually implement it, but my concern is:

How does a servlet prevent or protect itself against malicious file uploads?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42596
The servlet engine only reads the uploaded byte stream and hands it to the servlet code (which presumably does nothing more than save it to disk). So I don't think there is much potential for trouble there.

If you want to make sure that it is a valid image file you'd have to try to open it, using javax.imageio.ImageIO or something similar, which is more problematic. You could do that under a ClassLoader and SecurityManager that implement very tight permissions (nothing more than reading a file from the directory where you store the uploaded files).


wai meng chan
Greenhorn

Joined: Jul 17, 2008
Posts: 4
Actually, I will need to process GIF files, which will be displayed on a web page. Is there any way to validate file types to be only GIF files when they are uploaded?
[ July 28, 2008: Message edited by: wai meng chan ]
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42596
The ImageInfo class can do that.
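
An added example, not part of the original posts: one way to do the check discussed above (only accept GIF files, and confirm it by actually opening the upload with javax.imageio). The class name `GifUploadValidator` and the size limits are assumptions for illustration, and the sample inputs in `main` are constructed.

```java
import javax.imageio.ImageIO;
import javax.imageio.ImageReader;
import javax.imageio.stream.ImageInputStream;
import javax.imageio.stream.MemoryCacheImageInputStream;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Iterator;

public class GifUploadValidator {
    // Assumed limits for this example; tune them to the application.
    static final int MAX_BYTES = 1 << 20;   // reject uploads larger than 1 MiB
    static final int MAX_DIMENSION = 2048;  // reject canvases wider/taller than this

    /** True only if the bytes start with a GIF signature and the GIF reader decodes them. */
    public static boolean isValidGif(byte[] data) {
        if (data == null || data.length < 6 || data.length > MAX_BYTES) return false;
        String sig = new String(data, 0, 6, StandardCharsets.US_ASCII);
        if (!sig.equals("GIF87a") && !sig.equals("GIF89a")) return false;

        // Ask for the GIF reader explicitly so no other format plugin is ever used.
        Iterator<ImageReader> readers = ImageIO.getImageReadersByFormatName("gif");
        if (!readers.hasNext()) return false;
        ImageReader reader = readers.next();
        try (ImageInputStream in = new MemoryCacheImageInputStream(new ByteArrayInputStream(data))) {
            reader.setInput(in, true, true);
            // Read the header first: oversized images are rejected before pixels are decoded.
            int w = reader.getWidth(0), h = reader.getHeight(0);
            if (w <= 0 || h <= 0 || w > MAX_DIMENSION || h > MAX_DIMENSION) return false;
            return reader.read(0) != null;  // full decode of the first frame
        } catch (IOException | RuntimeException e) {
            return false;                   // truncated or malformed image data
        } finally {
            reader.dispose();
        }
    }

    public static void main(String[] args) {
        // Constructed samples: a minimal 1x1 GIF, and text that only carries the signature.
        byte[] gif = Base64.getDecoder().decode(
                "R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAICRAEAOw==");
        byte[] notGif = "GIF89a, but no image data follows".getBytes(StandardCharsets.US_ASCII);
        System.out.println("minimal gif: " + isValidGif(gif));
        System.out.println("signature only: " + isValidGif(notGif));
    }
}
```

The signature check alone is not enough, since any file can begin with those six bytes; the decode step is what rejects the second sample.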
srinivas srinivasmeenavalli
Ranch Hand

Joined: Jul 13, 2008
Posts: 65
I think web server would take care of malicious file uploads.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42596
Originally posted by srinivas srinivasmeenavalli:
I think web server would take care of malicious file uploads.


No.
Paul Sturrock
Bartender

Joined: Apr 14, 2004
Posts: 10336

If you really want to check for viruses, you can delegate to the host machine for this. If the server your servlet container is on has an on-access virus scanner, it is easy enough to persist the uploaded file to disk then read it back. If the virus scanner quarantines the file, you will not be able to read it. It's tricky to convey to the client what has gone wrong this way, however.
[ July 28, 2008: Message edited by: Paul Sturrock ]
