The application stores daily reports in a common way. Our application generates a URL linking to the Excel files, such as
http://application/ExcelTask/Index.cfm?type=Report&fileName=Report_Mar2014.xlsx
with cfm code like
<!--- filePath is built from URL.type and URL.fileName without any validation --->
<cfif FileExists("#filePath#")>
    <cfheader name="Content-Disposition" value="inline; filename=""#URL.fileName#""">
    <cfcontent type="application/vnd.ms-excel" file="#filePath#">
</cfif>
What we learned is that, if users know our directory structure, cfm files can be loaded using URL injection, for example
http://application/ExcelTask/Index.cfm?type=../ExcelTask&fileName=Index.cfm
I can add a condition that only permits files like xls and xlsx, but that looks like plan B.
Any ideas on how to restrict access to the folder?
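A hardened version of the download handler, added here as an example and not the asker's own code: it drops the `type` parameter from path construction, keeps only the bare file name, allow-lists the name and extension, and then proves the canonical path still lies inside a fixed base directory before serving it. The `reports` directory next to the template is a placeholder assumption; replace it with the real location of the report files.

```cfml
<!--- Added example, not the original handler. Assumes reports live in a fixed
      base directory "reports" next to this template (placeholder path) and that
      the client-supplied "type" parameter is no longer used to build the path. --->
<cfset fileObj = createObject("java", "java.io.File")>
<cfset sep     = fileObj.separator>
<cfset baseDir = fileObj.init(ExpandPath("./reports")).getCanonicalPath() & sep>

<!--- 1. Keep only the file name part; any directory component the client sent is discarded. --->
<cfset requestedName = GetFileFromPath(URL.fileName)>

<!--- 2. Allow-list: letters, digits, underscore, hyphen, and an .xls/.xlsx extension. --->
<cfif NOT ReFindNoCase("^[A-Za-z0-9_\-]+\.xlsx?$", requestedName)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfabort>
</cfif>

<!--- 3. Resolve the final path and verify it is still under baseDir (defence in depth:
         this also catches anything the allow-list might miss, e.g. symlinks). --->
<cfset filePath = fileObj.init(baseDir, requestedName).getCanonicalPath()>
<cfif Left(filePath, Len(baseDir)) NEQ baseDir OR NOT FileExists(filePath)>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<!--- 4. Serve as a download; the echoed file name has already passed the allow-list. --->
<cfheader name="Content-Disposition" value="attachment; filename=""#requestedName#""">
<cfcontent type="application/vnd.ms-excel" file="#filePath#">
```

With this in place a request such as `fileName=../ExcelTask/Index.cfm` is reduced to `Index.cfm` by `GetFileFromPath`, rejected by the extension allow-list, and would in any case fail the canonical-path prefix check. Using `attachment` instead of `inline` also keeps the browser from rendering whatever is served, which matters if the extension rule is ever relaxed.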