user1129665
Forbidding Java URL from fetching local files?

I have a Java web application that has functionality to fetch remote files using URL.

While I was testing the code I found out that it is possible for an anonymous user to read a local file by changing the path of the file, /etc/passwd, to a file URL, file:///etc/passwd, and the file will be read by URL. Here is an example:

import java.io.BufferedInputStream;
import java.io.IOException;
import java.net.URL;
import javax.servlet.ServletOutputStream;
import javax.servlet.http.HttpServletResponse;

// Runs inside a servlet handler; `response` is the HttpServletResponse.
String remoteUrl = "file:///etc/passwd"; // some url we got from anonymous user
URL url = new URL(remoteUrl);            // no check on the scheme: "file" is accepted
byte[] data = new byte[1024];
int length;

// URL.openStream() dispatches to the handler for whatever scheme the user chose
BufferedInputStream inputStream = new BufferedInputStream(url.openStream());

ServletOutputStream outputStream = response.getOutputStream();
// OR PrintStream outputStream = System.out;

// Copies the stream (here /etc/passwd) straight into the HTTP response
while ((length = inputStream.read(data, 0, 1024)) >= 0) {
    outputStream.write(data, 0, length);
}

Any suggestions on fixing this issue?

Upvotes: 1

Views: 138

Answers (2)

Scott Neville

Reputation: 898

If you're using URL, you can get the protocol from it. In that case you can just throw an exception if the protocol is "file" (or is not "http", depending on how restrictive you want to make it).

Upvotes: 2
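The allow-list version of this answer in code. This is an added example, not code from the question or from either answer; the class name RemoteFetcher, the method names and the ALLOWED_SCHEMES set are assumptions. It rejects every scheme except the ones the feature needs (so "jar", "ftp" and any other built-in handler are refused along with "file"), and validates before openStream() is ever called.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.Set;

public final class RemoteFetcher {
    // Hypothetical allow-list: only the schemes the remote-fetch feature actually needs.
    // An allow-list is safer than blocking "file" alone, since other handlers exist.
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    /** Parses the user-supplied string and rejects any scheme not on the allow-list. */
    public static URL validateRemoteUrl(String remoteUrl) throws MalformedURLException {
        URL url = new URL(remoteUrl);
        // URL lower-cases the scheme on parsing, so "FILE:" and "file:" both yield "file".
        String scheme = url.getProtocol();
        if (!ALLOWED_SCHEMES.contains(scheme)) {
            throw new IllegalArgumentException("URL scheme not allowed: " + scheme);
        }
        return url;
    }

    /** Opens the stream only after the scheme has been validated. */
    public static InputStream openRemote(String remoteUrl) throws IOException {
        return validateRemoteUrl(remoteUrl).openStream();
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one legitimate URL and two that must be refused.
        String[] samples = {
            "https://example.com/report.pdf",
            "file:///etc/passwd",            // local file read from the question: rejected
            "jar:file:///tmp/a.jar!/x.txt",  // another built-in handler: rejected too
        };
        for (String s : samples) {
            try {
                validateRemoteUrl(s);
                System.out.println("accepted: " + s);
            } catch (IllegalArgumentException | MalformedURLException e) {
                System.out.println("rejected: " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Note that a scheme check only limits which handlers run; it says nothing about which hosts an http/https URL may point at, so if the application must not reach internal addresses that needs a separate host check.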

muruga

Reputation: 1073

Execute this process under a user who has restricted access to certain folders. This would be handled at the OS level, and the OS will allow the process access according to the permissions defined.

Upvotes: 1
