Reputation: 2564
Is it possible to upload a file with malicious filename?
Is it possible to send a http upload request a file to a Apache or IIS that will have a fileName with "../" or ".." that wouldn't be rejected and would be passed to php or ASP.Net engine?
Upvotes: 0
Views: 194
Answers (1)
Reputation: 36
Not really the way you are asking. By the time it gets to the server the browser has read the file and delivered it as a chunk of content with no information about where it came from other than the original file name which you can choose to use or discard.
Generally file uploads go into a temporary storage place (e.g. /tmp) and then need to be moved out of there to somewhere which you can control and name.
This storage is configured on the server, and so any attempt to put path info into the filename should also be blocked by the file upload implementation of the server which should sanitise the filenames again if the browser didn't already do so.
If there's a bug then all bets are off though.
Upvotes: 1
Related Questions
- How do I change the file name before sending to upload_file.php?
- PHP File upload security - keeping the original file name
- Uploading file with random name but missing extension
- Why save file with original name is dangerous in an upload?
- Php Upload File Without Rename
- HTML File Upload action - can this be hacked to spam endless file uploads
- is it possible to change the name of a file after it's been uploaded
- HTTP file upload: Can I rely on the browser always sending a file name?
- PHP upload filename
- Is it possible to use <input type="file"> just to post the filename without actually uploading the file?