Server: please check for security problem

[smuellerDD]

This is a friendly reminder as the server behaved differently than I expected. The seen behavior seems to indicate a security issue, but due to the lack of insight, I may be off track.

When uploading files with the multi-form POST operation, one as to provide a file name. Due to an error on my side I accidentally provided a file name that contains path components, e.g. foo/bar/baz.bin instead of baz.bin.

The server happily accepted the upload and thus the file name. I would have expected a rejection. Thus, I would recommend to check the server code that such arbitrary path names do not pose a security hazard (e.g. pointing to absolute paths or using .. in its various forms including UTF-8 / UTF-16 or other encodings).

[celic]

Good thought. At the moment, I don't think we capture the original filename provided by users. I believe everything is stored under the supporting documentation ID. This might make it harder for files to point to each other during review though. Our original thought was that the supporting documentation should be as consolidated as possible.

I will double check on the security aspect with our other developers though.

[celic]

Confirmed, the filename is not recorded in any way from the user. This may make it more difficult to talk about other files in the same package, as any human won't have a way of knowing which file is which without opening them.

[smuellerDD]

ok, then my concern is not warranted :-)