5 Replies Latest reply on Oct 26, 2015 7:33 AM by michpetrov

Need help on rich:fileUpload issue on redhat

memain100 Oct 21, 2015 4:42 PM

I'm using rich:fileUpload in my application on redhat when I try to upload any file containing html code in file name i.e "file<img src=xyz onerror=alert('TEST')>Name.pdf", it gives me javascript alert before uploading the file. I tried it on live demo and found the same issue there as well. How can I restrict/escape execution of html/script or XSS in file name on redhat?

You can try it yourself by following steps on redhat.

Create a file with name "file<img src=xyz onerror=alert('TEST')>Name.pdf"
Access rich:fileUpload demo on richfaces showcase using below url.
Upload file and you will see a javascript alert.

http://showcase.richfaces.org:8000/richfaces/component-sample.jsf?demo=fileUpload&skin=blueSky

1. Re: Need help on rich:fileUpload issue on redhat

michpetrov Oct 22, 2015 8:12 AM (in response to memain100)

You can insert HTML and execute JavaScript from browser console, how is this different?
Actions
2. Re: Need help on rich:fileUpload issue on redhat

memain100 Oct 22, 2015 4:13 PM (in response to michpetrov)

Michal I understand your point, it is similar to that but on file select/upload cannot I validate/sanitize the file name?
I tried to validate the name on events like onadd, onfileselect, onfilesubmit, onbeforedonupdate but JavaScript in file name gets executed before these events are triggered.
Actions
3. Re: Need help on rich:fileUpload issue on redhat

michpetrov Oct 23, 2015 4:58 AM (in response to memain100)

You cannot do it. Why do you need to sanitize it? The fileupload doesn't enable users to do anything they cannot already do.
Actions
4. Re: Need help on rich:fileUpload issue on redhat

memain100 Oct 26, 2015 2:57 AM (in response to michpetrov)

My client gets code scanned from a security company, they found nothing except this and it has been reported as critical vulnerability.
Actions
5. Re: Need help on rich:fileUpload issue on redhat

michpetrov Oct 26, 2015 7:33 AM (in response to memain100)

If it were a security vulnerability it should've been reported and not discussed on a public forum.

Again, anyone can simply open the browser console and type $("<img src='xyz' onerror='alert(\"error\")' />").appendTo("body"). This is pretty much what the component does but it's easier to execute. The file list is temporary code (you can refresh the page to get rid of it), whatever a user puts in there affects only their "session". If the concern is about the filename being unsafe you can always check it in the upload listener, changing the client-side code to escape the filename wouldn't help with that.
Actions

Go to original post