
Handling invalid file names in multipart middleware

Open expez opened this issue 7 years ago • 1 comments

I just spotted this stack trace in our logs, as someone tried to mess with our servers:

  	org.apache.commons.fileupload.InvalidFileNameException: Invalid file name: DwldYyIuSimpleASP6qrV.asp\0.svg
	at org.apache.commons.fileupload.util.Streams.checkFileName(Streams.java:189) ~[acme-1.56.33-standalone.jar:na]
	at org.apache.commons.fileupload.FileUploadBase$FileItemIteratorImpl$FileItemStreamImpl.getName(FileUploadBase.java:829) ~[acme-1.56.33-standalone.jar:na]
	at ring.middleware.multipart_params$parse_file_item.invokeStatic(multipart_params.clj:86) ~[acme-1.56.33-standalone.jar:na]

I'd prefer returning a 400 response, with a message about an invalid filename, but I can't see a way to do that, so this results in a 500 catch-all response. Am I missing something?

If not, would you welcome a PR?

expez, Aug 21 '18 09:08

You can wrap the middleware in other middleware that catches that specific exception, but you're right that it should result in a 400 error rather than a 500 error. A PR would be welcome.

weavejester, Aug 21 '18 12:08
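The wrapping approach suggested in the reply above, as an added example that is not code from this thread or from Ring itself. The namespace `example.middleware` and the names `wrap-invalid-filename` and `wrap-safe-multipart-params` are hypothetical; it assumes the commons-fileupload 1.x package shown in the stack trace.

```clojure
(ns example.middleware
  (:require [ring.middleware.multipart-params :refer [wrap-multipart-params]])
  (:import (org.apache.commons.fileupload InvalidFileNameException)))

;; Fixed response body: the rejected file name is attacker-controlled
;; (here it carried an embedded NUL), so it is not echoed back.
(def ^:private bad-filename-response
  {:status  400
   :headers {"Content-Type" "text/plain; charset=utf-8"}
   :body    "Invalid file name in multipart upload."})

(defn wrap-invalid-filename
  "Hypothetical middleware: converts an InvalidFileNameException thrown
  while the wrapped handler runs into a 400 response. Only this one
  exception class is caught; anything else still propagates."
  [handler]
  (fn
    ;; Synchronous handlers.
    ([request]
     (try
       (handler request)
       (catch InvalidFileNameException _
         bad-filename-response)))
    ;; Asynchronous handlers. Assumption: the multipart body is parsed on
    ;; the calling thread before the inner handler is invoked, so the
    ;; exception surfaces here rather than through `raise`.
    ([request respond raise]
     (try
       (handler request respond raise)
       (catch InvalidFileNameException _
         (respond bad-filename-response))))))

(defn wrap-safe-multipart-params
  "Hypothetical convenience wrapper. wrap-invalid-filename must be the
  outer layer so it sees exceptions raised by wrap-multipart-params."
  [handler]
  (-> handler
      wrap-multipart-params
      wrap-invalid-filename))
```

Use `wrap-safe-multipart-params` wherever `wrap-multipart-params` was applied directly; if the 400s should be visible to monitoring, add a log call in the `catch` branches.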