PeopleSoft Adoption Made Smooth & Simple!
On-The-Job Training Is made Intuitive & Easy With WalkMe's On-Screen Guidance Tool. Claim Your Free WalkMe Account Now
Course Of The Month
Become a Premium Member and unlock a new, free course in leading technologies each month.
Solved
A cross-site and a file canonicalization problems
Posted on 2011-03-04
Hi. I'm analyzing my code C# with CAT.NET Code Analysis and getting "Sanitize the file path prior to passing it to file system routines" message for File.Move(Path + "\\...
and a cross-site redirection vulnerability “Do not allow off-site redirections to absolute URLs that can be specified by the user” for Response.Redirect("file:" + Path + "\\...
Is there any solution to these problem? Thanks!
protected void Button1_Click(object sender, EventArgs e)
{
if (FileExt == "aa")
{
if (ListBox1.SelectedValue == "")
{
Response.Redirect("Page1.a
}
else
{
Response.Redirect("file:" + Path + "\\filepath_aa\\" + Status + "\\" + ListBox1.SelectedValue);
}
}
else if (FileExt == "bb")
{
if (ListBox1.SelectedValue == "")
{
Response.Redirect("Page1.a
}
else
{
Response.Redirect("file:" + Path + "\\filepath_bb\\" + Status + "\\" + ListBox1.SelectedValue);
}
}
}
protected void Button2_Click(object sender, EventArgs e)
{
if (FileExt == "aa")
{
if (Status == "New")
{
if (ListBox1.SelectedValue == "")
{
Response.Redirect("Page1.a
}
else
{
File.Move(Path + "\\filepath_aa\\New\\" + ListBox1.SelectedValue, Path + "\\filepath_aa\\New\\New_I
}
}
else if (Status == "Closed")
{
if (ListBox1.SelectedValue == "")
{
Response.Redirect("Page1.a
}
else
{
File.Move(Path + "\\filepath_aa\\Closed\\" + ListBox1.SelectedValue, Path + "\\filepath_aa\\Closed\\Cl
}
}…
and a cross-site redirection vulnerability “Do not allow off-site redirections to absolute URLs that can be specified by the user” for Response.Redirect("file:" + Path + "\\...
Is there any solution to these problem? Thanks!
protected void Button1_Click(object sender, EventArgs e)
{
if (FileExt == "aa")
{
if (ListBox1.SelectedValue == "")
{
Response.Redirect("Page1.a
}
else
{
Response.Redirect("file:" + Path + "\\filepath_aa\\" + Status + "\\" + ListBox1.SelectedValue);
}
}
else if (FileExt == "bb")
{
if (ListBox1.SelectedValue == "")
{
Response.Redirect("Page1.a
}
else
{
Response.Redirect("file:" + Path + "\\filepath_bb\\" + Status + "\\" + ListBox1.SelectedValue);
}
}
}
protected void Button2_Click(object sender, EventArgs e)
{
if (FileExt == "aa")
{
if (Status == "New")
{
if (ListBox1.SelectedValue == "")
{
Response.Redirect("Page1.a
}
else
{
File.Move(Path + "\\filepath_aa\\New\\" + ListBox1.SelectedValue, Path + "\\filepath_aa\\New\\New_I
}
}
else if (Status == "Closed")
{
if (ListBox1.SelectedValue == "")
{
Response.Redirect("Page1.a
}
else
{
File.Move(Path + "\\filepath_aa\\Closed\\" + ListBox1.SelectedValue, Path + "\\filepath_aa\\Closed\\Cl
}
}…
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
2 Comments
I think your ListBox1.SelectedValue variable is causing the problem.
Try validating ListBox1.SelectedValue against the list used to populate it. This is to garantee that the user did not temper with the values. Maybe something like this:
If Path and Status also come from user input they need to be validated also.
I hope this helps.
Try validating ListBox1.SelectedValue against the list used to populate it. This is to garantee that the user did not temper with the values. Maybe something like this:
Dim validValues As HashSet(Of String)
Dim selectedValue As String
selectedValue = validValues(ListBox1.SelectedValue)
...
Response.Redirect("file:" + Path + "\\filepath_aa\\" + Status + "\\" + selectedValue);
If Path and Status also come from user input they need to be validated also.
I hope this helps.
Featured Post
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
This article describes a simple method to resize a control at runtime. It includes ready-to-use source code and a complete sample demonstration application. We'll also talk about C# Extension Methods.
Introduction
In one of my applications…
Summary:
Persistence is the capability of an application to store the state of objects and recover it when necessary. This article compares the two common types of serialization in aspects of data access, readability, and runtime cost. A ready-to…
In this video, viewers will be given step by step instructions on adjusting mouse, pointer and cursor visibility in Microsoft Windows 10. The video seeks to educate those who are struggling with the new Windows 10 Graphical User Interface.
Change Cu…
If you’ve ever visited a web page and noticed a cool font that you really liked the look of, but couldn’t figure out which font it was so that you could use it for your own work, then this video is for you!
In this Micro Tutorial, you'll learn yo…
- Microsoft Applications
- Windows 10
- Windows OS
- Fonts Typography
- Windows 7, Microsoft Word
Suggested Courses
Earn Certification
HTML5 Specialist - Certification
Free withPremium
Course of the Month3 days, 15 hours left to enroll
630 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.