A cross-site and a file canonicalization problems
Hi. I'm analyzing my code C# with CAT.NET Code Analysis and getting "Sanitize the file path prior to passing it to file system routines" message for File.Move(Path + "\\...
and a cross-site redirection vulnerability “Do not allow off-site redirections to absolute URLs that can be specified by the user” for Response.Redirect("file:" + Path + "\\...
Is there any solution to these problem? Thanks!
protected void Button1_Click(object sender, EventArgs e)
{
if (FileExt == "aa")
{
if (ListBox1.SelectedValue == "")
{
Response.Redirect("Page1.a
}
else
{
Response.Redirect("file:" + Path + "\\filepath_aa\\" + Status + "\\" + ListBox1.SelectedValue);
}
}
else if (FileExt == "bb")
{
if (ListBox1.SelectedValue == "")
{
Response.Redirect("Page1.a
}
else
{
Response.Redirect("file:" + Path + "\\filepath_bb\\" + Status + "\\" + ListBox1.SelectedValue);
}
}
}
protected void Button2_Click(object sender, EventArgs e)
{
if (FileExt == "aa")
{
if (Status == "New")
{
if (ListBox1.SelectedValue == "")
{
Response.Redirect("Page1.a
}
else
{
File.Move(Path + "\\filepath_aa\\New\\" + ListBox1.SelectedValue, Path + "\\filepath_aa\\New\\New_I
}
}
else if (Status == "Closed")
{
if (ListBox1.SelectedValue == "")
{
Response.Redirect("Page1.a
}
else
{
File.Move(Path + "\\filepath_aa\\Closed\\" + ListBox1.SelectedValue, Path + "\\filepath_aa\\Closed\\Cl
}
}…
and a cross-site redirection vulnerability “Do not allow off-site redirections to absolute URLs that can be specified by the user” for Response.Redirect("file:" + Path + "\\...
Is there any solution to these problem? Thanks!
protected void Button1_Click(object sender, EventArgs e)
{
if (FileExt == "aa")
{
if (ListBox1.SelectedValue == "")
{
Response.Redirect("Page1.a
}
else
{
Response.Redirect("file:" + Path + "\\filepath_aa\\" + Status + "\\" + ListBox1.SelectedValue);
}
}
else if (FileExt == "bb")
{
if (ListBox1.SelectedValue == "")
{
Response.Redirect("Page1.a
}
else
{
Response.Redirect("file:" + Path + "\\filepath_bb\\" + Status + "\\" + ListBox1.SelectedValue);
}
}
}
protected void Button2_Click(object sender, EventArgs e)
{
if (FileExt == "aa")
{
if (Status == "New")
{
if (ListBox1.SelectedValue == "")
{
Response.Redirect("Page1.a
}
else
{
File.Move(Path + "\\filepath_aa\\New\\" + ListBox1.SelectedValue, Path + "\\filepath_aa\\New\\New_I
}
}
else if (Status == "Closed")
{
if (ListBox1.SelectedValue == "")
{
Response.Redirect("Page1.a
}
else
{
File.Move(Path + "\\filepath_aa\\Closed\\" + ListBox1.SelectedValue, Path + "\\filepath_aa\\Closed\\Cl
}
}…
Who is Participating?
Question has a verified solution.
Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.
Have a better answer? Share it in a comment.
All Courses
From novice to tech pro — start learning today.
Try validating ListBox1.SelectedValue against the list used to populate it. This is to garantee that the user did not temper with the values. Maybe something like this:
Open in new window
If Path and Status also come from user input they need to be validated also.
I hope this helps.