Hacker News new | past | comments | ask | show | jobs | submit login

Any program that uses filenames as keys (and there are many) can have this vulnerability if the input validation has a weakness.

That's why things like upload sites usually ignore the provided file name and generate their own (unique) one, or else limit it to a very safe subset like [0-9A-Za-z_]




The POSIX portable filename character set is:

  A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
  a b c d e f g h i j k l m n o p q r s t u v w x y z
  0 1 2 3 4 5 6 7 8 9 . _ -
Additionally:

* The slash `/` is portable as a separator.

* The filename should not be empty

* The filenames `.` and `..` are special. (in many contexts it's reasonable to exclude all components that start with a dot)

* The filename should not start with a `-`

* The entire path should be no more than 256 bytes and no component should be more than 14 bytes (widely ignored since we assume modern filesystems).




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: