Will the file name and contents uploaded by the user cause an attack on the server? Is there a possible security problem?

We made a management system for government departments, and were later asked to rectify the hidden security problems. One of the requirements is that the file name uploaded by the user cannot contain special characters.

Is it really possible to attack the server through uploaded files?


There is no doubt that "arbitrary file upload" is a type of vulnerability, and it is necessary to restrict the files that are uploaded.
Uploaded files that contain malicious code and are executed at the back end will often give the attacker a WebShell.

You might think: what does this have to do with the file name? There is a connection.
First of all, code contained in the file name may also be executed.
Second, special characters in the file name may invalidate your file upload check, as in CVE-2015-2348.

Respondent:
YvesX @ Chuangyu Front end


For example, send a "../test.jsp" file to the JSP site?
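A server-side check covering both replies above (special characters that defeat an extension check, and a traversal name aimed at a JSP site), as an added example that is not code from the original thread. It is written in Python for illustration; `UPLOAD_DIR`, `ALLOWED_EXT`, `safe_destination` and `verdict` are assumed names, and the sample file names in the comments are constructed.

```python
import os
import re
import secrets
from pathlib import Path

UPLOAD_DIR = Path("/srv/app/uploads")            # assumed storage root, outside the web root
ALLOWED_EXT = {".pdf", ".png", ".jpg", ".docx"}  # assumed allowlist of document types
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9 ._-]{0,99}")


class RejectedUpload(ValueError):
    pass


def safe_destination(client_name: str) -> Path:
    """Validate a client-supplied file name and return the path to store it at."""
    # NUL and other control characters can truncate the name in lower layers,
    # so the extension check would see a different name than the file system.
    if any(ord(c) < 32 or ord(c) == 127 for c in client_name):
        raise RejectedUpload("control character in file name")
    # Treat both separator styles as separators, whatever OS the server runs on.
    base = client_name.replace("\\", "/").rsplit("/", 1)[-1]
    if base != client_name:
        raise RejectedUpload("path component in file name")
    if not SAFE_NAME.fullmatch(base) or base.endswith((".", " ")):
        raise RejectedUpload("character outside the allowlist")
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_EXT:
        raise RejectedUpload("extension not allowed")
    # Store under a server-generated name; keep the original only as metadata.
    dest = (UPLOAD_DIR / (secrets.token_hex(16) + ext)).resolve()
    if UPLOAD_DIR.resolve() not in dest.parents:
        raise RejectedUpload("destination escapes upload directory")
    return dest


def verdict(client_name: str) -> str:
    """Return "ok" or the rejection reason for a client-supplied name."""
    try:
        safe_destination(client_name)
        return "ok"
    except RejectedUpload as exc:
        return str(exc)
```

Because the stored name is generated on the server, the client's name never reaches the file system; serving the upload directory as static content only (no script execution) closes the remaining gap.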
