Security violation - Fortify, MVC

Problem description

I am using HP Fortify to address the security issues in my application. I have a piece of code as below for which Fortify throws an error.

The Fortify result says:

The method DownloadAttachment() in fileName.cs includes unvalidated data in an HTTP response header on line lineNo. This enables attacks such as cache-poisoning, cross-site scripting, cross-user defacement, page hijacking, cookie manipulation or open redirect.

Code:

    using System.IO;
    using System.Web;
    using System.Web.Mvc;

    // fullFilePath comes straight from the request and is used unchanged both to read the
    // file from disk and to build the download name sent in the response header.
    public ActionResult DownloadAttachment(string fullFilePath)
    {
        var bytes = System.IO.File.ReadAllBytes(fullFilePath);
        return File(bytes, MimeMapping.GetMimeMapping(fullFilePath), Path.GetFileName(fullFilePath));
    }

What is the threat here and how to address this? Any suggestions?

Recommended answer

HP is right this is a problem but not in the way they are saying -- the threat here is that you've got an action method that will load any file the web server can read and let a visitor download it. This could easily lead to other attacks depending on what someone downloaded and your networking setup.

What you need to do is handle attachments a bit more carefully and a bit less generically -- this could be just taking the file name as a parameter and looking in a given folder for example.
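The following is an added example of the approach the answer describes, not code from the question or the answer. It shows the action rewritten to take a bare file name rather than a full path, restrict downloads to one fixed folder, and derive the `Content-Disposition` download name from the validated path instead of the raw request value (which is the header data Fortify flagged). The controller name, the `~/App_Data/Attachments` folder and the extension allow-list are assumptions for the example.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Web;
using System.Web.Mvc;

public class AttachmentsController : Controller
{
    // Assumption for this example: attachments live in one fixed folder under the
    // application root; nothing outside it is ever served.
    private const string AttachmentFolder = "~/App_Data/Attachments";

    // Assumption for this example: only these extensions are meant to be downloadable.
    private static readonly HashSet<string> AllowedExtensions =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { ".pdf", ".png", ".docx" };

    // Takes a bare file name instead of a full path, as the answer suggests.
    public ActionResult DownloadAttachment(string fileName)
    {
        if (string.IsNullOrWhiteSpace(fileName))
            return new HttpStatusCodeResult(400, "Missing file name");

        // 1. Accept only a bare file name: no directory separators, no "." or "..", and no
        //    characters that are invalid in a file name. That set includes CR and LF, so the
        //    value is also safe to echo into the Content-Disposition header later.
        if (fileName != Path.GetFileName(fileName)
            || fileName.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0
            || fileName == "." || fileName == "..")
            return new HttpStatusCodeResult(400, "Invalid file name");

        // 2. Only files with an allowed extension are served.
        if (!AllowedExtensions.Contains(Path.GetExtension(fileName)))
            return new HttpStatusCodeResult(400, "File type not allowed");

        // 3. Build the path under the fixed folder and re-check the canonical result, so that
        //    the resolved file is guaranteed to sit inside that folder.
        string root = Path.GetFullPath(Server.MapPath(AttachmentFolder))
                          .TrimEnd(Path.DirectorySeparatorChar);
        string fullPath = Path.GetFullPath(Path.Combine(root, fileName));
        if (!fullPath.StartsWith(root + Path.DirectorySeparatorChar, StringComparison.OrdinalIgnoreCase))
            return new HttpStatusCodeResult(400, "Invalid file name");

        if (!System.IO.File.Exists(fullPath))
            return HttpNotFound();

        // 4. The download name placed in the Content-Disposition header is derived from the
        //    validated canonical path, not from the raw request value.
        string downloadName = Path.GetFileName(fullPath);
        return File(fullPath, MimeMapping.GetMimeMapping(fullPath), downloadName);
    }
}
```

Because the file name is checked before it reaches `Path.Combine`, and the combined path is canonicalised and checked again against the folder root, the action can no longer be used to read files outside the attachment folder, and the value that ends up in the response header is one the application has validated rather than echoed. Where attachments are already tracked in a database, an equally sound variant is to accept only an attachment id and look the stored file name up server-side.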
