How to escape user-entered filenames

Hello,
I have a Java app where the user enters the name of the file to load.
However, I only want them to load the file from THAT PARTICULAR DIRECTORY.
I understand that there is a danger that they might enter a filename like this: "../../../etc/passwd".
Is there a fool-proof method of checking to make sure that the file is in that directory? Or perhaps encoding the filename using some utility?
Here is how I load the file:
File file = new File(sourceDir + "/" + sourceFilename);
if (!file.exists()) return null;
FileInputStream fstream = new FileInputStream(file);
In this case, sourceDir is the directory where I keep the files that I allow them to load.
Thanks!

Create a File object from whatever the user entered. Create another File object from the directory which you are restricting the user to.
Then use the getParentFile() method of the user's File object repeatedly. If it's ever equal to the File object of your directory, it's good. If it's ever null, it's bad.
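One caveat a practitioner will want before relying on the parent walk above: File.getParentFile() is purely lexical, so for "/data/files/../../../etc/passwd" the walk passes through "/data/files" and accepts the input even though the file that gets opened is /etc/passwd. The check has to be done on canonical paths. The following is an added example (not code from the original thread) using java.nio.file (Java 7+): it canonicalizes the base directory once, resolves and normalizes the user's input against it, and refuses anything whose normalized path, or real path once symlinks are followed, does not start with the base directory. The class name, the temporary directory and the sample inputs are assumptions made for the demonstration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

public class ConfinedFileLoader {
    private final Path baseDir;

    public ConfinedFileLoader(String sourceDir) throws IOException {
        // Canonicalize once: resolves symlinks and ".." so later comparisons use the real directory.
        this.baseDir = Paths.get(sourceDir).toRealPath();
    }

    /** Returns the resolved path if the user input stays inside baseDir, otherwise null. */
    public Path resolveInside(String sourceFilename) throws IOException {
        if (sourceFilename == null || sourceFilename.isEmpty() || sourceFilename.indexOf('\0') >= 0) {
            return null;
        }
        // resolve() replaces baseDir entirely when the input is absolute ("/etc/passwd"),
        // and normalize() collapses "..", so a component-wise prefix check catches both cases.
        Path candidate = baseDir.resolve(sourceFilename).normalize();
        if (!candidate.startsWith(baseDir)) {
            return null;
        }
        // A symlink placed inside baseDir can still point outside it; check the real path too.
        if (Files.exists(candidate) && !candidate.toRealPath().startsWith(baseDir)) {
            return null;
        }
        return candidate;
    }

    /** Replacement for the FileInputStream in the question; null means "refused or not a regular file". */
    public InputStream open(String sourceFilename) throws IOException {
        Path p = resolveInside(sourceFilename);
        if (p == null || !Files.isRegularFile(p)) {
            return null;
        }
        return Files.newInputStream(p);
    }

    public static void main(String[] args) throws IOException {
        // Constructed demo data: a temporary directory holding one file.
        Path tmp = Files.createTempDirectory("confined");
        Files.write(tmp.resolve("report.txt"), "hello".getBytes(StandardCharsets.UTF_8));
        ConfinedFileLoader loader = new ConfinedFileLoader(tmp.toString());

        String[] inputs = {
            "report.txt",              // accepted
            "sub/../report.txt",       // accepted: normalizes back inside baseDir
            "../../../etc/passwd",     // rejected: normalizes outside baseDir
            "/etc/passwd",             // rejected: absolute input replaces baseDir in resolve()
            "sub/../../report.txt"     // rejected: one ".." too many
        };
        for (String in : inputs) {
            Path p = loader.resolveInside(in);
            System.out.println(in + " -> " + (p == null ? "REJECTED" : "ok: " + p));
        }
    }
}
```

The comparison is done on Path objects, not on strings, so Path.startsWith() matches whole components ("/data/files" is not a prefix of "/data/files2/x") and absolute inputs of any platform form fail the test after resolve(). What the check cannot cover is the window between the real-path test and the open, during which a symlink inside the directory could be swapped; keep the directory writable only by trusted users so that window cannot be exploited.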

Similar Messages

  • How to use user-entered dates in an interval

    Hi,
    The user will enter a date range in a variable.
    As per my requirement, I want to use the number of days between those two user-entered dates in my calculation.
    How can I achieve this at report level?
    Thanks

    Hi,
    Create a variable with an interval.
    There is a function module which calculates the number of days between the dates.
    Go to SE38 and the ZXRSRU01 program.
    Write the code like this (not exact code); you can modify it:
    WHEN 'ZZZZZ'. (Before that, create a formula variable to get the number of days between the dates and use the technical name of the formula variable here.)
    Read the lower limit and the upper limit of the caldaz variable:
    FROMDATE = L_S_RANGE-LOW.
    TODATE = L_S_RANGE-HIGH.
    Then call the function module.
    Search for the function module by using "days" in SE37.
    Then pass the from and to dates to the function module; it will return the number of days.
    Update that to the table E_T_RANGE.
    You can proceed with this.
    Regards
    M.A

  • How to handle user-entered data validation

    Hi,
    In my page I have three fields:
    Empname (String)
    Empnumber (Number)
    DOB (Date)
    These fields are mapped to a VO, which is mapped to an EO.
    When the user enters a string in the Empnumber field, it throws the following error: "Cannot create an object of type:oracle.jbo.domain.Number with value hghfg"
    I want to display the above error in a user-friendly fashion.
    Where do I do this and how?
    And I have one more question:
    Can we handle all the exceptions in the setter method of EOIMPL?
    -Thanks
    Mithun

    Sumit,
    I have set 'Disable Client Side Validation' to true in the property inspector for the submit button. Added the code below for validation.
    In CO:
    String lb_flag = (String) am.invokeMethod("validateRVSize", prm1, prmType1);
    In AM:
    public String validateRVSize(String val) {
        String values = "1234567890' ";
        for (int i = 0; i < val.length(); i++) {
            if (values.indexOf(val.charAt(i)) < 0) {
                return "false";
            }
        }
        return "true";
    }
    But what I have observed is that control is not coming to processFormRequest at all; it is doing its validation in processFormData itself, I suppose,
    because no statement gets printed if I enter characters in the number field.
    -Mithun

  • How to keep a user-entered value in a textbox even if the JSP page gets refreshed

    Hi Experts,
    In my JSP page I have one text field (customer name) and a number of checkboxes and radio buttons.
    My problem is:
    If the user enters some value in the text box and after that clicks on some radio button, the page gets refreshed because of some action on the radio button, and the value entered by the user in the text box vanishes.
    I want to keep the text box value as it is even if the page gets refreshed because of some action.
    Is there any setting in the Struts framework for this?
    I am using the Struts framework.
    Please let me know if you need more information.

    Sorry, I don't clearly understand the question, and the horrible code (Java code doesn't belong in JSPs) doesn't make it easier to understand.
    My best guess is that you need to learn about passing request parameters/attributes in JSP and the possibility of storing attributes in the session. And based on the code, also learn how to separate the data, business and presentation layers properly.

  • How to get a user-entered value in a text variable

    Hi,
    I have made a text variable to show the user-entered value in the column header.
    The user enters a value in a formula variable ABC whose default value is, say, '30'.
    I am using a customer exit to capture this value in the text variable. The code is as follows:
    IF i_vnam EQ 'txtvar'.
      IF i_step = 2.
        LOOP AT i_t_var_range INTO loc_var_range
          WHERE vnam = 'ABC'.
          CLEAR l_s_range.
          l_s_range-low  = loc_var_range-low.
          l_s_range-opt  = 'EQ'.
          l_s_range-sign = 'I'.
          APPEND l_s_range TO e_t_range.
          EXIT.
        ENDLOOP.
      ENDIF.
    ENDIF.
    Now when I am executing the query I am getting the default value in the column header, i.e. 30. But when the user changes this default value to something else while executing the query, I simply get a blank in the column. The changed value is not getting captured in the text variable.
    Thanks

    Hi,
    Instead of going for an exit,
    just create a text variable with processing type Default/Manual Entry and set the default value as you wish;
    use it in the KF header; don't use the same text variable for the query title.
    Now I tried this for you and it is working fine.
    Regards
    ReddY A

  • How can a user enter as many inputs as they specified?

    I am writing a program that makes calculations on data entered by the user. First I ask the user how many inputs he/she wants. And my problem is how the user can enter as many inputs as he/she asked for. How do I make the program ask for input more than once, before I do the calculation on the entered data?
    I am sorry if my English is hard to understand, but I hope this was understandable.

    I think you should use a readInt(), if you have such a method in your Keyboard class, to ask for the number of values.
    Then create a float array with that many elements, and use the for-loop you have shown:
    for (...) {
      numbers[ i-1 ] = Keyboard.readFloat(); // numbers is a float array
      // if you let i go from 0 to i < tall, then you don't need to subtract 1 from i.
    }

  • How to compare user entered date with current date

    Hi all,
    My requirement is: the user is allowed to select one date, and in code I have to compare this date with the current date. It should be a 15-day gap, otherwise display an error message.
    I am worried about how to get the current date in code. Is there any code to get the current date? Please reply to me with code or mail me at [email protected]
    Thanks
    keerthi

    Keerthi,
    Use the method getDifference() of the DateHelper.java available here: http://www.koders.com/java/fid14A61FEB1B45A64E42E1DCAD7070B46AE46340BA.aspx
    1. Create a new folder, say util, under your src folder (com.xyz.util).
    2. Put this DateHelper.java file in that folder (com.xyz.util).
    3. Now, write an import statement for this Java class in the required view.
    4. Use the getDifference() method of this class to get the difference in days between two dates.
    Or
    Simply use this code:
    // Get msec from each, and subtract.
    long diff = currDate.getTime() - selectedDate.getTime();
    // Whole days only: integer division truncates any partial day. The result must be a long;
    // assigning a long expression to an int does not compile.
    long noOfDays = diff / (1000L * 60 * 60 * 24);
    where currDate is today's Date and selectedDate is the Date selected by the user.
    Bala

  • How to run user enter value query and get result on Text item

    Hi,
    I'm really a newbie at JDeveloper and ADF. I want to run the query below. Before, with Forms, I just added :TEXT_NAME to get the user-entered value; what do I have to do now with ADF? Really, it's not a clear question, and I would appreciate any help with this.
    select
    nvl(min(substr(a.starttime,1,8)),0) Service_Start_Time, nvl(sum(a.sessionvolume),0) Total_Traffic_KB
    FROM
    aaa_bill a
    where
    msid=:TEXT_ITEM
    and starttime >=(select max(fee) FROM aaa_bill
    where msid=:TEXT_ITEM and accountreason=5) ;

    You can use an ADF parameter form for this requirement.
    https://blogs.oracle.com/shay/entry/combining_multiple_queries_and

  • How can a user enter a value in a field which is in read mode?

    Hi all,
    I am creating a BAdI for the valuation class. Whenever I execute the MM02 transaction, if an invalid valuation class is entered, my error message pops up, but it is coming in display mode. I should get the valuation class field in read mode.
    Regards,
    charita.

    Hi Charita,
    Use an information message instead of an error message. Then it will not give you that field in non-editable mode.
    Reward points if it solves your query or the answer is helpful.
    Thanks
    Chinmay

  • How to allow users to enter invoices batch-wise

    Dear,
    In R12, how can we mark invoices to be created only batch-wise in Oracle Payables Manager?
    Thanks.

    Please set the profile AP: Use Invoice Batch Controls to Yes and retest.
    Thanks
    Pradeep

  • JavaServer Faces: How-to avoid users entering application URLs directly

    Hi Frank,
    I have read your article and implemented it, but I have a problem in redirecting the user to the login page. The code snippet is:
    if (((HttpServletRequest) request).getMethod().equalsIgnoreCase("GET") &&
            !isAllowedPage(request)) {
        HttpServletResponse oResponse = null;
        oResponse.sendRedirect("Login.jsp"); // [But it did not work]
    }
    chain.doFilter(request, response);
    Please help me... (what code should I write for the redirection?)

    I have used basic authentication, but when the login/password window appears and I pass the user/password, the following message appears:
    You are not authorized to view this page
    You might not have permission to view this directory or page using the credentials you supplied.
    My web.xml file looks like this:
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>adfAuthentication</web-resource-name>
    <url-pattern>/adfAuthentication</url-pattern>
    </web-resource-collection>
    <auth-constraint>
    <role-name>oc4j-administrators</role-name>
    </auth-constraint>
    </security-constraint>
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>empprofile</web-resource-name>
    <url-pattern>faces/empprofile/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
    <role-name>admin</role-name>
    </auth-constraint>
    </security-constraint>
    <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>jazn.com</realm-name>
    </login-config>
    <security-role>
    <role-name>oc4j-administrators</role-name>
    </security-role>
    <security-role>
    <role-name>admin</role-name>
    </security-role>
    <resource-ref>
    <res-ref-name>jdbc/OracleDBConnectionDS</res-ref-name>
    <res-type>javax.sql.DataSource</res-type>
    <res-auth>Container</res-auth>
    </resource-ref>
    My jazn-data.xml file looks like this:
    <?xml version = '1.0' encoding = 'windows-1252' standalone = 'yes'?>
    <jazn-data xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/jazn-data-10_0.xsd"
    filepath="" OC4J_INSTANCE_ID="">
    <jazn-realm>
    <realm>
    <name>jazn.com</name>
    <users>
    <user>
    <name>amir</name>
    <credentials>{903}hy9JMGVS8lau4hu2OhJWv8YgglfpgRR2</credentials>
    </user>
    </users>
    <roles>
    <role>
    <name>admin</name>
    <members>
    <member>
    <type>user</type>
    <name>amir</name>
    </member>
    </members>
    </role>
    </roles>
    </realm>
    </jazn-realm>
    </jazn-data>
    My orion-application file looks like this:
    <?xml version = '1.0' encoding = 'windows-1252'?>
    <orion-application xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/orion-application-10_0.xsd">
    <jazn provider="XML" default-realm="jazn.com"/>
    </orion-application>
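The redirect in the snippet above fails for two reasons that are visible in the code itself: the HttpServletResponse it calls sendRedirect() on is a freshly declared null reference rather than the response the container passed to doFilter, and chain.doFilter() is still called after the redirect, so the protected page is served anyway. Restricting the check to GET also does nothing for security, since the same page can be fetched with POST. As an added example (not code from the post or from the article it refers to), here is a javax.servlet filter, as used on OC4J-era Java EE, that redirects with the real response object, stops the chain, and checks every method. The class name, the "user" session attribute and the /Login.jsp path are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Sends requests without a logged-in session to the login page.
 * Assumptions: the login handler stores a "user" attribute in the session, and the login
 * page is served at /Login.jsp relative to the context root (prefix it with the FacesServlet
 * mapping, e.g. "/faces", if the page goes through JSF).
 */
public class LoginRedirectFilter implements Filter {
    private static final String LOGIN_PAGE = "/Login.jsp";
    private static final String USER_ATTR = "user";

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response; // the container's response, never a new null

        // Every method is checked: a POST to a protected page is as much a bypass as a GET.
        if (!isAllowedPage(req)) {
            resp.sendRedirect(req.getContextPath() + LOGIN_PAGE);
            return; // the response is committed; continuing the chain would still serve the page
        }
        chain.doFilter(request, response);
    }

    /** True for the login page itself (avoids a redirect loop) and for any request with a logged-in session. */
    static boolean isAllowedPage(HttpServletRequest req) {
        String path = req.getServletPath() + (req.getPathInfo() == null ? "" : req.getPathInfo());
        if (LOGIN_PAGE.equals(path)) {
            return true;
        }
        HttpSession session = req.getSession(false); // false: do not create sessions for anonymous hits
        return session != null && session.getAttribute(USER_ATTR) != null;
    }

    public void destroy() { }
}
```

The filter still has to be registered in web.xml with a <filter> element and a <filter-mapping> whose url-pattern covers the protected pages (for example /*), otherwise the container never invokes it.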

  • Interactive Report - comparing a user-entered text field against a table field - the comparison is not finding a hit when it should.

    Example:
    The user enters 12345 in a pre-filter item_number field, and this value exists in the table, but it is defined as VARCHAR2(2000).
    No match is found. Do I need to define this text field in a certain way so that a match occurs, say in the element or source for P1_ITEM_NUMBER?
    How does a user-entered value of 12345 match a value in the table of 12345, defined as a VARCHAR2(2000)?
    Thanks

    Why are you storing numbers in a VARCHAR2?
    This is bad design. (Storing date information in a VARCHAR2 field is even worse.)
    99% of the time, when the number 12345 does not match the string '12345', it is because the value in the table is actually '                         12345'.
    Run the following SQL command in the SQL Workshop. (You'll need to adjust it to match your schema, table and column names.)
    select item_number, length(item_number) as string_length
    from schema_name.table_name;
    If '12345' does not have a string_length of 5, then you have bad data in your database.

  • Clearing out user entered variables

    I have a BI 7.0 query that displays materials that have not moved in 'X' number of days.
    1. My variable screen shows "No movements since <blank>". The user enters a number in this variable (ZV_NUM_DAYS), e.g. 90.
    2. I created a variable (not ready for input) on the movement_date field. This variable gets populated with a range of dates based on the "Number of Days" entered by the user, in I_STEP2 of the variable exit.
       e.g. LOW = 19000101
            HIGH = SY-DATUM - the value from the user-entered variable
    I still need to clear out the user-entered variable ZV_NUM_DAYS so that a filter of '90' does not get applied to the cube.
    I cannot clear out ZV_NUM_DAYS in I_STEP2 as it is user-entered. I tried doing so in I_STEP3 - clearing out E_T_RANGE for the variable. The debugger shows me E_T_RANGE cleared out; however, it still sets the filter of '90' on the cube.
    Any thoughts on how to clear user-entered variables?
    Regards,
    - Ash

    Thanks for your responses.
    @Arunkumar - could you please elaborate on this option? I don't know of a way to create variables on key figures.
    @Dennis - I tried turning the cache off; no effect. It turns out that when I change e_t_range values in STEP3, it does not save the change somehow, although the debugger displays the modified table data.
    Regards,
    Ash

  • How to clear the data on my page after the user presses the submit button

    Hi,
    How do I clear the data on my page after the user presses the submit button? Actually, on the first press itself the data is uploaded to the database.

    Hi Nazeer,
    Instead of doing it on the same button, better create a separate button for this functionality. As per my understanding, you want to clear these fields to create a new record, so that you can enter a new record; for this you just need to insert a new row in the VO.
    Still, if you want to do it on the same button, then you need to put in a check that the particular record is not dirty; if it is not, then create a new record, else create a new record.
    One more thing: if you clear on the second click of a button, how will you update your record?
    Regards,
    Reetesh Sharma

  • How To Allow User To Enter "$" In A Number Field

    I have a form that includes various numeric fields in which the user should enter dollar values. It works fine if the user enters a number WITHOUT a dollar sign. Suppose the user enters "1234"; the field will display "$1,234.00", which is exactly what I want. However, if the user decides to change the value, clicks on the field, and replaces the "00" with "56", then when they leave the field it will display "$0.00". I've figured out this is because they left the dollar sign in the field when editing.
    So, how can I fix the validation or other settings so that someone could enter "$1234" and have it show "$1,234.00" instead of "$0.00"?
    Thank you!
    Mike

    Hi MJD729,
    Have you applied patterns on the numeric field? Select a pattern like $1,234.21 in the Display and Edit tabs of the Patterns - Numeric Field dialog box and then check.
    Regards,
    Ratnesh
