
I just see this line of code in VB in one file .aspx

FileUpload.SaveAs(sPath & "/" & FileUpload.FileName)

This line saves a file that a user uploaded. It uses the SaveAs method. I was worried about the sPath because the user can edit it.

The user can only save images, so it checks the filename extension. I thought someone could use a null character to save another file, like:

/path/evil.aspx0x00/image.jpg

Fortunately, this doesn't work. But is there another way to manipulate it? Can someone send another form of null character?

-- Edit

As far as I know, these are the types of null character (this is my list):

  • 0x00
  • %00
  • /0
  • /x0
  • �
  • �

Are there more?

--Edit 2

Lol, this list gives more types of null character

Rodrigo
2 Answers

FileUpload.FileName is fully user-specified. It can contain "/../" and other similar path escape sequences, so you can't trust it.

If you're saving the file to disk, the best thing to do would be to ignore the user-provided filename and to create your own guaranteed safe filename instead. For instance, you could generate a new GUID to accomplish this. If you absolutely must use the user-provided filename, consider restricting it to only { alphanumeric characters, hyphen, underscore, period } and enforce that the filename must begin and end with an alphanumeric character.

Levi

In a file upload mechanism a few things should always be checked; basic checking of file extensions only is not sufficient in my opinion.

  1. File header checking: Read the first few bytes of the file and determine if it is an image or not.
  2. Convert the image: If step 1 is successful, convert the image to a format other than the uploaded format. This is to delete possible malicious code in images.

As for your question regarding null-byte injection: besides 0x00, %00 can also be used in file names, for example:

/path/evil.aspx%00.jpg

I doubt this will work in ASPX but depends on your configuration.

Jeroen
  • lol, I already tested %00. I understand that it needs to check the file type. But the guys are saying it is too difficult for every type. They say they can't see a way to break it. – Rodrigo Dec 10 '14 at 11:37
  • As far as I know, I tested 0x00, %00, %00000. I see that if I send " or & the function says it is an illegal character for a file name. – Rodrigo Dec 10 '14 at 11:43
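Putting both answers together (Levi's server-generated GUID filename with an allow-listed extension, and Jeroen's file-header check) in VB.NET, as an added example that is not code from the original question or either answer. It assumes an ASP.NET Web Forms FileUpload control and an upload root that comes from server-side configuration, never from the request; the user's base name is never used, so "..", slashes and null bytes in FileName never reach SaveAs.

```vb
Imports System
Imports System.Collections.Generic
Imports System.IO
Imports System.Linq
Imports System.Text.RegularExpressions
Imports System.Web.UI.WebControls

Public Module SafeImageUpload

    ' Allowed extensions and the magic bytes a file with that extension must start with.
    Private ReadOnly Signatures As New Dictionary(Of String, Byte()()) From {
        {".jpg", New Byte()() {New Byte() {&HFF, &HD8, &HFF}}},
        {".jpeg", New Byte()() {New Byte() {&HFF, &HD8, &HFF}}},
        {".png", New Byte()() {New Byte() {&H89, &H50, &H4E, &H47, &HD, &HA, &H1A, &HA}}},
        {".gif", New Byte()() {New Byte() {&H47, &H49, &H46, &H38, &H37, &H61},
                               New Byte() {&H47, &H49, &H46, &H38, &H39, &H61}}}
    }

    ' File header check: the first bytes must match one of the signatures for ext.
    Public Function HeaderMatches(ext As String, content As Byte()) As Boolean
        Dim sigs As Byte()() = Nothing
        If Not Signatures.TryGetValue(ext, sigs) Then Return False
        Return sigs.Any(Function(sig) content.Length >= sig.Length AndAlso
                                      content.Take(sig.Length).SequenceEqual(sig))
    End Function

    ' Server-chosen target path: a fresh GUID plus an allow-listed extension.
    ' Only the text after the last "." of the user-supplied name is looked at,
    ' and it must be plain ASCII letters/digits, so "evil.aspx%00.jpg" or
    ' "../x.jpg" can at most yield ".jpg" and never influence the directory.
    Public Function SafeTargetPath(uploadRoot As String, userFileName As String) As String
        Dim dot As Integer = userFileName.LastIndexOf("."c)
        If dot < 0 Then Return Nothing
        Dim ext As String = userFileName.Substring(dot).ToLowerInvariant()
        If Not Regex.IsMatch(ext, "^\.[a-z0-9]{1,5}$") Then Return Nothing
        If Not Signatures.ContainsKey(ext) Then Return Nothing
        Return Path.Combine(uploadRoot, Guid.NewGuid().ToString("N") & ext)
    End Function

    ' Replacement for FileUpload.SaveAs(sPath & "/" & FileUpload.FileName):
    ' returns the saved path, or Nothing when the upload is rejected.
    Public Function SaveImage(upload As FileUpload, uploadRoot As String) As String
        Dim target As String = SafeTargetPath(uploadRoot, upload.FileName)
        If target Is Nothing Then Return Nothing
        If Not HeaderMatches(Path.GetExtension(target), upload.FileBytes) Then Return Nothing
        upload.SaveAs(target)
        Return target
    End Function
End Module
```

Re-encoding the image to a different format, as Jeroen's step 2 suggests, would be done on the saved bytes after HeaderMatches passes; it is not shown here.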