ABENDYN_FILE_SCRTY - DYN FILE SCRTY
This documentation is copyright by SAP AG.
Directory Traversal
Physical file names can be specified as the content of a character-like data object in the statements and the system class of the ABAP file interface. If some or all of this content originates outside the calling program, there is a risk that files or file paths are accessed that the program never intended to expose, for example through path components such as "..". This is known as directory traversal. Using input from outside the program to access the ABAP file interface is a potential security risk in the following cases:
- A file name used in the statements OPEN DATASET and DELETE DATASET originates either partly or in full from outside the program.
- A file name passed to the method CREATE_UTF8_FILE_WITH_BOM of the system class CL_ABAP_FILE_UTILITIES originates either partly or in full from outside the program.
To counter this risk, file names that originate outside the program must be validated before they are used. This can be a self-programmed validation, or the function module FILE_VALIDATE_NAME can be used. This function module checks whether a physical file name matches a logical file name or whether it denotes a valid directory. One prerequisite is that the logical file names or logical paths being matched were created using the transactions FILE or SF01.
Notes
- If a program uses logical file names exclusively, instead of physical file names, the physical file names or paths required by the statements are constructed using the function module FILE_GET_NAME only. In this case, validation is not usually necessary.
- Alongside the validation of file names, adequate checks should be made on the authorizations for file access.
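The following report is an added example and is not part of the SAP documentation. It uses the hypothetical program name ZDEMO_FILE_TRAVERSAL and the hypothetical logical file name Z_EXPORT_FILE, which is assumed to have been created in transaction FILE with a physical path pointing at a dedicated export directory on the application server. It places the unchecked use of an externally supplied physical file name beside the validated variant, which runs the name through FILE_VALIDATE_NAME and an explicit S_DATASET authorization check before OPEN DATASET:

```abap
*&---------------------------------------------------------------------*
*& ZDEMO_FILE_TRAVERSAL (hypothetical name; added example, not SAP code)
*& Assumes the logical file name Z_EXPORT_FILE exists in transaction FILE
*& and resolves to a dedicated export directory on the application server.
*&---------------------------------------------------------------------*
REPORT zdemo_file_traversal.

" The physical file name originates outside the program: selection screen.
PARAMETERS p_file TYPE string LOWER CASE DEFAULT '/tmp/export/report.txt'.

CLASS lcl_export DEFINITION.
  PUBLIC SECTION.
    CLASS-METHODS:
      " VULNERABLE variant: uses the external name exactly as supplied.
      write_unchecked IMPORTING iv_physical TYPE string
                      RETURNING VALUE(rv_ok) TYPE abap_bool,
      " Hardened variant: FILE_VALIDATE_NAME against Z_EXPORT_FILE,
      " then an explicit S_DATASET check, then OPEN DATASET.
      write_validated IMPORTING iv_physical TYPE string
                      RETURNING VALUE(rv_ok) TYPE abap_bool.
ENDCLASS.

CLASS lcl_export IMPLEMENTATION.
  METHOD write_unchecked.
    " Every path the work process OS user may write to is reachable here,
    " e.g. '../../SYS/profile/DEFAULT.PFL' (directory traversal).
    rv_ok = abap_false.
    OPEN DATASET iv_physical FOR OUTPUT IN TEXT MODE ENCODING UTF-8.
    IF sy-subrc <> 0.
      RETURN.
    ENDIF.
    TRANSFER 'example content' TO iv_physical.
    CLOSE DATASET iv_physical.
    rv_ok = abap_true.
  ENDMETHOD.

  METHOD write_validated.
    DATA(lv_physical) = iv_physical.
    DATA lv_auth_name TYPE c LENGTH 255.   " flat field for AUTHORITY-CHECK
    rv_ok = abap_false.

    " Step 1: the physical name must match the path maintained for the
    " logical file name Z_EXPORT_FILE; a name outside that directory
    " raises VALIDATION_FAILED and the file is never touched.
    CALL FUNCTION 'FILE_VALIDATE_NAME'
      EXPORTING
        logical_filename           = 'Z_EXPORT_FILE'
      CHANGING
        physical_filename          = lv_physical
      EXCEPTIONS
        logical_filename_not_found = 1
        validation_failed          = 2
        OTHERS                     = 3.
    IF sy-subrc <> 0.
      MESSAGE 'File name rejected by validation' TYPE 'S' DISPLAY LIKE 'E'.
      RETURN.
    ENDIF.

    " Step 2: explicit authorization check on S_DATASET
    " (activity 34 = write; 33 = read, 06 = delete).
    lv_auth_name = lv_physical.
    AUTHORITY-CHECK OBJECT 'S_DATASET'
      ID 'PROGRAM'  FIELD sy-repid
      ID 'ACTVT'    FIELD '34'
      ID 'FILENAME' FIELD lv_auth_name.
    IF sy-subrc <> 0.
      MESSAGE 'No authorization for this file' TYPE 'S' DISPLAY LIKE 'E'.
      RETURN.
    ENDIF.

    " Step 3: only the validated, authorized name reaches the file interface.
    OPEN DATASET lv_physical FOR OUTPUT IN TEXT MODE ENCODING UTF-8.
    IF sy-subrc <> 0.
      RETURN.
    ENDIF.
    TRANSFER 'example content' TO lv_physical.
    CLOSE DATASET lv_physical.
    rv_ok = abap_true.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  IF lcl_export=>write_validated( p_file ) = abap_true.
    WRITE: / 'File written:', p_file.
  ELSE.
    WRITE: / 'Write refused for:', p_file.
  ENDIF.
```

With the assumed configuration, a value such as /tmp/export/report.txt passes, while /etc/passwd or a name containing ".." components is refused in step 1 before any file access takes place. The same pattern applies to DELETE DATASET (activity 06) and to names passed to CL_ABAP_FILE_UTILITIES=>CREATE_UTF8_FILE_WITH_BOM. Note that the relief described for FILE_GET_NAME holds only when the values substituted into the logical file name's placeholders do not themselves come unchecked from outside the program; if they do, the resulting physical name should still be validated in the same way.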
Example
See the examples under Validating File Names.