While decompiling the latest Facebook Messenger app com.facebook.orca_230.0.0.12.117 (169378234) I encountered a message about a path traversal attack that looks like a false positive:
Path traversal attack detected, invalid name: r/con.g.png
It seems that the path traversal detection does not work reliably on Windows when the file name starts with con (which is a reserved word on Windows and therefore can't be used as a file name).
The canonical value of a path containing such a file is always converted to \\.\con.
From my understanding this may be a bug in Java (tested with Oracle Java 1.8 and OpenJDK 11.0.4).
Is there anything we can do about this?
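To make the failure mode concrete, here is an added example (not code from jadx, the JDK or the reporter) that models the check described above and shows a way around it. It assumes the canonical-path containment check works as the report implies: on Windows a path whose last segment is a reserved device name canonicalises to a device path such as \\.\con, which no longer lies under the output directory, so a plain "canonical target starts with canonical output dir" test fires even though nothing escaped the directory. The fix shown is to classify reserved device names separately from real traversal and rename them before the containment check, which is kept as defence in depth. Python's ntpath module is used so the Windows path rules run on any platform; the canonicalisation function is a constructed model of the reported behaviour, not the JDK's algorithm.

```python
import ntpath
import re

# Windows reserved device names. Windows compares the part of a file name
# before the first dot, so "con.g.png" is treated as the CON device.
WINDOWS_RESERVED = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


def is_reserved_segment(segment: str) -> bool:
    """True if a single path segment names a Windows device ('con', 'con.g.png', 'COM1.txt')."""
    stem = segment.split(".", 1)[0].rstrip(" ")
    return stem.upper() in WINDOWS_RESERVED


def simulated_windows_canonical(path: str) -> str:
    """Constructed model of Windows canonicalisation for this example:
    a path whose final segment is a reserved name canonicalises to the
    device path (\\\\.\\con), exactly the 'r/con.g.png' -> '\\\\.\\con' case
    from the report; everything else is a plain ntpath.normpath."""
    norm = ntpath.normpath(path.replace("/", "\\"))
    _head, tail = ntpath.split(norm)
    if is_reserved_segment(tail):
        return "\\\\.\\" + tail.split(".", 1)[0]
    return norm


def naive_traversal_check(output_dir: str, name: str) -> bool:
    """The kind of check that produces the false positive: canonicalise the
    joined path and require it to stay under the canonical output directory.
    Returns True when the name is flagged."""
    base = simulated_windows_canonical(output_dir)
    target = simulated_windows_canonical(ntpath.join(output_dir, name))
    return not target.startswith(base + "\\")


def classify_name(name: str) -> str:
    """Classify an archive entry name before it is joined with the output directory:
    'traversal' - escapes the output directory (absolute path, drive letter, '..')
    'reserved'  - a segment is a Windows device name: rename it, do not treat it as an attack
    'ok'        - safe to write as-is"""
    normalized = name.replace("\\", "/")
    if normalized.startswith("/") or re.match(r"^[A-Za-z]:", normalized):
        return "traversal"
    segments = [s for s in normalized.split("/") if s not in ("", ".")]
    if ".." in segments:
        return "traversal"
    if any(is_reserved_segment(s) for s in segments):
        return "reserved"
    return "ok"


def sanitize_name(name: str) -> str:
    """Prefix reserved segments with '_' so the file can be created on Windows
    while the rest of the path is kept ('r/con.g.png' -> 'r/_con.g.png')."""
    parts = name.replace("\\", "/").split("/")
    return "/".join("_" + p if is_reserved_segment(p) else p for p in parts)


def checked_target(output_dir: str, name: str) -> str:
    """Combined check: reject real traversal, rename reserved names, then still
    run the canonical containment check on the sanitized name as defence in depth."""
    kind = classify_name(name)
    if kind == "traversal":
        raise ValueError(f"Path traversal attack detected, invalid name: {name}")
    if kind == "reserved":
        name = sanitize_name(name)
    if naive_traversal_check(output_dir, name):
        raise ValueError(f"Path escapes output directory: {name}")
    return ntpath.normpath(ntpath.join(output_dir, name))


if __name__ == "__main__":
    # The reported entry trips the naive check but is only a reserved name.
    print(naive_traversal_check("C:\\out", "r/con.g.png"))   # True (false positive)
    print(classify_name("r/con.g.png"))                       # reserved
    print(checked_target("C:\\out", "r/con.g.png"))           # C:\out\r\_con.g.png
```

Running the module shows the naive check flagging `r/con.g.png` while `classify_name` labels it as a reserved name that merely needs renaming; a genuine `../` entry is still rejected by both checks.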