Show TOC

Procedure documentationValidating Physical Filenames Entered by the User Locate this document in the navigation structure

 

Use function modules FILE_GET_NAME and FILE_VALIDATE_NAME to validate physical filenames and counter the threat of filepath traversal.

There may be RFCs or other interfaces that also accept physical filenames as part of APIs.

Procedure

  1. In customizing, create a logical path to specify the operating system dependent physical path to where you want to allow the user to create filenames.

    SAP delivers a default logical path TMP to temporary directories on UNIX and Microsoft Windows operating systems.

  2. Create a logical file of data format DIR (directory) that uses the logical path you created in the previous step.

    Caution Caution

    You need the logical file of type directory in case the filename of the user is not absolute. If the filename is relative filename, the application server uses the working directory specified in profile parameter DIR_HOME, unless you put the target directory in front of the relative path before calling FILE_VALIDATE_NAME.

    End of the caution.

    Example Example

    For example, use Change View "Logical File Path Definition" (transaction FILE) to create a logical file ZMY_OUTDIR with the following values.

    Values for Logical File ZMY_OUTDIR

    Attribute

    Value

    Logical file

    ZMY_OUTDIR

    Name

    Directory to place files for user data.

    Data format

    DIR

    Logical path

    TMP
    End of the example.

  3. Define a constant logical filename to be used for filename validation.

    For each parameter for a physical filename in your application create one constant of type FILEINTERN (logical filename). Depending on the context of the file access, this constant can be a global constant within a program, local within a specific part of a program, or defined in a type pool for use across multiple programs.

    Set the value of this constant to the logical filename used for filename validation in this context.

    Syntax Syntax

    1. CONSTANTS lc_log_fname LIKE FILENAME-FILEINTERN VALUE 'ZMY_OUTDIR'.
    End of the code.

  4. Create a default value for the physical filename.

    Create a default value for the physical filename, if applicable, by calling the function module FILE_GET_NAME with the parameter INCLUDING_DIR set to 'X' (for example, during INITIALIZATION).

    Syntax Syntax

    1. INITIALIZATION. *Get the path where the files should be placed from the configuration
  CALL FUNCTION 'FILE_GET_NAME'
    EXPORTING
      LOGICAL_FILENAME = lc_log_fname
      INCLUDING_DIR    = 'X'
    IMPORTING
      FILE_NAME        = lv_defaultpath
    EXCEPTIONS
      OTHERS           = 1.
  IF sy-subrc <> 0.
    MESSAGE ID sy-msgid TYPE 'I' NUMBER sy-msgno
    WITH sy-msgv1 sy-msgv2 sy-msgv3 sy-msgv4.
  ENDIF.
    End of the code.

    Caution Caution

    You must catch the exception and change the message type to avoid the program aborting with a message. FILE_GET_NAME raises the exception with message type E, which is converted to message type A during PBO.)

    End of the caution.

  5. Check for a relative path.

    The function module FILE_VALIDATE_NAME always checks absolute filenames with specified paths. If a relative filename is passed for checking, the default path is implicitly added as a prefix to DIR_HOME in accordance with the profile parameter, DIR_HOME.

    Syntax Syntax

    1. AT SELECTION-SCREEN
* Check whether the filename is a relative one 
  IF  cl_fs_path => create (  pv_fname  ) ->is_relative ( ) =  abap_true .
    " Filename is a relative one, put the default path before the filename
    " We also need to check in this case, as '/tmp' + '../etc/test.txt' is still outside /tmp
    lv_full_name  =  lv_defaultpath && pv_fname .
  ELSE .
    " Filename is already absolute, just use it.
    lv_full_name  =  pv_fname . 
  ENDIF .
    End of the code.

  6. Validate input.

    Validate the physical filename supplied by the user on the screen where the filename was entered (for example, during AT SELECTION-SCREEN). This ensures that the program returns an error if the filename is invalid immediately and the user can adjust the filename as necessary. If the program performs a lot of its logic before the filename is validated, and the validation returns an error, the processing time and the use of system resources was unnecessary.

    Syntax Syntax

    1.   CALL FUNCTION 'FILE_VALIDATE_NAME'
    EXPORTING
      logical_filename           = lc_log_fname
    CHANGING
      physical_filename          = lv_full_name
    EXCEPTIONS
      LOGICAL_FILENAME_NOT_FOUND = 2
      VALIDATION_FAILED          = 1
      OTHERS                     = 4.
 
 IF  SY - SUBRC <>  0.
   IF  SY - SUBRC >  1.
     MESSAGE ID sy-msgid  TYPE  'A'  NUMBER  sy-msgno
       WITH sy-msgv1 sy-msgv2 sy-msgv3 sy-msgv4.
   ELSE .
     MESSAGE 'The filename >' && pv_fname && '< is not valid, please try again.' TYPE 'E'.
   ENDIF.
 ENDIF.
    End of the code.

    Caution Caution

    If the filename might have changed or you are operating in a function module and cannot be sure if the filename has been validated, validate the filename again directly before the OPEN DATASET or related statement.

    Be careful about how you process error messages from FILE_VALIDATE_NAME. For example, the recommended procedure for handling error messages for a report is to show the message as an I or an S message and then exit the program in such a way that the user is returned to the selection screen, if possible. If you send an E or a W message, the program aborts and the user has to start over by calling the corresponding transaction or program again.

    End of the caution.

More Information