Validation of File Names
Alongside the automatic authorization checks, it may be necessary to
validate file names before they are used. This is particularly
important if:
- the automatic authorization checks are not enough, for example because
  the database table SPTH or the authorizations for the authorization
  object S_DATASET have not been defined in full;
- programs with physical file names are used, and these file names are
  provided using external interfaces such as APIs or UI.
Using Logical File Names
File names do not usually need to be validated if a program is
consistent in using only logical file names created by the system
administrator in the transactions FILE or SF01. The set of logical file
names available to an application then defines the set of possible
physical file names in a whitelist. The associated physical file names
are not edited explicitly in the program. Instead, the function module
FILE_GET_NAME is used to generate the physical file name from the
logical file name directly before it is used for file access in a
statement of the file interface.
Using Physical File Names
If a program uses physical file names, then the name almost always
needs to be validated.
Self-Programmed Validation
If valid directories and file names are defined precisely (as is often
the case in programs from the technical infrastructure), a validation of
this nature can be skipped easily. The following can be used, for
example:
- Methods from character string processing
- Methods from class CL_ABAP_DYN_PRG for checking whitelists
- Methods in the class CL_FS_PATH
Logical File Names as a Whitelist
In many cases, directories and file names are generic, and are
predefined by the system administrator when configuring the system. They
can be modified or enhanced while the system is running. In these cases,
the concept of logical file names should be employed when handling
physical file names explicitly.
As in the case above, where a program uses only logical file names, the
associations between logical and physical file names can also be useful
as a whitelist when handling physical file names. As long as the list
of logical file names is complete, the function module
FILE_VALIDATE_NAME can be called before a file is accessed. This module
checks whether the physical file name is associated with a logical file
name or whether the directory is valid. In this way, it checks whether
the physical file exists in the whitelist defined by the logical file
names.
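The call sequence described above, as an added example that is not part of the SAP documentation extract: an externally supplied physical file name is checked with FILE_VALIDATE_NAME before any file interface statement uses it. The report name, the logical file name Z_DEMO_IMPORT_FILE, the variable names and their types are assumptions made for illustration.

```abap
REPORT z_demo_validate_physical_file.

" Assumption: the administrator has defined this logical file name in
" transaction FILE; the name itself is hypothetical.
CONSTANTS gc_logical_file TYPE filename-fileintern
                          VALUE 'Z_DEMO_IMPORT_FILE'.

" Stands in for a physical file name supplied through a UI or an API.
PARAMETERS p_file TYPE string LOWER CASE OBLIGATORY.

DATA: gv_file TYPE string,
      gv_line TYPE string.

START-OF-SELECTION.
  gv_file = p_file.

  " Check the physical name against the whitelist defined by the logical
  " file name before any statement of the file interface touches it.
  CALL FUNCTION 'FILE_VALIDATE_NAME'
    EXPORTING
      logical_filename           = gc_logical_file
    CHANGING
      physical_filename          = gv_file
    EXCEPTIONS
      logical_filename_not_found = 1
      validation_failed          = 2
      OTHERS                     = 3.
  IF sy-subrc <> 0.
    " Fail closed: a missing logical file name is handled like a
    " rejected path, so an incomplete whitelist never grants access.
    MESSAGE 'File name rejected by validation' TYPE 'E'.
  ENDIF.

  " Only the name returned by the function module is passed on.
  TRY.
      OPEN DATASET gv_file FOR INPUT IN TEXT MODE ENCODING DEFAULT.
      IF sy-subrc <> 0.
        MESSAGE 'File could not be opened' TYPE 'E'.
      ENDIF.
      READ DATASET gv_file INTO gv_line.
      CLOSE DATASET gv_file.
    CATCH cx_sy_file_authority.
      " Raised when the automatic authorization checks deny access.
      MESSAGE 'No authorization for this file' TYPE 'E'.
  ENDTRY.
```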
Documentation extract taken from SAP system, © Copyright SAP AG. All rights reserved