On 04/03/2016 17:55, Konstantin Kolinko wrote: > 2016-03-04 20:24 GMT+03:00 <ma...@apache.org>: >> Author: markt >> Date: Fri Mar 4 17:24:36 2016 >> New Revision: 1733617 >> >> URL: http://svn.apache.org/viewvc?rev=1733617&view=rev >> Log: >> Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=59115 >> When using the Servlet 3.0 file upload, the submitted file name may be >> provided as a token or a quoted-string. If a quoted-string, unquote the >> string before returning it to the user. >> >> Modified: >> tomcat/trunk/java/org/apache/catalina/core/ApplicationPart.java >> tomcat/trunk/webapps/docs/changelog.xml >> >> Modified: tomcat/trunk/java/org/apache/catalina/core/ApplicationPart.java >> URL: >> http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/core/ApplicationPart.java?rev=1733617&r1=1733616&r2=1733617&view=diff >> ============================================================================== >> --- tomcat/trunk/java/org/apache/catalina/core/ApplicationPart.java >> (original) >> +++ tomcat/trunk/java/org/apache/catalina/core/ApplicationPart.java Fri Mar >> 4 17:24:36 2016 >> @@ -144,7 +144,11 @@ public class ApplicationPart implements >> if (params.containsKey("filename")) { >> fileName = params.get("filename"); >> if (fileName != null) { >> - fileName = fileName.trim(); >> + // This is a token or a quoted-string. If it is a >> token, >> + // there won't be any '\' characters. If it is a >> + // quoted-string it can be dequoted by removing the >> '\' >> + // characters. >> + fileName = fileName.trim().replaceAll("\\", ""); > > I wonder whether single '\' is a valid regexp. Shouldn't it be double > \\ ("\\\\" in Java) ?
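Review bot: In the added line `fileName = fileName.trim().replaceAll("\\", "");`, the first argument to replaceAll is a regular expression, and the Java literal "\\" is a single backslash, which is an incomplete escape and makes the call throw PatternSyntaxException at runtime for every upload that carries a filename parameter. Use the literal form `fileName.trim().replace("\\", "")`, which involves no regex, or double the escaping as `replaceAll("\\\\", "")`. Separately, the comment's rule of removing every '\' does not fully dequote a quoted-string: a quoted-pair `\\` stands for one literal backslash, so stripping all backslashes drops it instead of mapping each `\x` to `x`. A test with a filename containing an escaped quote and an escaped backslash would cover both cases.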
You are right. I'll get that fixed now.

Mark