Author: markt
Date: Fri Mar 15 10:57:08 2013
New Revision: 1456885
URL: http://svn.apache.org/r1456885
Log:
Merge updates from Commons FileUpload to r1453285
Modified:
tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/ (props changed)
tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/FileItem.java
tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/FileItemHeaders.java
tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/FileItemHeadersSupport.java
tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java
tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java
tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/RequestContext.java
tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/disk/DiskFileItem.java
tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/disk/DiskFileItemFactory.java
tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/servlet/ServletRequestContext.java
tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/util/FileItemHeadersImpl.java
Propchange: tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/
------------------------------------------------------------------------------
Merged
/commons/proper/fileupload/trunk/src/main/java/org/apache/commons/fileupload:r1453231-1453285
Modified: tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/FileItem.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/FileItem.java?rev=1456885&r1=1456884&r2=1456885&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/FileItem.java
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/FileItem.java Fri
Mar 15 10:57:08 2013
@@ -49,6 +49,7 @@ import java.io.UnsupportedEncodingExcept
* @author <a href="mailto:[email protected]">Martin Cooper</a>
*
* @version $Id$
+ * @since 1.3 additionally implements FileItemHeadersSupport
*/
public interface FileItem extends Serializable, FileItemHeadersSupport {
Modified:
tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/FileItemHeaders.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/FileItemHeaders.java?rev=1456885&r1=1456884&r2=1456885&view=diff
==============================================================================
---
tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/FileItemHeaders.java
(original)
+++
tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/FileItemHeaders.java
Fri Mar 15 10:57:08 2013
@@ -24,7 +24,7 @@ import java.util.Iterator;
* request.</p>
*
* @author Michael C. Macaluso
- * @since 1.3
+ * @since 1.2.1
*/
public interface FileItemHeaders {
@@ -71,4 +71,5 @@ public interface FileItemHeaders {
* any headers return an empty <code>Iterator</code>
*/
Iterator<String> getHeaderNames();
+
}
Modified:
tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/FileItemHeadersSupport.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/FileItemHeadersSupport.java?rev=1456885&r1=1456884&r2=1456885&view=diff
==============================================================================
---
tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/FileItemHeadersSupport.java
(original)
+++
tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/FileItemHeadersSupport.java
Fri Mar 15 10:57:08 2013
@@ -21,7 +21,7 @@ package org.apache.tomcat.util.http.file
* implementations will accept the headers read for the item.
*
* @author Michael C. Macaluso
- * @since 1.3
+ * @since 1.2.1
*
* @see FileItem
* @see FileItemStream
@@ -45,4 +45,5 @@ public interface FileItemHeadersSupport
* for this instance.
*/
void setHeaders(FileItemHeaders headers);
+
}
Modified:
tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java?rev=1456885&r1=1456884&r2=1456885&view=diff
==============================================================================
---
tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java
(original)
+++
tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java
Fri Mar 15 10:57:08 2013
@@ -321,8 +321,8 @@ public abstract class FileUploadBase {
throw (FileUploadException) e.getCause();
} catch (IOException e) {
throw new IOFileUploadException(
- "Processing of " + MULTIPART_FORM_DATA
- + " request failed. " + e.getMessage(), e);
+ String.format("Processing of %s request failed. ",
+ MULTIPART_FORM_DATA, e.getMessage()), e);
}
if (fileItem instanceof FileItemHeadersSupport) {
final FileItemHeaders fih = item.getHeaders();
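Review bot: The new format string `"Processing of %s request failed. "` has one `%s` but is given two arguments, so `e.getMessage()` is silently dropped and the `IOFileUploadException` message no longer says why processing failed (the removed concatenation appended it). Adding the second placeholder restores the old text: `String.format("Processing of %s request failed. %s", MULTIPART_FORM_DATA, e.getMessage())`. The cause is still attached as `e`, so only the message regresses, but the message is what usually ends up in logs and error handling. The enclosing method starts and ends outside this hunk.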
@@ -476,7 +476,7 @@ public abstract class FileUploadBase {
if (start == end) {
break;
}
- String header = headerPart.substring(start, end);
+ StringBuilder header = new
StringBuilder(headerPart.substring(start, end));
start = end + 2;
while (start < len) {
int nonWs = start;
@@ -492,10 +492,10 @@ public abstract class FileUploadBase {
}
// Continuation line found
end = parseEndOfLine(headerPart, nonWs);
- header += " " + headerPart.substring(nonWs, end);
+ header.append(" ").append(headerPart.substring(nonWs, end));
start = end + 2;
}
- parseHeaderLine(headers, header);
+ parseHeaderLine(headers, header.toString());
}
return headers;
}
@@ -601,12 +601,10 @@ public abstract class FileUploadBase {
if (pContentLength != -1
&& pContentLength > fileSizeMax) {
FileSizeLimitExceededException e =
- new FileSizeLimitExceededException(
- "The field " + fieldName
- + " exceeds its maximum permitted "
- + " size of " + fileSizeMax
- + " bytes.",
- pContentLength, fileSizeMax);
+ new
FileSizeLimitExceededException(String.format(
+ "The field %s exceeds its maximum
permitted size of %s bytes.",
+ fieldName, Long.valueOf(fileSizeMax)),
+ pContentLength, fileSizeMax);
e.setFileName(pName);
e.setFieldName(pFieldName);
throw new FileUploadIOException(e);
@@ -617,12 +615,10 @@ public abstract class FileUploadBase {
throws IOException {
itemStream.close(true);
FileSizeLimitExceededException e =
- new FileSizeLimitExceededException(
- "The field " + fieldName
- + " exceeds its maximum permitted "
- + " size of " + pSizeMax
- + " bytes.",
- pCount, pSizeMax);
+ new
FileSizeLimitExceededException(String.format(
+ "The field %s exceeds its maximum
permitted size of %s bytes.",
+ fieldName, Long.valueOf(pSizeMax)),
+ pCount, pSizeMax);
e.setFieldName(fieldName);
e.setFileName(name);
throw new FileUploadIOException(e);
@@ -768,41 +764,34 @@ public abstract class FileUploadBase {
String contentType = ctx.getContentType();
if ((null == contentType)
||
(!contentType.toLowerCase(Locale.ENGLISH).startsWith(MULTIPART))) {
- throw new InvalidContentTypeException(
- "the request doesn't contain a "
- + MULTIPART_FORM_DATA
- + " or "
- + MULTIPART_MIXED
- + " stream, content type header is "
- + contentType);
+ throw new InvalidContentTypeException(String.format(
+ "the request doesn't contain a %s or %s stream,
content type header is %s",
+ MULTIPART_FORM_DATA, MULTIPART_FORM_DATA,
contentType));
}
InputStream input = ctx.getInputStream();
if (sizeMax >= 0) {
- int requestSize = ctx.getContentLength();
+ long requestSize = ctx.contentLength();
if (requestSize == -1) {
input = new LimitedInputStream(input, sizeMax) {
@Override
protected void raiseError(long pSizeMax, long pCount)
throws IOException {
- FileUploadException ex =
- new SizeLimitExceededException(
- "the request was rejected because"
- + " its size (" + pCount
- + ") exceeds the configured maximum"
- + " (" + pSizeMax + ")",
+ FileUploadException ex = new
SizeLimitExceededException(String.format(
+ "the request was rejected because its size
(%s) exceeds the configured maximum (%s)",
+ Long.valueOf(pCount),
+ Long.valueOf(pSizeMax)),
pCount, pSizeMax);
throw new FileUploadIOException(ex);
}
};
} else {
if (sizeMax >= 0 && requestSize > sizeMax) {
- throw new SizeLimitExceededException(
- "the request was rejected because its size ("
- + requestSize
- + ") exceeds the configured maximum ("
- + sizeMax + ")",
+ throw new SizeLimitExceededException(String.format(
+ "the request was rejected because its size
(%s) exceeds the configured maximum (%s)",
+ Long.valueOf(requestSize),
+ Long.valueOf(sizeMax)),
requestSize, sizeMax);
}
}
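Review bot: In the `InvalidContentTypeException` message the second format argument is `MULTIPART_FORM_DATA` again where the removed code used `MULTIPART_MIXED`, so the text now names the same type twice; the argument line should read `MULTIPART_FORM_DATA, MULTIPART_MIXED, contentType));`. The same message echoes the request's Content-Type header verbatim, and that value is supplied by the client. If the message is later written to a log or an error page it should be encoded or truncated at that point; whether that happens is not visible here. The enclosing code continues outside the hunk.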
@@ -815,13 +804,11 @@ public abstract class FileUploadBase {
boundary = getBoundary(contentType);
if (boundary == null) {
- throw new FileUploadException(
- "the request was rejected because "
- + "no multipart boundary was found");
+ throw new FileUploadException("the request was rejected
because no multipart boundary was found");
}
notifier = new MultipartStream.ProgressNotifier(listener,
- ctx.getContentLength());
+ ctx.contentLength());
multi = new MultipartStream(input, boundary, notifier);
multi.setHeaderEncoding(charEncoding);
@@ -1060,6 +1047,7 @@ public abstract class FileUploadBase {
* Retrieves the actual size of the request.
*
* @return The actual size of the request.
+ * @since 1.3
*/
public long getActualSize() {
return actual;
@@ -1069,6 +1057,7 @@ public abstract class FileUploadBase {
* Retrieves the permitted size of the request.
*
* @return The permitted size of the request.
+ * @since 1.3
*/
public long getPermittedSize() {
return permitted;
Modified:
tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java?rev=1456885&r1=1456884&r2=1456885&view=diff
==============================================================================
---
tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java
(original)
+++
tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java
Fri Mar 15 10:57:08 2013
@@ -474,9 +474,9 @@ public class MultipartStream {
throw new MalformedStreamException("Stream ended
unexpectedly");
}
if (++size > HEADER_PART_SIZE_MAX) {
- throw new MalformedStreamException(
- "Header section has more than " + HEADER_PART_SIZE_MAX
- + " bytes (maybe it is not properly terminated)");
+ throw new MalformedStreamException(String.format(
+ "Header section has more than %s bytes (maybe it is
not properly terminated)",
+ Integer.valueOf(HEADER_PART_SIZE_MAX)));
}
if (b == HEADER_SEPARATOR[i]) {
i++;
Modified:
tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/RequestContext.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/RequestContext.java?rev=1456885&r1=1456884&r2=1456885&view=diff
==============================================================================
---
tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/RequestContext.java
(original)
+++
tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/RequestContext.java
Fri Mar 15 10:57:08 2013
@@ -50,8 +50,9 @@ public interface RequestContext {
* Retrieve the content length of the request.
*
* @return The content length of the request.
+ * @since 1.3
*/
- int getContentLength();
+ long contentLength();
/**
* Retrieve the input stream for the request.
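Review bot: The Javadoc on `contentLength()` does not say what is returned when the length is unknown, yet the size check in FileUploadBase in this same commit branches on `requestSize == -1`. I would state the contract in the interface, e.g. `@return The content length of the request in bytes, or -1 if it is not known.` Replacing `int getContentLength()` outright also breaks any other implementer of `RequestContext` at compile time; only ServletRequestContext is visible in this commit, so it is worth confirming there are no others.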
Modified:
tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/disk/DiskFileItem.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/disk/DiskFileItem.java?rev=1456885&r1=1456884&r2=1456885&view=diff
==============================================================================
---
tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/disk/DiskFileItem.java
(original)
+++
tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/disk/DiskFileItem.java
Fri Mar 15 10:57:08 2013
@@ -600,7 +600,7 @@ public class DiskFileItem
}
String tempFileName =
- "upload_" + UID + "_" + getUniqueId() + ".tmp";
+ String.format("upload_%s_%s.tmp", UID, getUniqueId());
tempFile = new File(tempDir, tempFileName);
}
@@ -638,15 +638,9 @@ public class DiskFileItem
*/
@Override
public String toString() {
- return "name=" + this.getName()
- + ", StoreLocation="
- + String.valueOf(this.getStoreLocation())
- + ", size="
- + this.getSize()
- + "bytes, "
- + "isFormField=" + isFormField()
- + ", FieldName="
- + this.getFieldName();
+ return String.format("name=%s, StoreLocation=%s, size=%s bytes,
isFormField=%s, FieldName=%s",
+ getName(), getStoreLocation(), Long.valueOf(getSize()),
+ Boolean.valueOf(isFormField()), getFieldName());
}
// -------------------------------------------------- Serialization methods
Modified:
tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/disk/DiskFileItemFactory.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/disk/DiskFileItemFactory.java?rev=1456885&r1=1456884&r2=1456885&view=diff
==============================================================================
---
tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/disk/DiskFileItemFactory.java
(original)
+++
tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/disk/DiskFileItemFactory.java
Fri Mar 15 10:57:08 2013
@@ -33,12 +33,23 @@ import org.apache.tomcat.util.http.fileu
* created.</p>
*
* <p>If not otherwise configured, the default configuration values are as
- * follows:
+ * follows:</p>
* <ul>
* <li>Size threshold is 10KB.</li>
* <li>Repository is the system default temp directory, as returned by
* <code>System.getProperty("java.io.tmpdir")</code>.</li>
* </ul>
+ * <p>
+ * <b>NOTE</b>: Files are created in the system default temp directory with
+ * predictable names. This means that a local attacker with write access to
that
+ * directory can perform a TOUTOC attack to replace any uploaded file with a
+ * file of the attackers choice. The implications of this will depend on how
the
+ * uploaded file is used but could be significant. When using this
+ * implementation in an environment with local, untrusted users,
+ * {@link #setRepository(File)} MUST be used to configure a repository location
+ * that is not publicly writable. In a Servlet container the location
identified
+ * by the ServletContext attribute <code>javax.servlet.context.tempdir</code>
+ * may be used.
* </p>
*
* <p>Temporary files, which are created for file items, should be
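Review bot: The added warning spells the attack class "TOUTOC"; the usual abbreviation is TOCTOU (time-of-check to time-of-use), and "attackers choice" needs an apostrophe. Readers will search for the term, so I would write `can perform a TOCTOU attack to replace any uploaded file with a file of the attacker's choice`. The note documents the risk but leaves the predictable `upload_%s_%s.tmp` name built in DiskFileItem (also touched in this commit) unchanged, so protection depends entirely on callers invoking `setRepository(File)`. A follow-up that defaults to a non-shared directory or creates the file exclusively would remove that dependency. The class Javadoc continues outside the hunk.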
Modified:
tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/servlet/ServletRequestContext.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/servlet/ServletRequestContext.java?rev=1456885&r1=1456884&r2=1456885&view=diff
==============================================================================
---
tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/servlet/ServletRequestContext.java
(original)
+++
tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/servlet/ServletRequestContext.java
Fri Mar 15 10:57:08 2013
@@ -21,6 +21,7 @@ import java.io.InputStream;
import javax.servlet.http.HttpServletRequest;
+import org.apache.tomcat.util.http.fileupload.FileUploadBase;
import org.apache.tomcat.util.http.fileupload.RequestContext;
@@ -80,10 +81,17 @@ public class ServletRequestContext imple
* Retrieve the content length of the request.
*
* @return The content length of the request.
+ * @since 1.3
*/
@Override
- public int getContentLength() {
- return request.getContentLength();
+ public long contentLength() {
+ long size;
+ try {
+ size =
Long.parseLong(request.getHeader(FileUploadBase.CONTENT_LENGTH));
+ } catch (NumberFormatException e) {
+ size = -1;
+ }
+ return size;
}
/**
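Review bot: `contentLength()` returns whatever `Long.parseLong` yields, so a negative header value other than -1 is passed through unchanged. The size check in FileUploadBase in this commit wraps the stream in a `LimitedInputStream` only when the value is exactly -1 and rejects only when it exceeds `sizeMax`, so for such a value neither branch would apply the limit. Whether the container rejects such a header before this code runs is not visible here. Normalising in this method closes the gap either way: `return size < 0 ? -1 : size;`. A missing header is already handled because `Long.parseLong(null)` throws `NumberFormatException`, which deserves a one-line comment in the `catch`.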
@@ -106,7 +114,7 @@ public class ServletRequestContext imple
@Override
public String toString() {
return String.format("ContentLength=%s, ContentType=%s",
- Integer.valueOf(this.getContentLength()),
+ Long.valueOf(this.contentLength()),
this.getContentType());
}
Modified:
tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/util/FileItemHeadersImpl.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/util/FileItemHeadersImpl.java?rev=1456885&r1=1456884&r2=1456885&view=diff
==============================================================================
---
tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/util/FileItemHeadersImpl.java
(original)
+++
tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/util/FileItemHeadersImpl.java
Fri Mar 15 10:57:08 2013
@@ -32,7 +32,7 @@ import org.apache.tomcat.util.http.fileu
* Default implementation of the {@link FileItemHeaders} interface.
*
* @author Michael C. Macaluso
- * @since 1.3
+ * @since 1.2.1
*/
public class FileItemHeadersImpl implements FileItemHeaders, Serializable {