Return-Path: Delivered-To: apmail-jakarta-commons-dev-archive@www.apache.org Received: (qmail 65139 invoked from network); 14 Dec 2006 21:04:47 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2) by minotaur.apache.org with SMTP; 14 Dec 2006 21:04:47 -0000 Received: (qmail 15757 invoked by uid 500); 14 Dec 2006 21:04:52 -0000 Delivered-To: apmail-jakarta-commons-dev-archive@jakarta.apache.org Received: (qmail 15667 invoked by uid 500); 14 Dec 2006 21:04:51 -0000 Mailing-List: contact commons-dev-help@jakarta.apache.org; run by ezmlm Precedence: bulk List-Unsubscribe: List-Help: List-Post: List-Id: "Jakarta Commons Developers List" Reply-To: "Jakarta Commons Developers List" Delivered-To: mailing list commons-dev@jakarta.apache.org Received: (qmail 15655 invoked by uid 99); 14 Dec 2006 21:04:51 -0000 Received: from herse.apache.org (HELO herse.apache.org) (140.211.11.133) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 14 Dec 2006 13:04:51 -0800 X-ASF-Spam-Status: No, hits=0.0 required=10.0 tests= X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO brutus.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 14 Dec 2006 13:04:43 -0800 Received: from brutus (localhost [127.0.0.1]) by brutus.apache.org (Postfix) with ESMTP id 27C15714167 for ; Thu, 14 Dec 2006 13:04:23 -0800 (PST) Message-ID: <29085558.1166130263159.JavaMail.jira@brutus> Date: Thu, 14 Dec 2006 13:04:23 -0800 (PST) From: "Jochen Wiedmann (JIRA)" To: commons-dev@jakarta.apache.org Subject: [jira] Resolved: (FILEUPLOAD-122) Filename may contain a full path In-Reply-To: <25056593.1166024061283.JavaMail.jira@brutus> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-Virus-Checked: Checked by ClamAV on apache.org [ http://issues.apache.org/jira/browse/FILEUPLOAD-122?page=all ] Jochen Wiedmann resolved FILEUPLOAD-122. ---------------------------------------- Resolution: Invalid I was initially thinking that the request made some sense, but after reading the various comments in this bug as well as FILEUPLOAD-17 (or FILEUPLOAD-68 for that matter), I do wholeheartly agree with the current behaviour to leave the filename as it is sent by the browser. If the user actually wants to remove preceding path components then he can do so quite easily. The converse wouldn't be true, if we'd attempt to "sanitize" the name. As this topic has been discussed now in at least three cases and all developers agree on it, I am closing the bug. > Filename may contain a full path > -------------------------------- > > Key: FILEUPLOAD-122 > URL: http://issues.apache.org/jira/browse/FILEUPLOAD-122 > Project: Commons FileUpload > Issue Type: Bug > Affects Versions: 1.1.1 > Reporter: Sebastian Beigel > Priority: Blocker > > The filename extracted from the content disposition may contain a full path (i.e. as submitted by the Internet Explorer for example). > It's is important to check for this and strip the path information accordingly as the upload fails if you use FileItem#getName() to build your destination path. > I patched the abstract class FileUploadBase#getFileName(...) with a few lines of code inspired by COS' MultiPartParser :) > Starting on line 447 (after fileName = fileName.trim(); ) > // The filename may contain a full path. Cut to just the filename. > int slash = Math.max(fileName.lastIndexOf('/'), fileName.lastIndexOf('\\')); // check for Unix AND Win separator > if (slash > -1) { > fileName = fileName.substring(slash + 1); // past last slash > } -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira --------------------------------------------------------------------- To unsubscribe, e-mail: commons-dev-unsubscribe@jakarta.apache.org For additional commands, e-mail: commons-dev-help@jakarta.apache.org