commons-issues mailing list archives

From "Bernd Eckenfels (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (FILEUPLOAD-248) [DISK] Unsafe file move operation (possibly swallowing write errors)
Date Mon, 19 May 2014 22:35:38 GMT

     [ https://issues.apache.org/jira/browse/FILEUPLOAD-248?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bernd Eckenfels resolved FILEUPLOAD-248.
----------------------------------------

       Resolution: Fixed
    Fix Version/s: 1.4
         Assignee: Bernd Eckenfels

[FILEUPLOAD-248] DiskFileItem might suppress critical IOExceptions on rename - use FileUtil.move
instead.
Also: close input stream silently to make delete more probable. Remove unneeded BufferedInputStream
indirection for readFully().

http://svn.apache.org/viewvc?view=revision&revision=1596086

> [DISK] Unsafe file move operation (possibly swallowing write errors)
> --------------------------------------------------------------------
>
>                 Key: FILEUPLOAD-248
>                 URL: https://issues.apache.org/jira/browse/FILEUPLOAD-248
>             Project: Commons FileUpload
>          Issue Type: Bug
>    Affects Versions: 1.4
>         Environment: Source
>            Reporter: Bernd Eckenfels
>            Assignee: Bernd Eckenfels
>             Fix For: 1.4
>
>
> Because of a fix for FILEUPLOAD-246 I noticed that there is a fileRenameOrCopy function which swallows exceptions on the OutputStream#close() method. This is unsafe since a lot of filesystem operations can fail in exactly this step.
> There is also a Commons IO Utility which does rename or copy, so the whole code block could be removed.
> Problem is here in Line 416: http://svn.apache.org/viewvc/commons/proper/fileupload/trunk/src/main/java/org/apache/commons/fileupload/disk/DiskFileItem.java?revision=1568691&view=markup
> Besides using FileUtil.move() another option would be to add an out.close() before the catch.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
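
The failure mode described in this issue, as an added example that is not part of the original message or the Commons FileUpload source: a copy routine that discards the exception from OutputStream#close() reports success even when the final write failed, while a try-with-resources variant lets the error reach the caller. The class, method names and the failing stream are hypothetical and constructed for illustration.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;

// Added illustration; class and method names are hypothetical, not from DiskFileItem.
public class CloseErrorDemo {

    // Constructed stand-in for a file stream whose final flush fails at close()
    // (for example disk full, quota exceeded, or a network filesystem error).
    static class FailsOnClose extends ByteArrayOutputStream {
        @Override
        public void close() throws IOException {
            throw new IOException("simulated write failure on close");
        }
    }

    // Unsafe pattern: the close() failure is discarded, so the caller sees success.
    static boolean copySwallowingClose(InputStream in, OutputStream out) throws IOException {
        try {
            copy(in, out);
        } finally {
            try { out.close(); } catch (IOException ignored) { /* error lost here */ }
        }
        return true; // reported as success even though the data may be incomplete
    }

    // Safe pattern: try-with-resources closes the stream and lets the IOException propagate.
    static boolean copyPropagatingClose(InputStream in, OutputStream out) throws IOException {
        try (OutputStream o = out) {
            copy(in, o);
        }
        return true; // reached only if write and close both succeeded
    }

    static void copy(InputStream in, OutputStream out) throws IOException {
        byte[] buf = new byte[8192];
        for (int n; (n = in.read(buf)) != -1; ) out.write(buf, 0, n);
    }

    public static void main(String[] args) throws IOException {
        byte[] upload = "constructed upload body".getBytes(StandardCharsets.UTF_8);
        System.out.println("swallowing: " + copySwallowingClose(new ByteArrayInputStream(upload), new FailsOnClose()));
        try {
            copyPropagatingClose(new ByteArrayInputStream(upload), new FailsOnClose());
        } catch (IOException e) {
            System.out.println("propagating: " + e.getMessage());
        }
    }
}
```

For an upload handler the practical consequence of the first variant is a truncated or empty file stored as if it were complete, so the close() result belongs in the same error path as the write itself.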
