Return-Path: X-Original-To: apmail-commons-issues-archive@minotaur.apache.org Delivered-To: apmail-commons-issues-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 0554417356 for ; Fri, 10 Jul 2015 08:22:05 +0000 (UTC) Received: (qmail 62929 invoked by uid 500); 10 Jul 2015 08:22:04 -0000 Delivered-To: apmail-commons-issues-archive@commons.apache.org Received: (qmail 62818 invoked by uid 500); 10 Jul 2015 08:22:04 -0000 Mailing-List: contact issues-help@commons.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: issues@commons.apache.org Delivered-To: mailing list issues@commons.apache.org Received: (qmail 62802 invoked by uid 99); 10 Jul 2015 08:22:04 -0000 Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 10 Jul 2015 08:22:04 +0000 Date: Fri, 10 Jul 2015 08:22:04 +0000 (UTC) From: "David (JIRA)" To: issues@commons.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Commented] (FILEUPLOAD-235) FileItem.getName() does not conform to the Java File.getName behaviour and *returns* a full path when provided with one MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 [ https://issues.apache.org/jira/browse/FILEUPLOAD-235?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14621972#comment-14621972 ] David commented on FILEUPLOAD-235: ---------------------------------- [~jochen@apache.org] that's why I was asking to make this change in the next major version release. As per the issue description: {quote} The rational for this change is to make it less easy to shoot oneself in the foot (in no modern web application is a 'full filepath' useful, especially when most browsers do not send one!). {quote} Also, afaik internet explorer is the only browser to send the 'full filepath' for a file upload. If you wish to keep a potential security hazard in the code so be it. > FileItem.getName() does not conform to the Java File.getName behaviour and *returns* a full path when provided with one > ----------------------------------------------------------------------------------------------------------------------- > > Key: FILEUPLOAD-235 > URL: https://issues.apache.org/jira/browse/FILEUPLOAD-235 > Project: Commons FileUpload > Issue Type: Bug > Affects Versions: 1.3 > Reporter: David > Assignee: Jochen Wiedmann > Priority: Minor > Fix For: 2.x > > > I understand that FileItem is simply following RFC 1867, but the implementation of 'getName' > method on a file related class IMHO should follow the behaviour of the java File class which > bq. Returns the name of the file or directory denoted by this abstract pathname. This is just the last name in the pathname's name sequence. If the pathname's name sequence is empty, then the empty string is returned. http://docs.oracle.com/javase/7/docs/api/java/io/File.html#getName() > I propose that FileItem.getName() is changed to *match* the java File class behaviour and that another method called something like 'getRawName' be added to the FileItem class. The rational for this change is to make it less easy to shoot oneself in the foot (in no modern web application is a 'full filepath' useful, especially when most browsers do not send one!). -- This message was sent by Atlassian JIRA (v6.3.4#6332)