commons-user mailing list archives

From Martin Cooper <mfncoo...@gmail.com>
Subject Re: invalid file path
Date Fri, 17 Dec 2004 19:20:48 GMT
On Fri, 17 Dec 2004 11:12:58 -0800 (PST), Joe Smith <apngss@yahoo.com> wrote:
> Howard,
> 
> yes, I am using item.getName(), so when I do the upload, I should create the file without
> the path, just the file name only, and it will append that file as HTTP request? Like you
> said, I should use test.java, instead of C:\test.java, or C:/test.java? Is that the point
> here? please advise more. thanks
> 

You definitely should never be trying to store a file on the server
using a path provided by the client. That is a recipe for disaster.
Just imagine the consequences of a user uploading a critical system
file that would then be clobbered on the server.

If you need to preserve the original name of the file itself, you
should strip the path off the front of the file name first. (Note that
not all browsers provide the path - some only provide the base file
name in the first place, which is much more sane and secure.) However,
I would recommend that you not try to use the name of the file in the
server file system, and just keep that information around as metadata
if you need it.

--
Martin Cooper


> Howard Lin <xuhua.lin@gmail.com> wrote:
> I guess probably you are using the file name from item.getName() to
> create a File and pass it to write. The file name may contain the client
> machine path. For example, you will get c:/test.java instead of
> test.java if the user types c:/test.java. So what I do is always strip
> path from the file name. Hope this helps.
> 
> Howard
> 
> On Wed, 15 Dec 2004 18:25:44 -0800 (PST), Joe Smith wrote:
> >
> > I am using common file upload API in the java program, and it is able to upload
> > any files except when the user tries to enter the backslash, or double slashes (//) in the browse
> > file text box, not using browse button. For example, C:/test.java will produce the following
> > error. But if I do C:\test.java, then it's perfect
> >
> > A file or directory in the path name does not exist.) at java.io.FileOutputStream.open(Native
> > Method) at java.io.FileOutputStream.<init>(FileOutputStream.java(Compiled Code)) at
> > java.io.FileOutputStream.<init>(FileOutputStream.java(Inlined Compiled Code)) at
> > org.apache.commons.fileupload.DefaultFileItem.write(DefaultFileItem.java(Compiled Code))
> >
> > so the only workaround is to implement javascript myself? Maybe common file upload
> > doesn't take care of those cases.
> >
> > please advise. thanks

---------------------------------------------------------------------
To unsubscribe, e-mail: commons-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: commons-user-help@jakarta.apache.org
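
The advice in the reply above (strip the client path, store under a server-chosen name, keep the original name only as metadata), as an added example that is not part of the original thread and is not Commons FileUpload code. The names SafeUploadStore, StoredUpload, baseName and store are hypothetical, the sample names are constructed, and Java 16 or later is assumed; in a servlet the name would come from item.getName() and the stream from item.getInputStream().

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.UUID;

public class SafeUploadStore {
    /** What the application records for each upload (hypothetical type). */
    record StoredUpload(Path storedAs, String originalName) {}

    /** Strip any client path; handles both '/' and '\' whatever the server OS is. */
    static String baseName(String clientName) {
        if (clientName == null) return "";
        int cut = Math.max(clientName.lastIndexOf('/'), clientName.lastIndexOf('\\'));
        return clientName.substring(cut + 1).trim();
    }

    /** Store content under a server-generated name; the client name is metadata only. */
    static StoredUpload store(Path uploadDir, String clientName, InputStream content)
            throws IOException {
        Path root = uploadDir.toRealPath();
        Path target = root.resolve(UUID.randomUUID() + ".upload").normalize();
        if (!target.startsWith(root)) {      // defensive: a UUID name cannot leave root
            throw new IOException("target escapes upload directory");
        }
        Files.copy(content, target);         // refuses to overwrite an existing file
        return new StoredUpload(target, baseName(clientName));
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("uploads");  // constructed upload directory
        // Constructed sample values of the kind a browser may send as the file name.
        String[] names = { "C:\\test.java", "C:/test.java", "test.java",
                           "..\\..\\test.java", "/etc/hosts" };
        for (String n : names) {
            // Stands in for item.getInputStream() in a real upload handler.
            InputStream in = new ByteArrayInputStream("demo".getBytes());
            StoredUpload u = store(dir, n, in);
            System.out.printf("%-20s -> %s (original name kept: %s)%n",
                    n, u.storedAs().getFileName(), u.originalName());
        }
    }
}
```

Because the on-disk name never derives from client input, a hostile or malformed path can neither overwrite an existing file nor produce the "path name does not exist" failure seen in the original report.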

