commons-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Wade Chandler <wchand...@redesetgrow.com>
Subject Re: invalid file path
Date Fri, 17 Dec 2004 20:21:17 GMT
Chuck & Danielle Slate wrote:
> Hi Joe.
> 
> I think I had the same issue as Howard is mentioning.  Specifically,
> FileUpload parses requests that adhere to the RFC 1867.  The problem is that
> while RFC 1867 recommends a browser include the filename it is sending,
> which is why you can use getFileName(), it doesn't specify whether or not
> the browser should include just the filename or the filename and the path to
> it on the local file system.  As a result, some browsers only include the
> actual file name, e.g., myfile.txt, in which case you won't run into the
> issue you are seeing.  Other browsers, however, IE and Opera, include the
> entire path, e.g., c:\windows\myfile.txt.
> 
> So assume the original filename (on the client file system) was indeed
> c:\windows\myfile.txt and you instructed FileUpload to use /var/uploads/ as
> its target directory when writing the file.  If the sending browser is IE,
> FileUpload will actually attempt to write the file to
> /var/uploads/c:\windows\myfile.txt, which is of course going to cause an
> exception.
> 
> Below is a snippet of some string manipulation I did to look for and strip
> off everything but the file name.  There may be a better way, but it worked
> for me.  I hope it is helpful:
> 
> 
> 	private final String DESTINATIONDIR = "c:\\uploads\\";
> 
> 				...
> 
> 				FileItem fi = (FileItem)iter.next();
> 				String origFileName = fi.getName().trim();
> 
> 				// Error if an attempt to upload a blank filename was made
> 				if(origFileName.length() < 1 || origFileName == null)
> 				{
> 					throw new Exception("The filename was not specified.");
> 				}
> 
> 				// String to be used once the original file name has been verified
> 				String normalizedFileName = origFileName;
> 
> 				// Check to see if a Windows browser passed in the entire path (looking
> for a colon in the file name)
> 				// If so, remove the path information - leaving just the file name
> 				if (normalizedFileName.indexOf(":") != -1)
> 				{
> 					int charValue = normalizedFileName.lastIndexOf("\\");
> 					normalizedFileName = normalizedFileName.substring(charValue+1);
> 				}
> 				// Check to see if a UNIX browser passed in the entire path (instead of
> just the file name)
> 				// If so, remove the path information - leaving just the file name
> 				if (normalizedFileName.indexOf("/") != -1)
> 				{
> 					int charValue = normalizedFileName.lastIndexOf("/");
> 					normalizedFileName = normalizedFileName.substring(charValue+1);
> 				}
> 				// Define the destination location and name for the new file and create
> it
> 				String destinationFileName = DESTINATIONDIR+normalizedFileName;
> 				File uploadedFile = new File(destinationFileName);
> 
> 				// Write the new file to its destination location
> 				fi.write(uploadedFile);
> 
> 
> Chuck
> 
> 
> 
> 
> 
> 
>  -----Original Message-----
> From: 	Joe Smith [mailto:apngss@yahoo.com]
> Sent:	Friday, December 17, 2004 2:13 PM
> To:	Jakarta Commons Users List; Howard Lin
> Subject:	Re: invalid file path
> 
> Howard,
> 
> yes, I am using item.getName(), so when I do the upload, I should create the
> file without the path, just the file name only, and it will append that file
> as HTTP request? Like you said, I shoudl use test.java, instead of
> C:\test.java, or C:/test.java? Is that the point here? please advise more.
> thanks
> 
> 
> Howard Lin <xuhua.lin@gmail.com> wrote:
> I guess probably you are using the file name from item.getName() to
> create a File and pass it to write. The file name may contains client
> machine path. For example, you will get c:/test.java instead of
> test.java if the user type c:/test.java. So what I do is always strip
> path from the file name. Hope this helps.
> 
> Howard
> 
> On Wed, 15 Dec 2004 18:25:44 -0800 (PST), Joe Smith wrote:
> 
>>I am using common file upload API in the java program, and it is able to
> 
> upload any files except the user tries to enter the backslash, or double
> slashes (//) in the browse file text box, not using browse button. For
> example, C:/test.java will produces the following error. But if I do
> C:\test.java, then it's perfect
> 
>>A file or directory in the path name does not exist.) at
> 
> java.io.FileOutputStream.open(Native Method) at
> java.io.FileOutputStream.(FileOutputStream.java(Compiled Code)) at
> java.io.FileOutputStream.(FileOutputStream.java(Inlined Compiled Code)) at
> org.apache.commons.fileupload.DefaultFileItem.write(DefaultFileItem.java(Com
> piled Code))
> 
>>so the only workaround is to implement javascript myself? Maybe common
> 
> file upload doesn't take care of those cases.
> 
>>please advise. thanks
>>
>>
>>---------------------------------
>>Do you Yahoo!?
>>The all-new My Yahoo! b
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: commons-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: commons-user-help@jakarta.apache.org
> 
> 
> 

You can just do this.....

java.io.File f = new java.io.File(fileNameString);
fileNameString = f.getName();

I think the File class will handle that bit of code no matter what os 
and file name.  The name will be returned with only the last name in the 
path name.  The path parsing code works on all platforms the same way as 
you can use \\ and / in the file names on any OS in java and it will 
convert them correctly.  You can check the java docs if you'd like, but 
that will do it for you without any extra code.  Simple enough...two 
lines....try it out.

Wade


---------------------------------------------------------------------
To unsubscribe, e-mail: commons-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: commons-user-help@jakarta.apache.org


Mime
View raw message