commons-user mailing list archives

From "Chuck & Danielle Slate" <>
Subject RE: invalid file path
Date Fri, 17 Dec 2004 19:43:46 GMT
Hi Joe.

I think I had the same issue as Howard is mentioning.  Specifically,
FileUpload parses requests that adhere to the RFC 1867.  The problem is that
while RFC 1867 recommends a browser include the filename it is sending,
which is why you can use getFileName(), it doesn't specify whether or not
the browser should include just the filename or the filename and the path to
it on the local file system.  As a result, some browsers only include the
actual file name, e.g., myfile.txt, in which case you won't run into the
issue you are seeing.  Other browsers, however, IE and Opera, include the
entire path, e.g., c:\windows\myfile.txt.

So assume the original filename (on the client file system) was indeed
c:\windows\myfile.txt and you instructed FileUpload to use /var/uploads/ as
its target directory when writing the file.  If the sending browser is IE,
FileUpload will actually attempt to write the file to
/var/uploads/c:\windows\myfile.txt, which is of course going to cause an

Below is a snippet of some string manipulation I did to look for and strip
off everything but the file name.  There may be a better way, but it worked
for me.  I hope it is helpful:

	import java.io.File;
	import org.apache.commons.fileupload.FileItem;

	private final String DESTINATIONDIR = "c:\\uploads\\";


				// "iter" is assumed here: an Iterator over the items returned by parseRequest()
				FileItem fi = (FileItem) iter.next();
				String origFileName = fi.getName();

				// Error if an attempt to upload a blank filename was made
				// (null is tested first so that trim() and length() cannot throw)
				if (origFileName == null || origFileName.trim().length() < 1)
					throw new Exception("The filename was not specified.");
				origFileName = origFileName.trim();

				// String to be used once the original file name has been verified
				String normalizedFileName = origFileName;

				// Check to see if a Windows browser passed in the entire path (looking for a colon in the file name)
				// If so, remove the path information - leaving just the file name
				if (normalizedFileName.indexOf(":") != -1) {
					int charValue = normalizedFileName.lastIndexOf("\\");
					normalizedFileName = normalizedFileName.substring(charValue+1);
				}
				// Check to see if a UNIX browser passed in the entire path (instead of just the file name)
				// If so, remove the path information - leaving just the file name
				if (normalizedFileName.indexOf("/") != -1) {
					int charValue = normalizedFileName.lastIndexOf("/");
					normalizedFileName = normalizedFileName.substring(charValue+1);
				}
				// Define the destination location and name for the new file and create
				String destinationFileName = DESTINATIONDIR+normalizedFileName;
				File uploadedFile = new File(destinationFileName);

				// Write the new file to its destination location
				fi.write(uploadedFile);


 -----Original Message-----
From: 	Joe Smith []
Sent:	Friday, December 17, 2004 2:13 PM
To:	Jakarta Commons Users List; Howard Lin
Subject:	Re: invalid file path


yes, I am using item.getName(), so when I do the upload, I should create the
file without the path, just the file name only, and it will append that file
as HTTP request? Like you said, I should use, instead of
C:\, or C:/ Is that the point here? please advise more.

Howard Lin <> wrote:
I guess probably you are using the file name from item.getName() to
create a File and pass it to write. The file name may contain client
machine path. For example, you will get c:/ instead of if the user types c:/ So what I do is always strip
path from the file name. Hope this helps.


On Wed, 15 Dec 2004 18:25:44 -0800 (PST), Joe Smith wrote:
> I am using common file upload API in the java program, and it is able to
> upload any files except when the user tries to enter the backslash, or double
> slashes (//) in the browse file text box, not using browse button. For
> example, C:/ will produce the following error. But if I do
> C:\, then it's perfect
> A file or directory in the path name does not exist.) at Method) at Code)) at Compiled Code)) at
> piled Code))
> so the only workaround is to implement javascript myself? Maybe common
> file upload doesn't take care of those cases.
> please advise. thanks

To unsubscribe, e-mail:
For additional commands, e-mail:
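
An added example, not part of the original messages or of Commons FileUpload: one way to reduce a client-supplied name to its last segment on both separators, with or without a drive colon, and to confirm that the resolved destination stays inside the upload directory. The class and method names are hypothetical, /var/uploads is the target directory used in the message above, and the sample inputs are constructed.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example: class, method names and sample inputs are hypothetical/constructed.
public class UploadNameSanitizer {

    // Reduce a client-supplied name (bare name, Windows path or UNIX path) to its last segment.
    static String baseName(String clientName) {
        if (clientName == null) {
            throw new IllegalArgumentException("The filename was not specified.");
        }
        String name = clientName.trim();
        // Strip on BOTH separators, whether or not a drive-letter colon is present.
        int cut = Math.max(name.lastIndexOf('/'), name.lastIndexOf('\\'));
        name = name.substring(cut + 1);
        // Reject empty names, dot segments, leftover colons and control characters.
        if (name.isEmpty() || name.equals(".") || name.equals("..")
                || name.indexOf(':') != -1 || name.chars().anyMatch(c -> c < 0x20)) {
            throw new IllegalArgumentException("Unusable filename: " + clientName);
        }
        return name;
    }

    // Resolve the name under uploadDir and confirm the result did not leave it.
    static Path destination(Path uploadDir, String clientName) throws IOException {
        Path base = uploadDir.toAbsolutePath().normalize();
        Path target = base.resolve(baseName(clientName)).normalize();
        if (!target.startsWith(base) || target.equals(base)) {
            throw new IOException("Destination escapes upload directory: " + target);
        }
        return target;
    }

    public static void main(String[] args) {
        Path uploadDir = Paths.get("/var/uploads"); // target directory from the message
        // Constructed inputs: bare name, IE-style path, UNIX path, relative paths, bad names.
        String[] samples = { "myfile.txt", "c:\\windows\\myfile.txt", "/home/user/myfile.txt",
                             "..\\..\\myfile.txt", "../myfile.txt", "..", "c:" };
        for (String s : samples) {
            try {
                System.out.println(s + " -> " + destination(uploadDir, s));
            } catch (IllegalArgumentException | IOException e) {
                System.out.println(s + " -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```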
