commons-user mailing list archives

From Corobitsyn Roman <>
Subject file-upload, tomcat and security trouble
Date Fri, 12 May 2006 13:10:03 GMT
Hello commons-user,

I have a question about file-upload, tomcat and security trouble.
So, my situations are:

    tomcat 5.5.15 with security policy
    simple webapp (upload.html + FileUploadServlet(see below))

    tomcat 5.5.15 with security policy
    simple webapp (upload.html + FileUploadServlet)

In the first case there are no security problems. If the webapp has no access
to the tmp directory, appears. This
behavior is expected.

In the second case, when using file-upload-1.1 and the webapp has no access to
the tmp directory, AccessControlException does not appear and the upload
process completes successfully. I think this is a very big hole.

My questions are:

1) What is my mistake?
2) Perhaps this is a tomcat problem?


Corobitsyn Roman
upload form is:
    <form METHOD=POST enctype='multipart/form-data' action="/servlet/upload">
        <input type=file name='file'>
        <input type=submit>
    </form>

and FileUploadServlet is

import javax.servlet.*;
import javax.servlet.http.*;
import java.io.*;    // IOException and PrintWriter; this import is missing in the archived message
import java.util.*;

import org.apache.commons.fileupload.*;

public class FileUploadServlet extends HttpServlet {

    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        DiskFileUpload upload = new DiskFileUpload();

        ServletContext context = getServletContext();
        String path = context.getRealPath("/");
        path +=  "/tmp";    // computed but never used below; DiskFileUpload spools to java.io.tmpdir by default

        response.setContentType("text/html; charset=windows-1251");
        PrintWriter out = response.getWriter();

        try {
            List /* FileItem */ items = upload.parseRequest(request);
            for (int i = 0, n = items.size(); i < n; i++) {
                final FileItem fileItem = (FileItem) items.get(i);
                out.println(fileItem.getString() + " " + items.get(i));
            }
        } catch (FileUploadException e) {
            // the catch body is cut off in the archived message; rethrow so the failure is not swallowed
            throw new ServletException(e);
        }
    }
}
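As an added example, not part of the original message: a variant of the servlet that pins the spool directory to the webapp's own tmp directory and asks the security manager about it itself, so a policy deny surfaces as AccessControlException in the servlet's protection domain before the library writes anything. It assumes the DiskFileUpload API of commons-fileupload 1.0/1.1 and Tomcat started with a security manager; the class name and the size limits are assumptions.

```java
import java.io.File;
import java.io.FilePermission;
import java.io.IOException;
import java.util.Iterator;
import java.util.List;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.fileupload.DiskFileUpload;
import org.apache.commons.fileupload.FileItem;
import org.apache.commons.fileupload.FileUploadException;
public class CheckedFileUploadServlet extends HttpServlet {
    // Assumed limits: spill to disk above 64 KiB, reject requests over 5 MiB.
    private static final int SIZE_THRESHOLD = 64 * 1024;
    private static final long SIZE_MAX = 5L * 1024 * 1024;
    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        // Pin the spool directory to the webapp's own tmp directory rather than
        // relying on java.io.tmpdir, so catalina.policy can name it explicitly.
        File repository = new File(getServletContext().getRealPath("/"), "tmp");
        // With a security manager installed, check write access to the spool
        // directory here, in the servlet's own protection domain: a deny in the
        // policy throws AccessControlException before any parsing happens.
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(new FilePermission(
                    repository.getPath() + File.separator + "-", "read,write,delete"));
        }
        DiskFileUpload upload = new DiskFileUpload();
        upload.setSizeThreshold(SIZE_THRESHOLD);
        upload.setRepositoryPath(repository.getPath());
        upload.setSizeMax(SIZE_MAX);
        try {
            List items = upload.parseRequest(request);
            for (Iterator it = items.iterator(); it.hasNext();) {
                FileItem item = (FileItem) it.next();
                if (item.isFormField()) continue;
                // Report metadata only; never echo the uploaded bytes to the client.
                response.getWriter().println(item.getFieldName() + ": " + item.getSize() + " bytes");
                item.delete(); // drop the spooled copy once it has been handled
            }
        } catch (FileUploadException e) {
            throw new ServletException("upload rejected", e);
        }
    }
}
```

If the library's own temp-file write still succeeds while this check is denied, comparing the two outcomes under the same policy isolates whether the permission is being evaluated in a different protection domain.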
