tomcat-dev mailing list archives

From ma...@apache.org
Subject svn commit: r1456885 - in /tomcat/trunk/java/org/apache/tomcat/util/http/fileupload: ./ disk/ servlet/ util/
Date Fri, 15 Mar 2013 10:57:08 GMT
Author: markt
Date: Fri Mar 15 10:57:08 2013
New Revision: 1456885

URL: http://svn.apache.org/r1456885
Log:
Merge updates from Commons FileUpload to r1453285

Modified:
    tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/   (props changed)
    tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/FileItem.java
    tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/FileItemHeaders.java
    tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/FileItemHeadersSupport.java
    tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java
    tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java
    tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/RequestContext.java
    tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/disk/DiskFileItem.java
    tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/disk/DiskFileItemFactory.java
    tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/servlet/ServletRequestContext.java
    tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/util/FileItemHeadersImpl.java

Propchange: tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/
------------------------------------------------------------------------------
  Merged /commons/proper/fileupload/trunk/src/main/java/org/apache/commons/fileupload:r1453231-1453285

Modified: tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/FileItem.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/FileItem.java?rev=1456885&r1=1456884&r2=1456885&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/FileItem.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/FileItem.java Fri Mar 15 10:57:08
2013
@@ -49,6 +49,7 @@ import java.io.UnsupportedEncodingExcept
  * @author <a href="mailto:martinc@apache.org">Martin Cooper</a>
  *
  * @version $Id$
+ * @since 1.3 additionally implements FileItemHeadersSupport
  */
 public interface FileItem extends Serializable, FileItemHeadersSupport {
 

Modified: tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/FileItemHeaders.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/FileItemHeaders.java?rev=1456885&r1=1456884&r2=1456885&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/FileItemHeaders.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/FileItemHeaders.java Fri Mar
15 10:57:08 2013
@@ -24,7 +24,7 @@ import java.util.Iterator;
  * request.</p>
  *
  * @author Michael C. Macaluso
- * @since 1.3
+ * @since 1.2.1
  */
 public interface FileItemHeaders {
 
@@ -71,4 +71,5 @@ public interface FileItemHeaders {
      *         any headers return an empty <code>Iterator</code>
      */
     Iterator<String> getHeaderNames();
+
 }

Modified: tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/FileItemHeadersSupport.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/FileItemHeadersSupport.java?rev=1456885&r1=1456884&r2=1456885&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/FileItemHeadersSupport.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/FileItemHeadersSupport.java Fri
Mar 15 10:57:08 2013
@@ -21,7 +21,7 @@ package org.apache.tomcat.util.http.file
  * implementations will accept the headers read for the item.
  *
  * @author Michael C. Macaluso
- * @since 1.3
+ * @since 1.2.1
  *
  * @see FileItem
  * @see FileItemStream
@@ -45,4 +45,5 @@ public interface FileItemHeadersSupport 
      *         for this instance.
      */
     void setHeaders(FileItemHeaders headers);
+
 }

Modified: tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java?rev=1456885&r1=1456884&r2=1456885&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java Fri Mar 15
10:57:08 2013
@@ -321,8 +321,8 @@ public abstract class FileUploadBase {
                     throw (FileUploadException) e.getCause();
                 } catch (IOException e) {
                     throw new IOFileUploadException(
-                            "Processing of " + MULTIPART_FORM_DATA
-                            + " request failed. " + e.getMessage(), e);
+                            String.format("Processing of %s request failed. ",
+                                    MULTIPART_FORM_DATA, e.getMessage()), e);
                 }
                 if (fileItem instanceof FileItemHeadersSupport) {
                     final FileItemHeaders fih = item.getHeaders();
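Review bot: The new format string in the `IOFileUploadException` throw has a single `%s` but receives two arguments, so `e.getMessage()` is silently discarded and the message now ends at "request failed. " with no detail. The removed concatenation included the underlying I/O message. Restore it with `String.format("Processing of %s request failed. %s", MULTIPART_FORM_DATA, e.getMessage())`. The cause is still chained, so only the message text regresses, but that text is what usually lands in logs when an upload is rejected. The enclosing method starts and ends outside the hunk.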
@@ -476,7 +476,7 @@ public abstract class FileUploadBase {
             if (start == end) {
                 break;
             }
-            String header = headerPart.substring(start, end);
+            StringBuilder header = new StringBuilder(headerPart.substring(start, end));
             start = end + 2;
             while (start < len) {
                 int nonWs = start;
@@ -492,10 +492,10 @@ public abstract class FileUploadBase {
                 }
                 // Continuation line found
                 end = parseEndOfLine(headerPart, nonWs);
-                header += " " + headerPart.substring(nonWs, end);
+                header.append(" ").append(headerPart.substring(nonWs, end));
                 start = end + 2;
             }
-            parseHeaderLine(headers, header);
+            parseHeaderLine(headers, header.toString());
         }
         return headers;
     }
@@ -601,12 +601,10 @@ public abstract class FileUploadBase {
                     if (pContentLength != -1
                             &&  pContentLength > fileSizeMax) {
                         FileSizeLimitExceededException e =
-                            new FileSizeLimitExceededException(
-                                "The field " + fieldName
-                                + " exceeds its maximum permitted "
-                                + " size of " + fileSizeMax
-                                + " bytes.",
-                                pContentLength, fileSizeMax);
+                                new FileSizeLimitExceededException(String.format(
+                                        "The field %s exceeds its maximum permitted size
of %s bytes.",
+                                        fieldName, Long.valueOf(fileSizeMax)),
+                                        pContentLength, fileSizeMax);
                         e.setFileName(pName);
                         e.setFieldName(pFieldName);
                         throw new FileUploadIOException(e);
@@ -617,12 +615,10 @@ public abstract class FileUploadBase {
                                 throws IOException {
                             itemStream.close(true);
                             FileSizeLimitExceededException e =
-                                new FileSizeLimitExceededException(
-                                    "The field " + fieldName
-                                    + " exceeds its maximum permitted "
-                                    + " size of " + pSizeMax
-                                    + " bytes.",
-                                    pCount, pSizeMax);
+                                    new FileSizeLimitExceededException(String.format(
+                                            "The field %s exceeds its maximum permitted size
of %s bytes.",
+                                           fieldName, Long.valueOf(pSizeMax)),
+                                           pCount, pSizeMax);
                             e.setFieldName(fieldName);
                             e.setFileName(name);
                             throw new FileUploadIOException(e);
@@ -768,41 +764,34 @@ public abstract class FileUploadBase {
             String contentType = ctx.getContentType();
             if ((null == contentType)
                     || (!contentType.toLowerCase(Locale.ENGLISH).startsWith(MULTIPART)))
{
-                throw new InvalidContentTypeException(
-                        "the request doesn't contain a "
-                        + MULTIPART_FORM_DATA
-                        + " or "
-                        + MULTIPART_MIXED
-                        + " stream, content type header is "
-                        + contentType);
+                throw new InvalidContentTypeException(String.format(
+                        "the request doesn't contain a %s or %s stream, content type header
is %s",
+                        MULTIPART_FORM_DATA, MULTIPART_FORM_DATA, contentType));
             }
 
             InputStream input = ctx.getInputStream();
 
             if (sizeMax >= 0) {
-                int requestSize = ctx.getContentLength();
+                long requestSize = ctx.contentLength();
                 if (requestSize == -1) {
                     input = new LimitedInputStream(input, sizeMax) {
                         @Override
                         protected void raiseError(long pSizeMax, long pCount)
                                 throws IOException {
-                            FileUploadException ex =
-                                new SizeLimitExceededException(
-                                    "the request was rejected because"
-                                    + " its size (" + pCount
-                                    + ") exceeds the configured maximum"
-                                    + " (" + pSizeMax + ")",
+                            FileUploadException ex = new SizeLimitExceededException(String.format(
+                                    "the request was rejected because its size (%s) exceeds
the configured maximum (%s)",
+                                    Long.valueOf(pCount),
+                                    Long.valueOf(pSizeMax)),
                                     pCount, pSizeMax);
                             throw new FileUploadIOException(ex);
                         }
                     };
                 } else {
                     if (sizeMax >= 0 && requestSize > sizeMax) {
-                        throw new SizeLimitExceededException(
-                                "the request was rejected because its size ("
-                                + requestSize
-                                + ") exceeds the configured maximum ("
-                                + sizeMax + ")",
+                        throw new SizeLimitExceededException(String.format(
+                                "the request was rejected because its size (%s) exceeds the
configured maximum (%s)",
+                                Long.valueOf(requestSize),
+                                Long.valueOf(sizeMax)),
                                 requestSize, sizeMax);
                     }
                 }
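Review bot: The `InvalidContentTypeException` message is formatted with `MULTIPART_FORM_DATA` twice, so it names the same type on both sides of "or". The removed lines used `MULTIPART_MIXED` for the second slot, and the argument line should read `MULTIPART_FORM_DATA, MULTIPART_MIXED, contentType));`. Separately, `contentType` is taken from the request and echoed verbatim into the message, so code that logs or displays this exception should treat that text as untrusted. The inner `sizeMax >= 0 &&` test is redundant inside the enclosing `if (sizeMax >= 0)`. The enclosing block starts and ends outside the hunk.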
@@ -815,13 +804,11 @@ public abstract class FileUploadBase {
 
             boundary = getBoundary(contentType);
             if (boundary == null) {
-                throw new FileUploadException(
-                        "the request was rejected because "
-                        + "no multipart boundary was found");
+                throw new FileUploadException("the request was rejected because no multipart
boundary was found");
             }
 
             notifier = new MultipartStream.ProgressNotifier(listener,
-                    ctx.getContentLength());
+                    ctx.contentLength());
             multi = new MultipartStream(input, boundary, notifier);
             multi.setHeaderEncoding(charEncoding);
 
@@ -1060,6 +1047,7 @@ public abstract class FileUploadBase {
          * Retrieves the actual size of the request.
          *
          * @return The actual size of the request.
+         * @since 1.3
          */
         public long getActualSize() {
             return actual;
@@ -1069,6 +1057,7 @@ public abstract class FileUploadBase {
          * Retrieves the permitted size of the request.
          *
          * @return The permitted size of the request.
+         * @since 1.3
          */
         public long getPermittedSize() {
             return permitted;

Modified: tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java?rev=1456885&r1=1456884&r2=1456885&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java Fri Mar
15 10:57:08 2013
@@ -474,9 +474,9 @@ public class MultipartStream {
                 throw new MalformedStreamException("Stream ended unexpectedly");
             }
             if (++size > HEADER_PART_SIZE_MAX) {
-                throw new MalformedStreamException(
-                        "Header section has more than " + HEADER_PART_SIZE_MAX
-                        + " bytes (maybe it is not properly terminated)");
+                throw new MalformedStreamException(String.format(
+                        "Header section has more than %s bytes (maybe it is not properly
terminated)",
+                        Integer.valueOf(HEADER_PART_SIZE_MAX)));
             }
             if (b == HEADER_SEPARATOR[i]) {
                 i++;

Modified: tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/RequestContext.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/RequestContext.java?rev=1456885&r1=1456884&r2=1456885&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/RequestContext.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/RequestContext.java Fri Mar 15
10:57:08 2013
@@ -50,8 +50,9 @@ public interface RequestContext {
      * Retrieve the content length of the request.
      *
      * @return The content length of the request.
+     * @since 1.3
      */
-    int getContentLength();
+    long contentLength();
 
     /**
      * Retrieve the input stream for the request.
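Review bot: The Javadoc for the new `contentLength()` does not state the "unknown" sentinel, although `FileUploadBase` in this commit depends on it: it wraps the input in a `LimitedInputStream` only when the value is exactly `-1`. I would document that contract on the interface, for example `@return The content length of the request, or -1 if it is unknown or cannot be parsed.`, so other `RequestContext` implementations do not return a different negative value. Replacing `int getContentLength()` rather than adding to it also breaks any existing implementer of this interface; this is presumably acceptable for Tomcat's internal copy, but worth confirming.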

Modified: tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/disk/DiskFileItem.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/disk/DiskFileItem.java?rev=1456885&r1=1456884&r2=1456885&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/disk/DiskFileItem.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/disk/DiskFileItem.java Fri Mar
15 10:57:08 2013
@@ -600,7 +600,7 @@ public class DiskFileItem
             }
 
             String tempFileName =
-                "upload_" + UID + "_" + getUniqueId() + ".tmp";
+                    String.format("upload_%s_%s.tmp", UID, getUniqueId());
 
             tempFile = new File(tempDir, tempFileName);
         }
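Review bot: The temp file name assigned to `tempFileName` is still fully predictable after the switch to `String.format`, and nothing at this site says so. This is the property the Javadoc NOTE added to `DiskFileItemFactory` in this same commit warns about. A short comment at the point of use would keep the two in step, e.g. `// Predictable name: the repository must not be writable by untrusted local users (see DiskFileItemFactory).` How the file is later opened is not visible in this hunk, so whether creation itself is exclusive cannot be judged from here. The enclosing method starts and ends outside the hunk.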
@@ -638,15 +638,9 @@ public class DiskFileItem
      */
     @Override
     public String toString() {
-        return "name=" + this.getName()
-            + ", StoreLocation="
-            + String.valueOf(this.getStoreLocation())
-            + ", size="
-            + this.getSize()
-            + "bytes, "
-            + "isFormField=" + isFormField()
-            + ", FieldName="
-            + this.getFieldName();
+        return String.format("name=%s, StoreLocation=%s, size=%s bytes, isFormField=%s, FieldName=%s",
+                      getName(), getStoreLocation(), Long.valueOf(getSize()),
+                      Boolean.valueOf(isFormField()), getFieldName());
     }
 
     // -------------------------------------------------- Serialization methods

Modified: tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/disk/DiskFileItemFactory.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/disk/DiskFileItemFactory.java?rev=1456885&r1=1456884&r2=1456885&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/disk/DiskFileItemFactory.java
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/disk/DiskFileItemFactory.java
Fri Mar 15 10:57:08 2013
@@ -33,12 +33,23 @@ import org.apache.tomcat.util.http.fileu
  * created.</p>
  *
  * <p>If not otherwise configured, the default configuration values are as
- * follows:
+ * follows:</p>
  * <ul>
  *   <li>Size threshold is 10KB.</li>
  *   <li>Repository is the system default temp directory, as returned by
  *       <code>System.getProperty("java.io.tmpdir")</code>.</li>
  * </ul>
+ * <p>
+ * <b>NOTE</b>: Files are created in the system default temp directory with
+ * predictable names. This means that a local attacker with write access to that
+ * directory can perform a TOUTOC attack to replace any uploaded file with a
+ * file of the attackers choice. The implications of this will depend on how the
+ * uploaded file is used but could be significant. When using this
+ * implementation in an environment with local, untrusted users,
+ * {@link #setRepository(File)} MUST be used to configure a repository location
+ * that is not publicly writable. In a Servlet container the location identified
+ * by the ServletContext attribute <code>javax.servlet.context.tempdir</code>
+ * may be used.
  * </p>
  *
  * <p>Temporary files, which are created for file items, should be
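Review bot: The new security NOTE misspells the attack class as "TOUTOC"; it should read `TOCTOU` (time-of-check to time-of-use) so that readers searching for the term find it, and "attackers choice" should be `attacker's choice`. The guidance itself is the important part of this hunk, since the default repository is the shared `java.io.tmpdir`. It may be worth adding one sentence saying the configured repository should be owned by, and writable only by, the account the application runs as. The Javadoc block continues outside the hunk.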

Modified: tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/servlet/ServletRequestContext.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/servlet/ServletRequestContext.java?rev=1456885&r1=1456884&r2=1456885&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/servlet/ServletRequestContext.java
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/servlet/ServletRequestContext.java
Fri Mar 15 10:57:08 2013
@@ -21,6 +21,7 @@ import java.io.InputStream;
 
 import javax.servlet.http.HttpServletRequest;
 
+import org.apache.tomcat.util.http.fileupload.FileUploadBase;
 import org.apache.tomcat.util.http.fileupload.RequestContext;
 
 
@@ -80,10 +81,17 @@ public class ServletRequestContext imple
      * Retrieve the content length of the request.
      *
      * @return The content length of the request.
+     * @since 1.3
      */
     @Override
-    public int getContentLength() {
-        return request.getContentLength();
+    public long contentLength() {
+        long size;
+        try {
+            size = Long.parseLong(request.getHeader(FileUploadBase.CONTENT_LENGTH));
+        } catch (NumberFormatException e) {
+            size = -1;
+        }
+        return size;
     }
 
     /**
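Review bot: `contentLength()` now returns whatever `Long.parseLong` yields from the raw header, so a negative value other than `-1` is passed through unchanged. In `FileUploadBase` that value takes neither the `requestSize == -1` branch, which installs the `LimitedInputStream`, nor the `requestSize > sizeMax` rejection, so `sizeMax` would go unenforced if the container ever lets such a header reach this code. Normalising here closes the gap regardless of container behaviour: add `if (size < 0) { size = -1; }` before `return size;`. A missing header is already covered, since `Long.parseLong(null)` throws `NumberFormatException`, though a brief comment saying so would help the next reader.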
@@ -106,7 +114,7 @@ public class ServletRequestContext imple
     @Override
     public String toString() {
         return String.format("ContentLength=%s, ContentType=%s",
-                      Integer.valueOf(this.getContentLength()),
+                      Long.valueOf(this.contentLength()),
                       this.getContentType());
     }
 

Modified: tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/util/FileItemHeadersImpl.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/util/FileItemHeadersImpl.java?rev=1456885&r1=1456884&r2=1456885&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/util/FileItemHeadersImpl.java
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/util/FileItemHeadersImpl.java
Fri Mar 15 10:57:08 2013
@@ -32,7 +32,7 @@ import org.apache.tomcat.util.http.fileu
  * Default implementation of the {@link FileItemHeaders} interface.
  *
  * @author Michael C. Macaluso
- * @since 1.3
+ * @since 1.2.1
  */
 public class FileItemHeadersImpl implements FileItemHeaders, Serializable {
 



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

