tomcat-users mailing list archives

From "" <>
Subject Re: Servlet 3.0 File Upload
Date Tue, 06 Sep 2011 19:43:50 GMT

Hi Chris,
> It seems dangerous to allow the client to specify the file name. All
> kinds of bad things can happen such as specifying special file names
> (does "PRN" still work in win32? through Java?) or overwriting files
> from other clients.
> I would highly recommend that some portion of the temporary file name
> be completely random, as well as using something keyed on the request
> to disambiguate the file as well.

Did you read my other reply to that thread? ;-)

Of course, I don't use that filename to save that file on the server (I assumed it is completely
clear that one wouldn't do this). But I want to use the filename for display purposes.
E.g., I have a web application where the user can upload pictures, combined to a picture gallery
( , it is a German site however, using TC 7). On uploading,
the server reads the submitted filename and stores it in a field in the corresponding DB entry
(without the file ending). Then it generates a filename based on the DB Row-ID (not on the
filename) to actually store that image.
When the user visits the site, it displays miniature icons, using the filename field of the
DB entry as description. Or, if the user chooses to download the file, I can append a "Content-Disposition"
header (javax.mail.internet.ContentDisposition) and set a "filename" parameter, so the user's
browser download dialog can display the original filename (or a new name, if he edited the
entry), without the actual URL having to contain that filename.  :)


Konstantin Preißer
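
The scheme described in the message above, as an added example that is not part of the original post or of Tomcat: the client-supplied name becomes a display label only, the stored file is named from the DB row ID, and the label comes back in a `Content-Disposition` value on download. The class and method names, the `img_` prefix, the `.bin` suffix and the 100-character limit are assumptions made for this sketch, and the header is built by hand rather than with `javax.mail.internet.ContentDisposition`.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;

// Added illustration; all names here are hypothetical.
public class UploadNames {

    // Client-supplied name -> label for the DB and for display; never used as a server path.
    static String displayName(String submitted) {
        if (submitted == null) return "unnamed";
        // Some browsers send a full client path; keep only the last segment.
        int cut = Math.max(submitted.lastIndexOf('/'), submitted.lastIndexOf('\\')) + 1;
        String s = submitted.substring(cut);
        int dot = s.lastIndexOf('.');
        if (dot > 0) s = s.substring(0, dot);   // stored without the file ending
        // Strip control characters (CR/LF included) so the label cannot split a header.
        s = s.replaceAll("\\p{Cntrl}", "").trim();
        if (s.length() > 100) s = s.substring(0, 100);
        return s.isEmpty() ? "unnamed" : s;
    }

    // The on-disk name is derived from the DB row ID alone (prefix and suffix are assumptions).
    static String storageName(long rowId) {
        return "img_" + rowId + ".bin";
    }

    // Header value with an ASCII fallback in filename= and the full name in
    // RFC 5987 filename*=, percent-encoded as UTF-8.
    static String contentDisposition(String label, String ext) throws UnsupportedEncodingException {
        String name = label + "." + ext;
        String ascii = name.replaceAll("[^A-Za-z0-9._ -]", "_");
        String utf8 = URLEncoder.encode(name, "UTF-8")
                .replace("+", "%20").replace("*", "%2A");
        return "attachment; filename=\"" + ascii + "\"; filename*=UTF-8''" + utf8;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs, including hostile ones.
        String[] samples = {
            "C:\\Users\\me\\Urlaub Ostsee.jpg", "../../etc/passwd",
            "PRN", "x\r\nSet-Cookie: a=b.png", "Grüße \"2011\".jpg"
        };
        long rowId = 4711;
        for (String s : samples) {
            String label = displayName(s);
            System.out.println(storageName(rowId++) + "  label=[" + label + "]  "
                    + contentDisposition(label, "jpg"));
        }
    }
}
```

The label is cleaned for header use only; it still needs HTML escaping when it is rendered as the thumbnail description.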
