tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Servlet 3.0 File Upload
Date Tue, 06 Sep 2011 19:07:11 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Konstantin,

On 9/3/2011 11:51 AM, Konstantin Preißer wrote:
> What I usually do to get the filename is:
> 
> import javax.mail.internet.ContentDisposition; // JavaMail's Content-Disposition parser
> import javax.mail.internet.ParseException;
> 
> Part uploadPart = request.getPart("uploadfield"); // get the Part
> String contDispoHeader = uploadPart.getHeader("Content-Disposition"); // get Content-Disposition header
> String uploadFilename = null;
> if (contDispoHeader != null) {
>     try {
>         uploadFilename = new ContentDisposition(contDispoHeader).getParameter("filename");
>     } catch (ParseException e) {
>         // malformed header: leave uploadFilename as null
>     }
> }

It seems dangerous to allow the client to specify the file name. All
kinds of bad things can happen such as specifying special file names
(does "PRN" still work in win32? through Java?) or overwriting files
from other clients.

I would highly recommend that some portion of the temporary file name
be completely random, as well as using something keyed on the request
to disambiguate the file as well.

I usually just use File.createTempFile, though performance of that
method can be less than ideal.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk5mb14ACgkQ9CaO5/Lv0PAYTACgi6ldsMdMYH4v3XLdfv5J6+U4
zh8An17xhq5gBZ1FJ5ElFLzXd1XVLX0q
=groU
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
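Chris's advice above, as an added example (not code from this thread, from Konstantin, or from Tomcat itself): the client-supplied name is parsed only for display, and the file on disk gets a name built from a SecureRandom value, a token keyed on the request's session, and File.createTempFile. The servlet mapping, the "uploadfield" field name, the upload directory and the hand-rolled Content-Disposition regex (standing in for JavaMail's ContentDisposition used in the quoted post) are assumptions.

```java
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.StandardCopyOption;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import javax.servlet.ServletException;
import javax.servlet.annotation.MultipartConfig;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.Part;

@WebServlet("/upload")
@MultipartConfig(maxFileSize = 10L * 1024 * 1024)
public class SafeUploadServlet extends HttpServlet {

    // Hypothetical upload directory outside the web root; the location is an assumption.
    private static final File UPLOAD_DIR =
            new File(System.getProperty("java.io.tmpdir"), "app-uploads");
    private static final SecureRandom RANDOM = new SecureRandom();
    // Win32 device names are special whatever the extension ("PRN.txt" still means the printer).
    private static final Set<String> WIN32_RESERVED = new HashSet<>(Arrays.asList(
            "CON", "PRN", "AUX", "NUL",
            "COM1", "COM2", "COM3", "COM4", "COM5", "COM6", "COM7", "COM8", "COM9",
            "LPT1", "LPT2", "LPT3", "LPT4", "LPT5", "LPT6", "LPT7", "LPT8", "LPT9"));
    // Matches filename="..." or a bare filename=token; quoted values may contain ';'.
    private static final Pattern FILENAME =
            Pattern.compile("filename=(?:\"([^\"]*)\"|([^;\\s]+))");

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Part part = req.getPart("uploadfield");
        if (part == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "missing uploadfield");
            return;
        }

        // The client-supplied name is metadata only: echoed to the user and logged, never used on disk.
        String displayName = sanitizeForDisplay(clientFilename(part.getHeader("Content-Disposition")));

        // The on-disk name is ours: random plus request-keyed, created atomically by createTempFile.
        File stored = storageFile(req);
        try (InputStream in = part.getInputStream()) {
            Files.copy(in, stored.toPath(), StandardCopyOption.REPLACE_EXISTING);
        }
        part.delete(); // release the container's own temporary copy

        resp.setContentType("text/plain");
        resp.getWriter().println("stored " + displayName + " as " + stored.getName());
    }

    // Minimal Content-Disposition parser; the quoted post used JavaMail's ContentDisposition instead.
    static String clientFilename(String contentDisposition) {
        if (contentDisposition == null) return null;
        Matcher m = FILENAME.matcher(contentDisposition);
        if (!m.find()) return null;
        return m.group(1) != null ? m.group(1) : m.group(2);
    }

    // Reduce the client name to something safe to echo and log; it is still never used as a path.
    static String sanitizeForDisplay(String name) {
        if (name == null) return "upload";
        // Some browsers send a full client-side path: keep only the last component, either separator.
        String base = name.substring(Math.max(name.lastIndexOf('/'), name.lastIndexOf('\\')) + 1);
        base = base.replaceAll("[^A-Za-z0-9._-]", "_");
        if (base.length() > 100) base = base.substring(0, 100);
        int dot = base.indexOf('.');
        String stem = dot < 0 ? base : base.substring(0, dot);
        if (base.isEmpty() || base.startsWith(".")
                || WIN32_RESERVED.contains(stem.toUpperCase(Locale.ROOT))) {
            base = "_" + base;
        }
        return base;
    }

    // Storage name: "up-<session key>-<64 random bits>-<createTempFile's own random part>.bin".
    // The session id is hashed rather than written out, so the session token never lands in a file name.
    static File storageFile(HttpServletRequest req) throws IOException {
        String sessionKey = Integer.toHexString(req.getSession(true).getId().hashCode());
        String prefix = "up-" + sessionKey + "-" + Long.toHexString(RANDOM.nextLong()) + "-";
        if (!UPLOAD_DIR.isDirectory() && !UPLOAD_DIR.mkdirs()) {
            throw new IOException("cannot create " + UPLOAD_DIR);
        }
        return File.createTempFile(prefix, ".bin", UPLOAD_DIR);
    }
}
```

createTempFile both generates the final random component and creates the file with O_EXCL-style semantics, so two uploads can never race onto the same path; the SecureRandom and session-derived parts are there so that even a predictable temp-file counter (the performance cost Chris mentions comes from that creation loop) does not let one client guess or overwrite another client's file. If the original name must be kept, store the sanitized display name in a database column next to the generated storage name rather than on the filesystem.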

