Posted to user@commons.apache.org by Howard Lin <xu...@gmail.com> on 2004/12/16 17:47:51 UTC

Re: invalid file path

I guess probably you are using the file name from item.getName() to
create a File and pass it to write. The file name may contain client
machine path. For example, you will get c:/test.java instead of
test.java if the user types c:/test.java. So what I do is always strip
path from the file name. Hope this helps.

Howard  

On Wed, 15 Dec 2004 18:25:44 -0800 (PST), Joe Smith <ap...@yahoo.com> wrote:
> 
> I am using common file upload API in the java program, and it is able to upload any files except the user tries to enter the backslash, or double slashes (//) in the browse file text box, not using browse button. For example, C:/test.java will produce the following error. But if I do C:\test.java, then it's perfect.
> 
> A file or directory in the path name does not exist.) at java.io.FileOutputStream.open(Native Method) at java.io.FileOutputStream.<init>(FileOutputStream.java(Compiled Code)) at java.io.FileOutputStream.<init>(FileOutputStream.java(Inlined Compiled Code)) at org.apache.commons.fileupload.DefaultFileItem.write(DefaultFileItem.java(Compiled Code))
> 
> so the only workaround is to implement javascript myself? Maybe common file upload doesn't take care of those cases.
> 
> please advise. thanks
> 
> 

---------------------------------------------------------------------
To unsubscribe, e-mail: commons-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: commons-user-help@jakarta.apache.org


Re: invalid file path

Posted by Martin Cooper <mf...@gmail.com>.
On Fri, 17 Dec 2004 11:12:58 -0800 (PST), Joe Smith <ap...@yahoo.com> wrote:
> Howard,
> 
> yes, I am using item.getName(), so when I do the upload, I should create the file without the path, just the file name only, and it will append that file as HTTP request? Like you said, I should use test.java, instead of C:\test.java, or C:/test.java? Is that the point here? please advise more. thanks
> 

You definitely should never be trying to store a file on the server
using a path provided by the client. That is a recipe for disaster.
Just imagine the consequences of a user uploading a critical system
file that would then be clobbered on the server.

If you need to preserve the original name of the file itself, you
should strip the path off the front of the file name first. (Note that
not all browsers provide the path - some only provide the base file
name in the first place, which is much more sane and secure.) However,
I would recommend that you not try to use the name of the file in the
server file system, and just keep that information around as metadata
if you need it.

--
Martin Cooper
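
The approach recommended above, as an added example that is not part of the original message or of Commons FileUpload: the upload is written under a name the server generates, and the client's name is kept only as metadata. The names UploadStore and StoredUpload and the temporary directory are assumptions; in a servlet the stream would come from FileItem.getInputStream() and the name from FileItem.getName().

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.UUID;

// Added illustration: UploadStore and StoredUpload are hypothetical names.
public class UploadStore {

    /** What the application records about one upload. */
    public static final class StoredUpload {
        public final Path storedPath;    // chosen by the server
        public final String clientName;  // untrusted; kept as metadata only

        StoredUpload(Path storedPath, String clientName) {
            this.storedPath = storedPath;
            this.clientName = clientName;
        }
    }

    private final Path uploadDir;

    public UploadStore(Path uploadDir) throws IOException {
        this.uploadDir = Files.createDirectories(uploadDir).toRealPath();
    }

    public StoredUpload store(InputStream content, String clientName) throws IOException {
        // The on-disk name is generated here; no part of the request ends up in the path.
        Path target = uploadDir.resolve(UUID.randomUUID() + ".upload");
        // Without REPLACE_EXISTING, Files.copy fails instead of overwriting a file.
        Files.copy(content, target);
        return new StoredUpload(target, clientName);
    }

    public static void main(String[] args) throws IOException {
        UploadStore store = new UploadStore(Files.createTempDirectory("uploads"));
        // Constructed sample names, in the forms discussed in this thread.
        String[] names = { "test.java", "C:/test.java", "c:\\windows\\myfile.txt" };
        for (String name : names) {
            InputStream body = new ByteArrayInputStream("demo".getBytes(StandardCharsets.UTF_8));
            StoredUpload u = store.store(body, name);
            System.out.println(name + " -> " + u.storedPath.getFileName());
        }
    }
}
```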




RE: invalid file path

Posted by Chuck & Danielle Slate <dc...@comcast.net>.
Thanks, Wade.  That did the trick!





Chuck




Re: invalid file path

Posted by Wade Chandler <wc...@redesetgrow.com>.

You can just do this.....

java.io.File f = new java.io.File(fileNameString);
fileNameString = f.getName();

I think the File class will handle that bit of code no matter what os 
and file name.  The name will be returned with only the last name in the 
path name.  The path parsing code works on all platforms the same way as 
you can use \\ and / in the file names on any OS in java and it will 
convert them correctly.  You can check the java docs if you'd like, but 
that will do it for you without any extra code.  Simple enough...two 
lines....try it out.

Wade
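
An added example, not part of the original message: java.io.File splits a name only on the separators of the platform the JVM runs on, so on a Unix server new File("c:\\windows\\myfile.txt").getName() returns the whole string unchanged. The hypothetical helper ClientFileName.baseName below cuts at the last / or \ on any platform and rejects what cannot be used as a plain file name; the sample names are constructed.

```java
import java.io.File;

// Added illustration: ClientFileName is a hypothetical helper, not a FileUpload API.
public class ClientFileName {

    /** Returns the last path component of a client-supplied name, on any server OS. */
    public static String baseName(String clientName) {
        if (clientName == null) {
            throw new IllegalArgumentException("no file name supplied");
        }
        // Cut after the last separator of either style, whatever the server platform.
        int cut = Math.max(clientName.lastIndexOf('/'), clientName.lastIndexOf('\\'));
        String name = clientName.substring(cut + 1).trim();
        // Reject a remainder that is empty, a directory reference, or that
        // still carries a NUL or a drive/stream colon.
        if (name.isEmpty() || name.equals(".") || name.equals("..")
                || name.indexOf('\0') >= 0 || name.indexOf(':') >= 0) {
            throw new IllegalArgumentException("unusable file name");
        }
        return name;
    }

    public static void main(String[] args) {
        String[] samples = {   // constructed sample inputs
            "test.java", "C:/test.java", "c:\\windows\\myfile.txt",
            "/home/user/notes.txt", "..\\..\\myfile.txt", "C:test.java",
            "C:\\dir\\", ".."
        };
        for (String s : samples) {
            String viaFile = new File(s).getName();   // result depends on the server's OS
            String viaHelper;
            try {
                viaHelper = baseName(s);
            } catch (IllegalArgumentException e) {
                viaHelper = "<rejected: " + e.getMessage() + ">";
            }
            System.out.printf("%-26s File.getName()=%-26s baseName()=%s%n",
                    s, viaFile, viaHelper);
        }
    }
}
```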




RE: invalid file path

Posted by Chuck & Danielle Slate <dc...@comcast.net>.
Hi Joe.

I think I had the same issue as Howard is mentioning.  Specifically,
FileUpload parses requests that adhere to the RFC 1867.  The problem is that
while RFC 1867 recommends a browser include the filename it is sending,
which is why you can use getFileName(), it doesn't specify whether or not
the browser should include just the filename or the filename and the path to
it on the local file system.  As a result, some browsers only include the
actual file name, e.g., myfile.txt, in which case you won't run into the
issue you are seeing.  Other browsers, however, IE and Opera, include the
entire path, e.g., c:\windows\myfile.txt.

So assume the original filename (on the client file system) was indeed
c:\windows\myfile.txt and you instructed FileUpload to use /var/uploads/ as
its target directory when writing the file.  If the sending browser is IE,
FileUpload will actually attempt to write the file to
/var/uploads/c:\windows\myfile.txt, which is of course going to cause an
exception.

Below is a snippet of some string manipulation I did to look for and strip
off everything but the file name.  There may be a better way, but it worked
for me.  I hope it is helpful:


	private final String DESTINATIONDIR = "c:\\uploads\\";

				...

				FileItem fi = (FileItem)iter.next();
				String origFileName = fi.getName();

				// Error if an attempt to upload a blank filename was made
				// (null is tested first so that trim() is never called on null)
				if(origFileName == null || origFileName.trim().length() < 1)
				{
					throw new Exception("The filename was not specified.");
				}

				// String to be used once the original file name has been verified
				String normalizedFileName = origFileName.trim();

				// Check to see if a Windows browser passed in the entire path (looking for a colon in the file name)
				// If so, remove the path information - leaving just the file name
				if (normalizedFileName.indexOf(":") != -1)
				{
					int charValue = normalizedFileName.lastIndexOf("\\");
					normalizedFileName = normalizedFileName.substring(charValue+1);
				}
				// Check to see if a UNIX browser passed in the entire path (instead of just the file name)
				// If so, remove the path information - leaving just the file name
				if (normalizedFileName.indexOf("/") != -1)
				{
					int charValue = normalizedFileName.lastIndexOf("/");
					normalizedFileName = normalizedFileName.substring(charValue+1);
				}
				// Define the destination location and name for the new file and create it
				String destinationFileName = DESTINATIONDIR+normalizedFileName;
				File uploadedFile = new File(destinationFileName);

				// Write the new file to its destination location
				fi.write(uploadedFile);


Chuck








Re: invalid file path

Posted by Joe Smith <ap...@yahoo.com>.
Howard,
 
yes, I am using item.getName(), so when I do the upload, I should create the file without the path, just the file name only, and it will append that file as HTTP request? Like you said, I should use test.java, instead of C:\test.java, or C:/test.java? Is that the point here? please advise more. thanks

