Posted to dev@commons.apache.org by "Sebastian Beigel (JIRA)" <ji...@apache.org> on 2006/12/13 16:34:21 UTC

[jira] Created: (FILEUPLOAD-122) Filename may contain a full path

Filename may contain a full path
--------------------------------

                 Key: FILEUPLOAD-122
                 URL: http://issues.apache.org/jira/browse/FILEUPLOAD-122
             Project: Commons FileUpload
          Issue Type: Bug
    Affects Versions: 1.1.1
            Reporter: Sebastian Beigel
            Priority: Blocker


The filename extracted from the content disposition may contain a full path (e.g. as submitted by Internet Explorer).

It is important to check for this and strip the path information accordingly, as the upload fails if you use FileItem#getName() to build your destination path.

I patched the abstract class FileUploadBase#getFileName(...) with a few lines of code inspired by COS' MultiPartParser :)

Starting on line 447 (after fileName = fileName.trim(); )

    // The filename may contain a full path.  Cut to just the filename.
    int slash = Math.max(fileName.lastIndexOf('/'), fileName.lastIndexOf('\\')); // check for Unix AND Win separator
    if (slash > -1) {
        fileName = fileName.substring(slash + 1);  // past last slash
    }



-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

---------------------------------------------------------------------
To unsubscribe, e-mail: commons-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: commons-dev-help@jakarta.apache.org


[jira] Resolved: (FILEUPLOAD-122) Filename may contain a full path

Posted by "Jochen Wiedmann (JIRA)" <ji...@apache.org>.
     [ http://issues.apache.org/jira/browse/FILEUPLOAD-122?page=all ]

Jochen Wiedmann resolved FILEUPLOAD-122.
----------------------------------------

    Resolution: Invalid

I was initially thinking that the request made some sense, but after reading the various comments in this bug as well as FILEUPLOAD-17 (or FILEUPLOAD-68 for that matter), I do wholeheartedly agree with the current behaviour to leave the filename as it is sent by the browser. If the user actually wants to remove preceding path components then he can do so quite easily. The converse wouldn't be true, if we'd attempt to "sanitize" the name.

As this topic has been discussed now in at least three cases and all developers agree on it, I am closing the bug.





[jira] Commented: (FILEUPLOAD-122) Filename may contain a full path

Posted by "Henri Yandell (JIRA)" <ji...@apache.org>.
    [ http://issues.apache.org/jira/browse/FILEUPLOAD-122?page=comments#action_12458179 ] 
            
Henri Yandell commented on FILEUPLOAD-122:
------------------------------------------

Gotta watch the licensing on COS' multiparser too.




[jira] Commented: (FILEUPLOAD-122) Filename may contain a full path

Posted by "Henri Yandell (JIRA)" <ji...@apache.org>.
    [ http://issues.apache.org/jira/browse/FILEUPLOAD-122?page=comments#action_12458549 ] 
            
Henri Yandell commented on FILEUPLOAD-122:
------------------------------------------

See:

http://jakarta.apache.org/commons/fileupload/faq.html#whole-path-from-IE

Though the need to check Windows and Unix separators is a good one and FilenameUtils probably doesn't (as it expects to be run client side). So the FAQ example needs an upgrade.

Even if that part is inspired by COS, it's a trivial piece of code.




[jira] Commented: (FILEUPLOAD-122) Filename may contain a full path

Posted by "Martin Cooper (JIRA)" <ji...@apache.org>.
    [ http://issues.apache.org/jira/browse/FILEUPLOAD-122?page=comments#action_12458552 ] 
            
Martin Cooper commented on FILEUPLOAD-122:
------------------------------------------

From the Javadocs for FilenameUtils.getName:

"This method will handle a file in either Unix or Windows format."

It does this regardless of which OS it is running on. I checked this before adding the FAQ item. :-)


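The thread settles on leaving the name exactly as the browser sent it and having the application strip the path itself, with Commons IO's FilenameUtils.getName covering both separators regardless of server OS. The block below is an added example of that application-side step, not code from Commons FileUpload, Commons IO or any poster in this thread. It does what the reporter's snippet does (cut at the last '/' or '\') and then handles what a bare basename does not: "." and "..", an empty result, a NUL byte, a leading dot, and a final check that the resolved path stayed inside the upload directory. The class and method names (UploadNameSanitizer, baseName, safeStoreName, resolveInside), the directory /var/www/uploads and the sample names are assumptions constructed for the illustration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

/**
 * Server-side sanitising of a browser-supplied upload filename.
 * Added example, not part of Commons FileUpload; the names used here
 * (UploadNameSanitizer, baseName, safeStoreName, resolveInside) are assumptions.
 */
public final class UploadNameSanitizer {

    /** Conservative allow-list for stored names; anything else becomes '_'. */
    private static final Pattern DISALLOWED = Pattern.compile("[^A-Za-z0-9._-]");
    private static final int MAX_LEN = 200;

    /**
     * Strip any leading directory components, treating both '/' and '\\' as
     * separators whatever OS the server runs on. Same idea as Commons IO's
     * FilenameUtils.getName(), reimplemented so this example needs only the JDK.
     */
    static String baseName(String name) {
        if (name == null) {
            return "";
        }
        int slash = Math.max(name.lastIndexOf('/'), name.lastIndexOf('\\'));
        return slash > -1 ? name.substring(slash + 1) : name;
    }

    /** Turn the raw FileItem#getName() value into a name safe to join to a fixed upload directory. */
    static String safeStoreName(String browserName) {
        String base = baseName(browserName).trim();
        // A NUL byte is silently truncated by some native file APIs: reject rather than clean.
        if (base.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("NUL byte in filename");
        }
        // "." and ".." survive baseName (e.g. "dir/.." -> "..") and are not files.
        if (base.isEmpty() || base.equals(".") || base.equals("..")) {
            throw new IllegalArgumentException("no usable filename component");
        }
        String cleaned = DISALLOWED.matcher(base).replaceAll("_");
        // Drop leading dots so an upload cannot create a hidden file such as ".htaccess".
        cleaned = cleaned.replaceFirst("^\\.+", "");
        if (cleaned.isEmpty()) {
            throw new IllegalArgumentException("filename reduced to nothing");
        }
        if (cleaned.length() > MAX_LEN) {
            // Keep the tail so the extension survives truncation.
            cleaned = cleaned.substring(cleaned.length() - MAX_LEN);
        }
        return cleaned;
    }

    /** Join to the upload directory and verify the normalised result is still inside it. */
    static Path resolveInside(Path uploadDir, String storeName) {
        Path root = uploadDir.toAbsolutePath().normalize();
        Path target = root.resolve(storeName).normalize();
        if (!target.startsWith(root) || target.equals(root)) {
            throw new IllegalArgumentException("resolved outside upload directory: " + target);
        }
        return target;
    }

    public static void main(String[] args) {
        // Constructed samples: IE-style full Windows path, Unix path, traversal, bare "..", dotfile, plain name.
        String[] samples = {
            "C:\\Documents and Settings\\alice\\My Documents\\report.doc",
            "/home/alice/report.doc",
            "../../../etc/passwd",
            "uploads/..",
            ".htaccess",
            "report.doc",
        };
        Path uploadDir = Paths.get("/var/www/uploads"); // hypothetical upload root
        for (String s : samples) {
            try {
                String safe = safeStoreName(s);
                System.out.println(s + " -> " + resolveInside(uploadDir, safe));
            } catch (IllegalArgumentException e) {
                System.out.println(s + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

In an application that already depends on Commons IO, FilenameUtils.getName(name) gives the same first step as baseName here. The later checks are the ones the reporter's snippet leaves to the caller: a basename alone still yields ".." for "uploads/..", an empty string for a name that was only a path, and a dotfile name unchanged, and the resolve-then-verify step in resolveInside catches anything the allow-list did not anticipate.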