Posted to dev@tomcat.apache.org by ma...@apache.org on 2016/03/05 19:27:53 UTC
svn commit: r1733751 - in /tomcat/trunk/java/org/apache:
catalina/core/ApplicationPart.java tomcat/util/http/parser/HttpParser.java
Author: markt
Date: Sat Mar 5 18:27:53 2016
New Revision: 1733751
URL: http://svn.apache.org/viewvc?rev=1733751&view=rev
Log:
Update filename processing after review of RFC 6266
Modified:
tomcat/trunk/java/org/apache/catalina/core/ApplicationPart.java
tomcat/trunk/java/org/apache/tomcat/util/http/parser/HttpParser.java
Modified: tomcat/trunk/java/org/apache/catalina/core/ApplicationPart.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/core/ApplicationPart.java?rev=1733751&r1=1733750&r2=1733751&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/core/ApplicationPart.java (original)
+++ tomcat/trunk/java/org/apache/catalina/core/ApplicationPart.java Sat Mar 5 18:27:53 2016
@@ -32,6 +32,7 @@ import javax.servlet.http.Part;
import org.apache.tomcat.util.http.fileupload.FileItem;
import org.apache.tomcat.util.http.fileupload.ParameterParser;
import org.apache.tomcat.util.http.fileupload.disk.DiskFileItem;
+import org.apache.tomcat.util.http.parser.HttpParser;
/**
* Adaptor to allow {@link FileItem} objects generated by the package renamed
@@ -139,16 +140,20 @@ public class ApplicationPart implements
ParameterParser paramParser = new ParameterParser();
paramParser.setLowerCaseNames(true);
// Parameter parser can handle null input
- Map<String,String> params =
- paramParser.parse(cd, ';');
+ Map<String,String> params = paramParser.parse(cd, ';');
if (params.containsKey("filename")) {
fileName = params.get("filename");
+ // The parser will remove surrounding '"' but will not
+ // unquote any \x sequences.
if (fileName != null) {
- // This is a token or a quoted-string. If it is a token,
- // there won't be any '\' characters. If it is a
- // quoted-string it can be dequoted by removing the '\'
- // characters.
- fileName = fileName.trim().replaceAll("\\\\", "");
+ // RFC 6266. This is either a token or a quoted-string
+ if (fileName.indexOf('\\') > -1) {
+ // This is a quoted-string
+ fileName = HttpParser.unquote(fileName.trim());
+ } else {
+ // This is a token
+ fileName = fileName.trim();
+ }
} else {
// Even if there is no value, the parameter is present,
// so we return an empty file name rather than no file
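Review bot: The unquoted `fileName` is still entirely client-controlled, and nothing in this block says so. Once `HttpParser.unquote(...)` has turned `\x` sequences into literal characters the value can hold `/`, `..` or other characters that mean something in a path, and the token branch passes the value through with only `trim()`. I would add a comment above the `if (fileName.indexOf('\\') > -1)` test, for example `// Client-supplied value, not validated here: callers must not use it as a path without sanitising it`. Presumably `cd` is the part's Content-Disposition header; the enclosing method starts and ends outside this hunk, so that should be confirmed there.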
Modified: tomcat/trunk/java/org/apache/tomcat/util/http/parser/HttpParser.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/http/parser/HttpParser.java?rev=1733751&r1=1733750&r2=1733751&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/http/parser/HttpParser.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/http/parser/HttpParser.java Sat Mar 5 18:27:53 2016
@@ -62,12 +62,24 @@ public class HttpParser {
}
public static String unquote(String input) {
- if (input == null || input.length() < 2 || input.charAt(0) != '"') {
+ if (input == null || input.length() < 2) {
return input;
}
+ int start;
+ int end;
+
+ // Skip surrounding quotes if there are any
+ if (input.charAt(0) == '"') {
+ start = 1;
+ end = input.length() - 1;
+ } else {
+ start = 0;
+ end = input.length();
+ }
+
StringBuilder result = new StringBuilder();
- for (int i = 1 ; i < (input.length() - 1); i++) {
+ for (int i = start ; i < end; i++) {
char c = input.charAt(i);
if (input.charAt(i) == '\\') {
i++;
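Review bot: With the leading-quote requirement removed, an input that has no surrounding quotes and ends in a backslash now runs the loop up to `end = input.length()`, so the `i++` after the backslash test can leave `i` equal to `end`. If the next line (outside this hunk) reads `input.charAt(i)`, that is a StringIndexOutOfBoundsException reachable from the filename handling in ApplicationPart, where the value comes from the request. A guard directly after the increment, such as `if (i == end) { return null; }`, would close it; appending the lone backslash instead is the alternative if callers expect a non-null result. The loop body continues past the end of the hunk, so check this against the full method.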