You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@struts.apache.org by "Stephan Schroeder (JIRA)" <ji...@apache.org> on 2008/03/19 11:41:58 UTC
[jira] Updated: (WW-2557) FileUploadInterceptor allows forbidden
files when passed with allowed files
[ https://issues.apache.org/struts/browse/WW-2557?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Stephan Schroeder updated WW-2557:
----------------------------------
Description:
Summary: If you set the "allowedTypes" parameter of FileUploadInterceptor for example to "image/jpeg" and upload a jpg file and a gif file whit the same form name
(e.g.:
<@s.form action="photoupload" method="post" enctype="multipart/form-data">
<@s.file name="photos" label="Pictured 1"/>
<@s.file name="photos" label="Pictured 2"/>
<@s.submit/>
</...@s.form>)
than the gif file will be accepted too.
this is some code from the uptodate SVN repository of FileUploadInterceptor
(http://svn.apache.org/viewvc/struts/struts2/trunk/core/src/main/java/org/apache/struts2/interceptor/FileUploadInterceptor.java?revision=615436&view=markup)
<code>
1 File[] files = multiWrapper.getFiles(inputName);
2 if (files != null) {
3 for (int index = 0; index < files.length; index++) {
4 if (acceptFile(files[index], contentType[index], inputName, validation, ac.getLocale())){
5 parameters.put(inputName, files);
6 parameters.put(inputName + "ContentType", contentType);
7 parameters.put(inputName + "FileName", fileName);
8 }
9 }
10}
</code>
Bug 1) as you can see in line 4 and 5 as soon as one file is accepted the whole array is added to parameters which of course means even the files which haven't been accepted themselfs.
Improvement 1) in line 6 and 7 static string concatenations are done within a loop. This should move out of the loop.
Here is my proposal for a fix for both issues:
<code>
File[] files = multiWrapper.getFiles(inputName);
if (files != null) {
ArrayList acceptedFiles = new ArrayList( files.length() );
ArrayList acceptedContentTypes = new ArrayList( files.length() );
ArrayList acceptedFileNames = new ArrayList( files.length() );
String contentTypeName = inputName + "ContentType";
String fileNameName = inputName + "FileName";
for (int index = 0; index < files.length; index++) {
if (acceptFile(files[index], contentType[index], inputName, validation, ac.getLocale())){
acceptedFiles.add( files[index] );
acceptedContentTypes.add( contentType[index] );
acceptedFileNames.add( fileName[index] );
}
}
if( acceptedFiles.size()!=0 ) {
parameters.put(inputName, acceptedFiles.toArray());
parameters.put(contentTypeName, acceptedContentTypes.toArray());
parameters.put(fileNameName, acceptedFileNames.toArray());
}
}
</code>
was:
this is some code from the uptodate SVN repository of FileUploadInterceptor
(http://svn.apache.org/viewvc/struts/struts2/trunk/core/src/main/java/org/apache/struts2/interceptor/FileUploadInterceptor.java?revision=615436&view=markup)
<code>
1 File[] files = multiWrapper.getFiles(inputName);
2 if (files != null) {
3 for (int index = 0; index < files.length; index++) {
4 if (acceptFile(files[index], contentType[index], inputName, validation, ac.getLocale())){
5 parameters.put(inputName, files);
6 parameters.put(inputName + "ContentType", contentType);
7 parameters.put(inputName + "FileName", fileName);
8 }
9 }
10}
</code>
Bug 1) as you can see in line 4 and 5 as soon as one file is accepted the whole array is added to parameters which of course means even the files which haven't been accepted themselfs.
Improvement 1) in line 6 and 7 static string concatenations are done within a loop. This should move out of the loop.
Here is my proposal for a fix for both issues:
<code>
File[] files = multiWrapper.getFiles(inputName);
if (files != null) {
ArrayList acceptedFiles = new ArrayList( files.length() );
ArrayList acceptedContentTypes = new ArrayList( files.length() );
ArrayList acceptedFileNames = new ArrayList( files.length() );
String contentTypeName = inputName + "ContentType";
String fileNameName = inputName + "FileName";
for (int index = 0; index < files.length; index++) {
if (acceptFile(files[index], contentType[index], inputName, validation, ac.getLocale())){
acceptedFiles.add( files[index] );
acceptedContentTypes.add( contentType[index] );
acceptedFileNames.add( fileName[index] );
}
}
if( acceptedFiles.size()!=0 ) {
parameters.put(inputName, acceptedFiles.toArray());
parameters.put(contentTypeName, acceptedContentTypes.toArray());
parameters.put(fileNameName, acceptedFileNames.toArray());
}
}
</code>
Affects Version/s: (was: 2.1.0)
2.0.11
> FileUploadInterceptor allows forbidden files when passed with allowed files
> ---------------------------------------------------------------------------
>
> Key: WW-2557
> URL: https://issues.apache.org/struts/browse/WW-2557
> Project: Struts 2
> Issue Type: Bug
> Components: Core Interceptors
> Affects Versions: 2.0.11
> Environment: Windows Vista
> Reporter: Stephan Schroeder
>
> Summary: If you set the "allowedTypes" parameter of FileUploadInterceptor for example to "image/jpeg" and upload a jpg file and a gif file whit the same form name
> (e.g.:
> <@s.form action="photoupload" method="post" enctype="multipart/form-data">
> <@s.file name="photos" label="Pictured 1"/>
> <@s.file name="photos" label="Pictured 2"/>
> <@s.submit/>
> </...@s.form>)
> than the gif file will be accepted too.
> this is some code from the uptodate SVN repository of FileUploadInterceptor
> (http://svn.apache.org/viewvc/struts/struts2/trunk/core/src/main/java/org/apache/struts2/interceptor/FileUploadInterceptor.java?revision=615436&view=markup)
> <code>
> 1 File[] files = multiWrapper.getFiles(inputName);
> 2 if (files != null) {
> 3 for (int index = 0; index < files.length; index++) {
> 4 if (acceptFile(files[index], contentType[index], inputName, validation, ac.getLocale())){
> 5 parameters.put(inputName, files);
> 6 parameters.put(inputName + "ContentType", contentType);
> 7 parameters.put(inputName + "FileName", fileName);
> 8 }
> 9 }
> 10}
> </code>
> Bug 1) as you can see in line 4 and 5 as soon as one file is accepted the whole array is added to parameters which of course means even the files which haven't been accepted themselfs.
> Improvement 1) in line 6 and 7 static string concatenations are done within a loop. This should move out of the loop.
> Here is my proposal for a fix for both issues:
> <code>
> File[] files = multiWrapper.getFiles(inputName);
> if (files != null) {
> ArrayList acceptedFiles = new ArrayList( files.length() );
> ArrayList acceptedContentTypes = new ArrayList( files.length() );
> ArrayList acceptedFileNames = new ArrayList( files.length() );
> String contentTypeName = inputName + "ContentType";
> String fileNameName = inputName + "FileName";
> for (int index = 0; index < files.length; index++) {
> if (acceptFile(files[index], contentType[index], inputName, validation, ac.getLocale())){
> acceptedFiles.add( files[index] );
> acceptedContentTypes.add( contentType[index] );
> acceptedFileNames.add( fileName[index] );
> }
> }
> if( acceptedFiles.size()!=0 ) {
> parameters.put(inputName, acceptedFiles.toArray());
> parameters.put(contentTypeName, acceptedContentTypes.toArray());
> parameters.put(fileNameName, acceptedFileNames.toArray());
> }
> }
> </code>
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.