Author: markt Date: Fri Mar 15 10:57:08 2013 New Revision: 1456885 URL: http://svn.apache.org/r1456885 Log: Merge updates from Commons FileUpload to r1453285
Modified: tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/ (props changed) tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/FileItem.java tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/FileItemHeaders.java tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/FileItemHeadersSupport.java tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/RequestContext.java tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/disk/DiskFileItem.java tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/disk/DiskFileItemFactory.java tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/servlet/ServletRequestContext.java tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/util/FileItemHeadersImpl.java Propchange: tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/ ------------------------------------------------------------------------------ Merged /commons/proper/fileupload/trunk/src/main/java/org/apache/commons/fileupload:r1453231-1453285 Modified: tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/FileItem.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/FileItem.java?rev=1456885&r1=1456884&r2=1456885&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/FileItem.java (original) +++ tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/FileItem.java Fri Mar 15 10:57:08 2013 
@@ -49,6 +49,7 @@ import java.io.UnsupportedEncodingExcept * @author <a href="mailto:mart...@apache.org">Martin Cooper</a> * * @version $Id$ + * @since 1.3 additionally implements FileItemHeadersSupport */ public interface FileItem extends Serializable, FileItemHeadersSupport { Modified: tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/FileItemHeaders.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/FileItemHeaders.java?rev=1456885&r1=1456884&r2=1456885&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/FileItemHeaders.java (original) +++ tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/FileItemHeaders.java Fri Mar 15 10:57:08 2013 @@ -24,7 +24,7 @@ import java.util.Iterator; * request.</p> * * @author Michael C. Macaluso - * @since 1.3 + * @since 1.2.1 */ public interface FileItemHeaders { @@ -71,4 +71,5 @@ public interface FileItemHeaders { * any headers return an empty <code>Iterator</code> */ Iterator<String> getHeaderNames(); + } Modified: tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/FileItemHeadersSupport.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/FileItemHeadersSupport.java?rev=1456885&r1=1456884&r2=1456885&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/FileItemHeadersSupport.java (original) +++ tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/FileItemHeadersSupport.java Fri Mar 15 10:57:08 2013 @@ -21,7 +21,7 @@ package org.apache.tomcat.util.http.file * implementations will accept the headers read for the item. * * @author Michael C. Macaluso - * @since 1.3 + * @since 1.2.1 * * @see FileItem * @see FileItemStream 
@@ -45,4 +45,5 @@ public interface FileItemHeadersSupport * for this instance. */ void setHeaders(FileItemHeaders headers); + } Modified: tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java?rev=1456885&r1=1456884&r2=1456885&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java (original) +++ tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java Fri Mar 15 10:57:08 2013 @@ -321,8 +321,8 @@ public abstract class FileUploadBase { throw (FileUploadException) e.getCause(); } catch (IOException e) { throw new IOFileUploadException( - "Processing of " + MULTIPART_FORM_DATA - + " request failed. " + e.getMessage(), e); + String.format("Processing of %s request failed. ", + MULTIPART_FORM_DATA, e.getMessage()), e); } if (fileItem instanceof FileItemHeadersSupport) { final FileItemHeaders fih = item.getHeaders(); @@ -476,7 +476,7 @@ public abstract class FileUploadBase { if (start == end) { break; } - String header = headerPart.substring(start, end); + StringBuilder header = new StringBuilder(headerPart.substring(start, end)); start = end + 2; while (start < len) { int nonWs = start; @@ -492,10 +492,10 @@ public abstract class FileUploadBase { } // Continuation line found end = parseEndOfLine(headerPart, nonWs); - header += " " + headerPart.substring(nonWs, end); + header.append(" ").append(headerPart.substring(nonWs, end)); start = end + 2; } - parseHeaderLine(headers, header); + parseHeaderLine(headers, header.toString()); } return headers; } 
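Review bot: In the FileUploadBase hunk at -321, the new `String.format("Processing of %s request failed. ", MULTIPART_FORM_DATA, e.getMessage())` has one `%s` for two arguments, so `e.getMessage()` is silently dropped and the message loses the IOException detail that the removed concatenation included. The format string should read `"Processing of %s request failed. %s"`. The cause is still passed to IOFileUploadException, so only the message text is affected. The enclosing method starts and ends outside this hunk.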
@@ -601,12 +601,10 @@ public abstract class FileUploadBase { if (pContentLength != -1 && pContentLength > fileSizeMax) { FileSizeLimitExceededException e = - new FileSizeLimitExceededException( - "The field " + fieldName - + " exceeds its maximum permitted " - + " size of " + fileSizeMax - + " bytes.", - pContentLength, fileSizeMax); + new FileSizeLimitExceededException(String.format( + "The field %s exceeds its maximum permitted size of %s bytes.", + fieldName, Long.valueOf(fileSizeMax)), + pContentLength, fileSizeMax); e.setFileName(pName); e.setFieldName(pFieldName); throw new FileUploadIOException(e); @@ -617,12 +615,10 @@ public abstract class FileUploadBase { throws IOException { itemStream.close(true); FileSizeLimitExceededException e = - new FileSizeLimitExceededException( - "The field " + fieldName - + " exceeds its maximum permitted " - + " size of " + pSizeMax - + " bytes.", - pCount, pSizeMax); + new FileSizeLimitExceededException(String.format( + "The field %s exceeds its maximum permitted size of %s bytes.", + fieldName, Long.valueOf(pSizeMax)), + pCount, pSizeMax); e.setFieldName(fieldName); e.setFileName(name); throw new FileUploadIOException(e); 
@@ -768,41 +764,34 @@ public abstract class FileUploadBase { String contentType = ctx.getContentType(); if ((null == contentType) || (!contentType.toLowerCase(Locale.ENGLISH).startsWith(MULTIPART))) { - throw new InvalidContentTypeException( - "the request doesn't contain a " - + MULTIPART_FORM_DATA - + " or " - + MULTIPART_MIXED - + " stream, content type header is " - + contentType); + throw new InvalidContentTypeException(String.format( + "the request doesn't contain a %s or %s stream, content type header is %s", + MULTIPART_FORM_DATA, MULTIPART_FORM_DATA, contentType)); } InputStream input = ctx.getInputStream(); if (sizeMax >= 0) { - int requestSize = ctx.getContentLength(); + long requestSize = ctx.contentLength(); if (requestSize == -1) { input = new LimitedInputStream(input, sizeMax) { @Override protected void raiseError(long pSizeMax, long pCount) throws IOException { - FileUploadException ex = - new SizeLimitExceededException( - "the request was rejected because" - + " its size (" + pCount - + ") exceeds the configured maximum" - + " (" + pSizeMax + ")", + FileUploadException ex = new SizeLimitExceededException(String.format( + "the request was rejected because its size (%s) exceeds the configured maximum (%s)", + Long.valueOf(pCount), + Long.valueOf(pSizeMax)), pCount, pSizeMax); throw new FileUploadIOException(ex); } }; } else { if (sizeMax >= 0 && requestSize > sizeMax) { - throw new SizeLimitExceededException( - "the request was rejected because its size (" - + requestSize - + ") exceeds the configured maximum (" - + sizeMax + ")", + throw new SizeLimitExceededException(String.format( + "the request was rejected because its size (%s) exceeds the configured maximum (%s)", + Long.valueOf(requestSize), + Long.valueOf(sizeMax)), requestSize, sizeMax); } } 
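Review bot: The InvalidContentTypeException message in this hunk passes `MULTIPART_FORM_DATA` twice, where the removed lines used `MULTIPART_MIXED` for the second value; the arguments should be `MULTIPART_FORM_DATA, MULTIPART_MIXED, contentType`. Separately, `long requestSize = ctx.contentLength();` is tested only against -1 before choosing between the LimitedInputStream wrapper and the `requestSize > sizeMax` check; since ServletRequestContext.contentLength() now parses the raw Content-Length header, any other negative value from a malformed header would pass neither branch's limit unless the container rejects such headers first. Guarding with `if (requestSize < 0)` here would keep the size limit enforced regardless of which RequestContext implementation is in use. The enclosing method continues outside this hunk.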
@@ -815,13 +804,11 @@ public abstract class FileUploadBase { boundary = getBoundary(contentType); if (boundary == null) { - throw new FileUploadException( - "the request was rejected because " - + "no multipart boundary was found"); + throw new FileUploadException("the request was rejected because no multipart boundary was found"); } notifier = new MultipartStream.ProgressNotifier(listener, - ctx.getContentLength()); + ctx.contentLength()); multi = new MultipartStream(input, boundary, notifier); multi.setHeaderEncoding(charEncoding); @@ -1060,6 +1047,7 @@ public abstract class FileUploadBase { * Retrieves the actual size of the request. * * @return The actual size of the request. + * @since 1.3 */ public long getActualSize() { return actual; @@ -1069,6 +1057,7 @@ public abstract class FileUploadBase { * Retrieves the permitted size of the request. * * @return The permitted size of the request. + * @since 1.3 */ public long getPermittedSize() { return permitted; Modified: tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java?rev=1456885&r1=1456884&r2=1456885&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java (original) +++ tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java Fri Mar 15 10:57:08 2013 
@@ -474,9 +474,9 @@ public class MultipartStream { throw new MalformedStreamException("Stream ended unexpectedly"); } if (++size > HEADER_PART_SIZE_MAX) { - throw new MalformedStreamException( - "Header section has more than " + HEADER_PART_SIZE_MAX - + " bytes (maybe it is not properly terminated)"); + throw new MalformedStreamException(String.format( + "Header section has more than %s bytes (maybe it is not properly terminated)", + Integer.valueOf(HEADER_PART_SIZE_MAX))); } if (b == HEADER_SEPARATOR[i]) { i++; Modified: tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/RequestContext.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/RequestContext.java?rev=1456885&r1=1456884&r2=1456885&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/RequestContext.java (original) +++ tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/RequestContext.java Fri Mar 15 10:57:08 2013 @@ -50,8 +50,9 @@ public interface RequestContext { * Retrieve the content length of the request. * * @return The content length of the request. + * @since 1.3 */ - int getContentLength(); + long contentLength(); /** * Retrieve the input stream for the request. Modified: tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/disk/DiskFileItem.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/disk/DiskFileItem.java?rev=1456885&r1=1456884&r2=1456885&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/disk/DiskFileItem.java (original) +++ tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/disk/DiskFileItem.java Fri Mar 15 10:57:08 2013 
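Review bot: In the RequestContext hunk, replacing `int getContentLength()` with `long contentLength()` removes a method from a public interface, so any RequestContext implementation outside this tree stops compiling; if that compatibility matters here, keep `getContentLength()` as a `@Deprecated` member and have callers migrate to the new method. The Javadoc of the new method still says only `@return The content length of the request.`, although ServletRequestContext now returns -1 when the header is missing or unparsable and FileUploadBase tests for exactly that value; `@return The content length of the request, or -1 if it is not known.` would state the contract implementors must honour.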
@@ -600,7 +600,7 @@ public class DiskFileItem } String tempFileName = - "upload_" + UID + "_" + getUniqueId() + ".tmp"; + String.format("upload_%s_%s.tmp", UID, getUniqueId()); tempFile = new File(tempDir, tempFileName); } @@ -638,15 +638,9 @@ public class DiskFileItem */ @Override public String toString() { - return "name=" + this.getName() - + ", StoreLocation=" - + String.valueOf(this.getStoreLocation()) - + ", size=" - + this.getSize() - + "bytes, " - + "isFormField=" + isFormField() - + ", FieldName=" - + this.getFieldName(); + return String.format("name=%s, StoreLocation=%s, size=%s bytes, isFormField=%s, FieldName=%s", + getName(), getStoreLocation(), Long.valueOf(getSize()), + Boolean.valueOf(isFormField()), getFieldName()); } // -------------------------------------------------- Serialization methods Modified: tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/disk/DiskFileItemFactory.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/disk/DiskFileItemFactory.java?rev=1456885&r1=1456884&r2=1456885&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/disk/DiskFileItemFactory.java (original) +++ tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/disk/DiskFileItemFactory.java Fri Mar 15 10:57:08 2013 
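Review bot: The temp file name built by `String.format("upload_%s_%s.tmp", UID, getUniqueId())` is predictable (a per-JVM UID plus a counter), which is exactly the property the DiskFileItemFactory Javadoc added in this same commit warns about when the repository is a shared temp directory. `File.createTempFile("upload_" + UID + "_", ".tmp", tempDir)` would create the file atomically with an unpredictable component, but it creates the file immediately, so callers of the enclosing method (which starts outside this hunk) would need checking for any assumption that the file does not yet exist. At minimum, a comment at this line such as `// Name is predictable; see the DiskFileItemFactory Javadoc on choosing a non-shared repository` keeps the caveat next to the code that produces the name.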
@@ -33,12 +33,23 @@ import org.apache.tomcat.util.http.fileu * created.</p> * * <p>If not otherwise configured, the default configuration values are as - * follows: + * follows:</p> * <ul> * <li>Size threshold is 10KB.</li> * <li>Repository is the system default temp directory, as returned by * <code>System.getProperty("java.io.tmpdir")</code>.</li> * </ul> + * <p> + * <b>NOTE</b>: Files are created in the system default temp directory with + * predictable names. This means that a local attacker with write access to that + * directory can perform a TOUTOC attack to replace any uploaded file with a + * file of the attackers choice. The implications of this will depend on how the + * uploaded file is used but could be significant. When using this + * implementation in an environment with local, untrusted users, + * {@link #setRepository(File)} MUST be used to configure a repository location + * that is not publicly writable. In a Servlet container the location identified + * by the ServletContext attribute <code>javax.servlet.context.tempdir</code> + * may be used. * </p> * * <p>Temporary files, which are created for file items, should be Modified: tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/servlet/ServletRequestContext.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/servlet/ServletRequestContext.java?rev=1456885&r1=1456884&r2=1456885&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/servlet/ServletRequestContext.java (original) +++ tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/servlet/ServletRequestContext.java Fri Mar 15 10:57:08 2013 @@ -21,6 +21,7 @@ import java.io.InputStream; import javax.servlet.http.HttpServletRequest; +import org.apache.tomcat.util.http.fileupload.FileUploadBase; import org.apache.tomcat.util.http.fileupload.RequestContext; 
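Review bot: The new NOTE paragraph in the DiskFileItemFactory Javadoc spells the attack class "TOUTOC"; the established abbreviation is "TOCTOU" (time-of-check to time-of-use), and a reader searching for the term will not find this note otherwise. The two lines would read `directory can perform a TOCTOU (time-of-check to time-of-use) attack to replace any uploaded file with a` and `file of the attacker's choice. The implications of this will depend on how the`, which also fixes the missing apostrophe. The recommendation to use `setRepository(File)` with a directory that is not publicly writable is the right mitigation and can stay as written.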
@@ -80,10 +81,17 @@ public class ServletRequestContext imple * Retrieve the content length of the request. * * @return The content length of the request. + * @since 1.3 */ @Override - public int getContentLength() { - return request.getContentLength(); + public long contentLength() { + long size; + try { + size = Long.parseLong(request.getHeader(FileUploadBase.CONTENT_LENGTH)); + } catch (NumberFormatException e) { + size = -1; + } + return size; } /** @@ -106,7 +114,7 @@ public class ServletRequestContext imple @Override public String toString() { return String.format("ContentLength=%s, ContentType=%s", - Integer.valueOf(this.getContentLength()), + Long.valueOf(this.contentLength()), this.getContentType()); } Modified: tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/util/FileItemHeadersImpl.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/util/FileItemHeadersImpl.java?rev=1456885&r1=1456884&r2=1456885&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/util/FileItemHeadersImpl.java (original) +++ tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/util/FileItemHeadersImpl.java Fri Mar 15 10:57:08 2013 @@ -32,7 +32,7 @@ import org.apache.tomcat.util.http.fileu * Default implementation of the {@link FileItemHeaders} interface. * * @author Michael C. Macaluso - * @since 1.3 + * @since 1.2.1 */ public class FileItemHeadersImpl implements FileItemHeaders, Serializable { --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
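Review bot: `contentLength()` maps a missing or unparsable header to -1, but a header that parses to any other negative number is returned as is, and FileUploadBase treats only exactly -1 as "unknown" when deciding whether to wrap the input in a LimitedInputStream. Normalising the result, `return size < 0 ? -1 : size;`, keeps the documented contract and the size limit intact even if the container passes such a header through. Note also that the value now comes from the raw header via `request.getHeader`, which returns only the first Content-Length value if several are present, whereas the removed `request.getContentLength()` returned the container's own interpretation; a short Javadoc sentence explaining why the header is parsed directly (presumably to support bodies larger than Integer.MAX_VALUE) would help the next reader.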