Hi Chris,

> It seems dangerous to allow the client to specify the file name. All
> kinds of bad things can happen such as specifying special file names
> (does "PRN" still work in win32? through Java?) or overwriting files
> from other clients.
>
> I would highly recommend that some portion of the temporary file name
> be completely random, as well as using something keyed on the request
> to disambiguate the file as well.
Did you read my other reply to that thread? ;-)

Of course, I don't use that filename to save that file on the server (I assumed it is completely clear that one wouldn't do this). But I want to use the filename for display purposes.

E.g., I have a web application where the user can upload pictures, combined into a picture gallery (http://bildergalerie.pleier-it.de/ , it is a German site however, using TC 7). On uploading, the server reads the submitted filename and stores it in a field in the corresponding DB entry (without the file ending). Then it generates a filename based on the DB Row-ID (not on the filename) to actually store that image.

When the user visits the site, it displays miniature icons, using the filename field of the DB entry as description. Or, if the user chooses to download the file, I can append a "Content-Disposition" header (javax.mail.internet.ContentDisposition) and set a "filename" parameter, so the user's browser download dialog can display the original filename (or a new name, if he edited the entry), without the actual URL having to contain that filename. :)

Regards,
Konstantin Preißer

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
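The pattern Konstantin describes, as an added example that is not code from the thread or from his gallery: the browser's filename is parsed out of the multipart part's Content-Disposition header (Tomcat 7 / Servlet 3.0 has no Part.getSubmittedFileName(), so it is done by hand), reduced to a display-only string, and the bytes are written under a name derived solely from the DB row id, so reserved device names like "PRN", path components and collisions between clients never reach the filesystem. The download header is built by hand (RFC 6266 filename= plus RFC 5987 filename*) instead of with javax.mail.internet.ContentDisposition to keep the example free of the JavaMail dependency; the upload directory, the row id 4711 and the sample header are constructed values.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.nio.file.Path;
import java.nio.file.Paths;

/** Added example: client-supplied filename for display only, server-chosen name for storage. */
public final class UploadNames {

    private UploadNames() {}

    /** Extract the filename parameter from a part's Content-Disposition header, or null if absent. */
    public static String submittedFileName(String partContentDisposition) {
        if (partContentDisposition == null) return null;
        for (String token : partContentDisposition.split(";")) {
            String t = token.trim();
            if (t.regionMatches(true, 0, "filename=", 0, 9)) {
                String v = t.substring(9).trim();
                if (v.length() >= 2 && v.startsWith("\"") && v.endsWith("\"")) {
                    v = v.substring(1, v.length() - 1);
                }
                return v;
            }
        }
        return null;
    }

    /** Reduce the submitted name to something fit for the DB "description" field:
     *  last path component only (old IE sends the full client path), no control
     *  characters, extension removed, bounded length. Never used as a path. */
    public static String displayNameFrom(String submitted) {
        if (submitted == null) return "";
        String base = submitted;
        int cut = Math.max(base.lastIndexOf('/'), base.lastIndexOf('\\'));
        if (cut >= 0) base = base.substring(cut + 1);
        base = base.replaceAll("\\p{Cntrl}", "");
        int dot = base.lastIndexOf('.');
        if (dot > 0) base = base.substring(0, dot);
        if (base.length() > 120) base = base.substring(0, 120);
        return base.trim();
    }

    /** Where the bytes actually go: derived from the DB row id alone, so "PRN", "../"
     *  and two clients uploading "photo.jpg" at once are non-issues. */
    public static Path storagePathFor(Path uploadDir, long rowId) {
        return uploadDir.resolve(Long.toString(rowId) + ".dat");
    }

    /** Escape the display name before it is written into the gallery's HTML. */
    public static String htmlEscape(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '&': sb.append("&amp;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#39;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Download header: ASCII-only quoted filename= for old browsers plus a UTF-8 filename*
     *  so names such as "Preißer.jpg" survive; quotes and backslashes cannot break the header. */
    public static String contentDispositionFor(String displayName, String extension) {
        String full = displayName + extension;
        String ascii = full.replaceAll("[^\\x20-\\x7E]", "_").replace('"', '_').replace('\\', '_');
        String encoded;
        try {
            // URLEncoder leaves '*' alone, which RFC 5987 does not allow unencoded
            encoded = URLEncoder.encode(full, "UTF-8").replace("+", "%20").replace("*", "%2A");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException(e); // UTF-8 is always available
        }
        return "attachment; filename=\"" + ascii + "\"; filename*=UTF-8''" + encoded;
    }

    public static void main(String[] args) {
        // constructed sample header in the form older IE versions sent (full client path included)
        String header = "form-data; name=\"picture\"; filename=\"C:\\Users\\kp\\Bilder\\Strand <Ostsee>.jpg\"";
        String submitted = submittedFileName(header);
        String display = displayNameFrom(submitted);
        long rowId = 4711L; // constructed: the id the DB assigned to the new gallery entry
        System.out.println("submitted : " + submitted);
        System.out.println("display   : " + display);
        System.out.println("stored as : " + storagePathFor(Paths.get("/var/gallery"), rowId));
        System.out.println("html      : " + htmlEscape(display));
        System.out.println("download  : " + contentDispositionFor(display, ".jpg"));
    }
}
```

Two points the thread only implies: the display string is untrusted input like any other and is escaped at the point it enters HTML, and the extension appended on download is the server's own record (the type it verified at upload), not whatever the client's name ended in.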