[jira] [Work logged] (WW-5371) Use action based callback to transfer information about uploaded files

[ASF GitHub Bot (Jira)]

     [ 
https://issues.apache.org/jira/browse/WW-5371?focusedWorklogId=898910&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-898910
 ]

ASF GitHub Bot logged work on WW-5371:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 10/Jan/24 09:14
            Start Date: 10/Jan/24 09:14
    Worklog Time Spent: 10m 
      Work Description: kusalk commented on code in PR #223:
URL: https://github.com/apache/struts-site/pull/223#discussion_r1447084616


##########
source/core-developers/file-upload.md:
##########
@@ -51,7 +55,35 @@ example:
 </s:form>
 ```
 
-The fileUpload interceptor will use setter injection to insert the uploaded 
file and related data into your Action
+The actionFileUpload interceptor will use a dedicated interface 
`org.apache.struts2.action.UploadedFilesAware` to transfer
+information and content of uploaded file. Your action should implement the 
interface to receive the uploaded file:
+
+```java
+public class UploadAction extends ActionSupport implements UploadedFilesAware {
+  
+    private UploadedFile uploadedFile;
+    private String contentType;
+    private String fileName;
+    private String originalName;
+
+    @Override
+    public void withUploadedFiles(List<UploadedFile> uploadedFiles) {
+        if (!uploadedFiles.isEmpty() > 0) {

Review Comment:
   Same here



##########
source/core-developers/action-file-upload-interceptor.md:
##########
@@ -0,0 +1,111 @@
+---
+layout: default
+title: Action File Upload Interceptor
+parent:
+    title: Interceptors
+    url: interceptors
+---
+
+# Action File Upload Interceptor
+
+> Available since Struts 6.4.0 as replacement for [File Upload 
Interceptor](file-upload-interceptor)
+
+See [this page](file-upload) for more examples and advanced configuration.
+
+Interceptor that is based off of `MultiPartRequestWrapper`, which is 
automatically applied for any request that includes 
+a file. If an action implements `org.apache.struts2.action.UploadedFilesAware` 
interface, the interceptor will pass
+information and content of uploaded files using the callback method 
`withUploadedFiles(List<UploadedFile>)`.
+
+See the example code section.
+
+This interceptor will add several field errors, assuming that the action 
implements `ValidationAware`. These error messages 
+are based on several i18n values stored in `struts-messages.properties`, a 
default i18n file processed for all i18n requests. 
+You can override the text of these messages by providing text for the 
following keys:
+
+ - `struts.messages.error.uploading` - a general error that occurs when the 
file could not be uploaded
+ - `struts.messages.error.file.too.large` - occurs when the uploaded file is 
too large
+ - `struts.messages.error.content.type.not.allowed` - occurs when the uploaded 
file does not match the expected content 
+   types specified
+ - `struts.messages.error.file.extension.not.allowed` - occurs when the 
uploaded file does not match the expected 
+   file extensions specified
+
+## Parameters
+
+ - `maximumSize` (optional) - the maximum size (in bytes) that the interceptor 
will allow a file reference to be set
+   on the action. Note, this is <b>not</b> related to the various properties 
found in struts.properties. 
+   Default to approximately 2MB.
+ - `allowedTypes` (optional) - a comma separated list of content types (ie: 
`text/html`) that the interceptor will allow
+   a file reference to be set on the action. If none is specified allow all 
types to be uploaded.
+ - `allowedExtensions` (optional) - a comma separated list of file extensions 
(ie: `.html`) that the interceptor will allow
+   a file reference to be set on the action. If none is specified allow all 
extensions to be uploaded.
+
+## Extending the Interceptor
+
+You can extend this interceptor and override the acceptFile method to provide 
more control over which files are supported 
+and which are not.
+
+## Examples
+
+**Example action mapping:**
+
+```xml
+ <action name="doUpload" class="com.example.UploadAction">
+     <interceptor-ref name="actionFileUpload"/>
+     <interceptor-ref name="basicStack"/>
+     <result name="success">good_result.jsp</result>
+ </action>
+
+```
+
+Notice the interceptor configuration in the preceding example\. 
+
+**Example JSP form tags:**
+
+```xml
+   <s:form action="doUpload" method="post" enctype="multipart/form-data">
+       <s:file name="upload" label="File"/>
+       <s:submit/>
+   </s:form>
+
+```
+
+You must set the encoding to <code>multipart/form-data</code> in the form 
where the user selects the file to upload.
+
+**Example Action class:**
+
+```java
+public class UploadAction extends ActionSupport implements UploadedFilesAware {
+   private UploadedFile uploadedFile;
+   private String contentType;
+   private String fileName;
+   private String originalName;
+
+   @Override
+   public void withUploadedFiles(List<UploadedFile> uploadedFiles) {
+      if (!uploadedFiles.isEmpty() > 0) {

Review Comment:
   Think you can drop the `> 0`



##########
source/core-developers/file-upload.md:
##########
@@ -21,11 +24,13 @@ than the temporary directory and the directories that 
belong to your web applica
 The Struts 2 framework leverages the Commons FileUpload library as a based 
library to support file upload in the framework.
 The library is included in a base Struts 2 distribution.
 
+> NOTE: Since Struts 6.4.0 the `FileUploadInterceptor` is deprecated and you 
should use `ActionFileUploadInterceptor` instead!
+
 ## Basic Usage
 
-The `org.apache.struts2.interceptor.FileUploadInterceptor` class is included 
as part of the `defaultStack`. As long as
-the required libraries are added to your project you will be able to take 
advantage of the Struts 2 file upload
-capability. Configure an Action mapping for your Action class as you typically 
would.
+The `org.apache.struts2.interceptor.FileUploadInterceptor` and 
`org.apache.struts2.interceptor.ActionFileUploadInterceptor`
+classes is included as part of the `defaultStack`. As long as  the required 
libraries are added to your project you will be able 

Review Comment:
   `classes **are** included`





Issue Time Tracking
-------------------

    Worklog Id:     (was: 898910)
    Time Spent: 1.5h  (was: 1h 20m)

> Use action based callback to transfer information about uploaded files
> ----------------------------------------------------------------------
>
>                 Key: WW-5371
>                 URL: https://issues.apache.org/jira/browse/WW-5371
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core Interceptors
>            Reporter: Lukasz Lenart
>            Assignee: Lukasz Lenart
>            Priority: Major
>             Fix For: 6.4.0
>
>          Time Spent: 1.5h
>  Remaining Estimate: 0h
>
> Based on experience of the latest security vulnerability (CVE-2023-50164) it 
> would be better to keep uploaded files out of scope of passed parameters.
> The idea is to have a dedicated interceptor and *Aware interface instead of 
> using parameter injection as it happens currently.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)