[ https://issues.apache.org/jira/browse/WW-5371?focusedWorklogId=898910&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-898910 ]
ASF GitHub Bot logged work on WW-5371: -------------------------------------- Author: ASF GitHub Bot Created on: 10/Jan/24 09:14 Start Date: 10/Jan/24 09:14 Worklog Time Spent: 10m Work Description: kusalk commented on code in PR #223: URL: https://github.com/apache/struts-site/pull/223#discussion_r1447084616 ########## source/core-developers/file-upload.md: ########## @@ -51,7 +55,35 @@ example: </s:form> ``` -The fileUpload interceptor will use setter injection to insert the uploaded file and related data into your Action +The actionFileUpload interceptor will use a dedicated interface `org.apache.struts2.action.UploadedFilesAware` to transfer +information and content of uploaded file. Your action should implement the interface to receive the uploaded file: + +```java +public class UploadAction extends ActionSupport implements UploadedFilesAware { + + private UploadedFile uploadedFile; + private String contentType; + private String fileName; + private String originalName; + + @Override + public void withUploadedFiles(List<UploadedFile> uploadedFiles) { + if (!uploadedFiles.isEmpty() > 0) { Review Comment: Same here ########## source/core-developers/action-file-upload-interceptor.md: ########## 
@@ -0,0 +1,111 @@ +--- +layout: default +title: Action File Upload Interceptor +parent: + title: Interceptors + url: interceptors +--- + +# Action File Upload Interceptor + +> Available since Struts 6.4.0 as replacement for [File Upload Interceptor](file-upload-interceptor) + +See [this page](file-upload) for more examples and advanced configuration. + +Interceptor that is based off of `MultiPartRequestWrapper`, which is automatically applied for any request that includes +a file. If an action implements `org.apache.struts2.action.UploadedFilesAware` interface, the interceptor will pass +information and content of uploaded files using the callback method `withUploadedFiles(List<UploadedFile>)`. + +See the example code section. + +This interceptor will add several field errors, assuming that the action implements `ValidationAware`. These error messages +are based on several i18n values stored in `struts-messages.properties`, a default i18n file processed for all i18n requests. +You can override the text of these messages by providing text for the following keys: + + - `struts.messages.error.uploading` - a general error that occurs when the file could not be uploaded + - `struts.messages.error.file.too.large` - occurs when the uploaded file is too large + - `struts.messages.error.content.type.not.allowed` - occurs when the uploaded file does not match the expected content + types specified + - `struts.messages.error.file.extension.not.allowed` - occurs when the uploaded file does not match the expected + file extensions specified + +## Parameters + + - `maximumSize` (optional) - the maximum size (in bytes) that the interceptor will allow a file reference to be set + on the action. Note, this is <b>not</b> related to the various properties found in struts.properties. + Default to approximately 2MB. + - `allowedTypes` (optional) - a comma separated list of content types (ie: `text/html`) that the interceptor will allow + a file reference to be set on the action. 
If none is specified allow all types to be uploaded. + - `allowedExtensions` (optional) - a comma separated list of file extensions (ie: `.html`) that the interceptor will allow + a file reference to be set on the action. If none is specified allow all extensions to be uploaded. + +## Extending the Interceptor + +You can extend this interceptor and override the acceptFile method to provide more control over which files are supported +and which are not. + +## Examples + +**Example action mapping:** + +```xml + <action name="doUpload" class="com.example.UploadAction"> + <interceptor-ref name="actionFileUpload"/> + <interceptor-ref name="basicStack"/> + <result name="success">good_result.jsp</result> + </action> + +``` + +Notice the interceptor configuration in the preceding example\. + +**Example JSP form tags:** + +```xml + <s:form action="doUpload" method="post" enctype="multipart/form-data"> + <s:file name="upload" label="File"/> + <s:submit/> + </s:form> + +``` + +You must set the encoding to <code>multipart/form-data</code> in the form where the user selects the file to upload. + +**Example Action class:** + +```java +public class UploadAction extends ActionSupport implements UploadedFilesAware { + private UploadedFile uploadedFile; + private String contentType; + private String fileName; + private String originalName; + + @Override + public void withUploadedFiles(List<UploadedFile> uploadedFiles) { + if (!uploadedFiles.isEmpty() > 0) { Review Comment: Think you can drop the `> 0` ########## source/core-developers/file-upload.md: ########## 
@@ -21,11 +24,13 @@ than the temporary directory and the directories that belong to your web applica The Struts 2 framework leverages the Commons FileUpload library as a based library to support file upload in the framework. The library is included in a base Struts 2 distribution. +> NOTE: Since Struts 6.4.0 the `FileUploadInterceptor` is deprecated and you should use `ActionFileUploadInterceptor` instead! + ## Basic Usage -The `org.apache.struts2.interceptor.FileUploadInterceptor` class is included as part of the `defaultStack`. As long as -the required libraries are added to your project you will be able to take advantage of the Struts 2 file upload -capability. Configure an Action mapping for your Action class as you typically would. +The `org.apache.struts2.interceptor.FileUploadInterceptor` and `org.apache.struts2.interceptor.ActionFileUploadInterceptor` +classes is included as part of the `defaultStack`. As long as the required libraries are added to your project you will be able Review Comment: `classes **are** included` Issue Time Tracking ------------------- Worklog Id: (was: 898910) Time Spent: 1.5h (was: 1h 20m) > Use action based callback to transfer information about uploaded files > ---------------------------------------------------------------------- > > Key: WW-5371 > URL: https://issues.apache.org/jira/browse/WW-5371 > Project: Struts 2 > Issue Type: Improvement > Components: Core Interceptors > Reporter: Lukasz Lenart > Assignee: Lukasz Lenart > Priority: Major > Fix For: 6.4.0 > > Time Spent: 1.5h > Remaining Estimate: 0h > > Based on experience of the latest security vulnerability (CVE-2023-50164) it > would be better to keep uploaded files out of scope of passed parameters. > The idea is to have a dedicated interceptor and *Aware interface instead of > using parameter injection as it happens currently. -- This message was sent by Atlassian Jira (v8.20.10#820010)
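Review bot: The guard `if (!uploadedFiles.isEmpty() > 0)` in the `UploadAction` example added to `file-upload.md` (hunk `@@ -51,7 +55,35 @@`) compares a boolean with an int and will not compile in Java; write `if (!uploadedFiles.isEmpty())`. The example also declares `fileName` and `originalName` side by side without saying how they differ, so a sentence stating which of the two is taken from the client request would help readers decide which value is safe to log or store. Minor wording: "information and content of uploaded file" reads better as "of the uploaded file".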
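Review bot: The `allowedTypes` and `allowedExtensions` entries under `## Parameters` in the new `action-file-upload-interceptor.md` (hunk `@@ -0,0 +1,111 @@`) say that leaving them unset allows all types and extensions, and the example mapping then uses a bare `<interceptor-ref name="actionFileUpload"/>`, so the documented configuration accepts any file. Suggest showing the mapping with `<param name="allowedExtensions">` and `<param name="maximumSize">` set inside the `interceptor-ref`, and stating next to `allowedTypes` that the content type is supplied by the client. Smaller points in the same hunk: `ie:` should be `e.g.`, `<b>not</b>` would be more consistent as Markdown bold, "Default to approximately 2MB" should give the value in bytes since the parameter is in bytes, and the `UploadAction` example repeats the non-compiling `!uploadedFiles.isEmpty() > 0`.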
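Review bot: The rewritten `## Basic Usage` paragraph in `file-upload.md` (hunk `@@ -21,11 +24,13 @@`) says both `FileUploadInterceptor` and `ActionFileUploadInterceptor` are part of the `defaultStack`, directly below a NOTE that deprecates the former, without explaining what happens when an action goes through a stack containing both. Add a sentence stating which interceptor delivers the upload depending on whether the action implements `UploadedFilesAware`, and whether the setter-based path of the deprecated interceptor stays active for actions that still expose upload setters. The verb also needs to agree with the plural subject: "classes are included".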