[ https://issues.apache.org/jira/browse/WW-5520?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alireza Fattahi updated WW-5520:
--------------------------------
    Description: 
According to security policies we should log different events and errors during 
file upload. Examples of these events are: 
 # file type is not right
 # file format is not right
 # file is too big
 # user has uploaded successfully

We find the only solution is to replace our own `AbstractInterceptor` and 
`ActionFileUploadInterceptor` to achieve this. We copied 
`AbstractInterceptor` and `ActionFileUploadInterceptor` sources 
(from struts) and put the log commands inside the classes.

Example:
{code:java}
// Part of AbstractInterceptor line 145:
if (maximumSize != null && maximumSize < file.length()) {
    String errMsg = getTextMessage(action, STRUTS_MESSAGES_ERROR_FILE_TOO_LARGE_KEY, new String[]{
        inputName, originalFilename, file.getName(), "" + file.length(), getMaximumSizeStr(action)
    });
    errorMessages.add(errMsg);
    LOG.warn(errMsg);
    //@Addby project
    logsecurity.putLog("validation failed" + file.getOriginalName() + " file is too big");
}
{code}
Although it works, it does not seem a good solution at all. Is there a better way?

  was:
According to security policies we should log different events and errors during 
file upload. Examples of these events are: 
 # file is type is not right
 # file is format is not right
 # file is too big
 # user has uploaded successfully

We find the only solution is to replace our own `AbstractInterceptor` and 
`ActionFileUploadInterceptor` to achieve this. We copied 
`AbstractInterceptor` and `ActionFileUploadInterceptor` sources 
(from struts) and put the log commands inside the classes.

Example:
{code:java}
// Part of AbstractInterceptor line 145:
if (maximumSize != null && maximumSize < file.length()) {
    String errMsg = getTextMessage(action, STRUTS_MESSAGES_ERROR_FILE_TOO_LARGE_KEY, new String[]{
        inputName, originalFilename, file.getName(), "" + file.length(), getMaximumSizeStr(action)
    });
    errorMessages.add(errMsg);
    LOG.warn(errMsg);
    //@Addby project
    logsecurity.putLog("validation failed" + file.getOriginalName() + " file is too big");
}
{code}
Although it works, it does not seem a good solution at all. Is there a better way?


> Fileupload Events
> -----------------
>
>                 Key: WW-5520
>                 URL: https://issues.apache.org/jira/browse/WW-5520
>             Project: Struts 2
>          Issue Type: Improvement
>            Reporter: Alireza Fattahi
>            Priority: Minor
>             Fix For: 7.1.0
>


