Re: Servlet 3.0 File Upload

2011-09-06 Thread Ole Ersoy

Thanks guys!

Ole

On 09/03/2011 10:51 AM, Konstantin Preißer wrote:

Hi,


-Original Message-
From: Jonathan Soons [mailto:jso...@juilliard.edu]
Sent: Saturday, September 03, 2011 2:24 PM
To: Ole Ersoy; Tomcat Users List
Subject: RE: Servlet 3.0 File Upload

You need to add a line in your form:
<input type="text" name="filename" />

Then in your servlet GetPost() method you put this filename in a
variable:
String filename;
filename = req.getParameter("filename");

Then instead of part.write("samplefile");
do:
part.write(filename);



Doesn't that mean that the user has to enter the filename by himself?

What I usually do to get the filename is:

Part uploadPart = request.getPart("uploadfield"); // get the Part
String contDispoHeader = uploadPart.getHeader("Content-Disposition"); // get Content-Disposition header
String uploadFilename = null;
if (contDispoHeader != null) {
    try {
        uploadFilename = new ContentDisposition(contDispoHeader).getParameter("filename");
    } catch (ParseException e) {
        // malformed header: leave uploadFilename null
    }
}

Note that the ContentDisposition class is from the JavaMail package
(javax.mail.internet.ContentDisposition). Browsers usually send filenames in the
filename parameter of a Content-Disposition header.


Regards,

Konstantin Preißer


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org







Re: Servlet 3.0 File Upload

2011-09-06 Thread Christopher Schultz

Konstantin,

On 9/3/2011 11:51 AM, Konstantin Preißer wrote:
 What I usually do to get the filename is:
 
 Part uploadPart = request.getPart("uploadfield"); // get the Part
 String contDispoHeader = uploadPart.getHeader("Content-Disposition"); // get Content-Disposition header
 String uploadFilename = null;
 if (contDispoHeader != null) {
     try {
         uploadFilename = new ContentDisposition(contDispoHeader).getParameter("filename");
     } catch (ParseException e) { }
 }

It seems dangerous to allow the client to specify the file name. All
kinds of bad things can happen such as specifying special file names
(does PRN still work in win32? through Java?) or overwriting files
from other clients.

I would highly recommend that some portion of the temporary file name
be completely random, as well as using something keyed on the request
to disambiguate the file as well.

I usually just use File.createTempFile, though performance of that
method can be less than ideal.

- -chris

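Chris's recommendation (a random portion in the name, plus something keyed on the request), written out as an added example that is not code from the thread. It assumes a Servlet 3.0 `@MultipartConfig` servlet, Java 11, an upload directory `/var/uploads`, and that the session id is the request-side key; the `UploadStorage` class and its method names are this example's own. Both variants put only server-generated characters into the path, so nothing the client sent ("../", a device name, another user's name) can reach the file system.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.http.Part;

/**
 * Added example, not code from the thread. Every uploaded part is written under
 * a name the server chose: a short tag derived from the session id (the
 * "keyed on the request" part) plus a random token. UPLOAD_DIR and the use of
 * the session id as the key are assumptions of this example.
 */
public final class UploadStorage {

    private static final Path UPLOAD_DIR = Paths.get("/var/uploads"); // assumed location
    private static final SecureRandom RNG = new SecureRandom();

    /** 128 bits from SecureRandom as URL-safe base64 without padding: 22 filename-safe chars. */
    static String randomToken() {
        byte[] b = new byte[16];
        RNG.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    /** First 4 bytes of SHA-256(session id) as hex: ties the file to the request without exposing the id. */
    static String sessionTag(String sessionId) {
        try {
            byte[] h = MessageDigest.getInstance("SHA-256")
                    .digest(sessionId.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (int i = 0; i < 4; i++) sb.append(String.format("%02x", h[i] & 0xff));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    /**
     * Variant 1: explicit random name. Files.copy without REPLACE_EXISTING throws
     * FileAlreadyExistsException instead of overwriting, so even a token
     * collision cannot clobber another user's upload.
     */
    public static Path storeRandom(Part part, String sessionId) throws IOException {
        Path target = UPLOAD_DIR.resolve(sessionTag(sessionId) + "-" + randomToken() + ".bin");
        try (InputStream in = part.getInputStream()) {
            Files.copy(in, target);
        }
        return target;
    }

    /**
     * Variant 2: let the JDK pick the random part (File.createTempFile's NIO
     * counterpart). The empty file is created atomically with owner-only
     * permissions on POSIX, so the copy has to replace it; the prefix carries
     * the session tag.
     */
    public static Path storeTemp(Part part, String sessionId) throws IOException {
        Path target = Files.createTempFile(UPLOAD_DIR, sessionTag(sessionId) + "-", ".bin");
        try (InputStream in = part.getInputStream()) {
            Files.copy(in, target, StandardCopyOption.REPLACE_EXISTING);
        }
        return target;
    }

    // Usage inside doPost of a @MultipartConfig servlet (form field "uploadfield" assumed):
    //   Path saved = UploadStorage.storeRandom(request.getPart("uploadfield"),
    //                                          request.getSession().getId());
    //   // persist saved.getFileName().toString() next to whatever display name you keep
}
```

Copying the stream explicitly rather than calling `part.write(...)` keeps the destination directory in one place in the code; `Part.write` resolves relative names against the `@MultipartConfig` location, which is easy to get wrong when the name comes from elsewhere.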



Re: Servlet 3.0 File Upload

2011-09-06 Thread verlag.preis...@t-online.de

Hi Chris,
 
 It seems dangerous to allow the client to specify the file name. All
 kinds of bad things can happen such as specifying special file names
 (does PRN still work in win32? through Java?) or overwriting files
 from other clients.
 
 I would highly recommend that some portion of the temporary file name
 be completely random, as well as using something keyed on the request
 to disambiguate the file as well.

did you read my other reply to that thread? ;-)

Of course, I don't use that filename to save that file on the server (I assumed 
it is completely clear that one wouldn't do this). But I want to use the 
filename for displaying purposes.
E.g., I have a web application where the user can upload pictures, combined to 
a picture gallery (http://bildergalerie.pleier-it.de/ , it is a German site 
however, using TC 7). On uploading, the server reads the submitted filename and 
stores it in a field in the corresponding DB entry (without the file ending). 
Then it generates a filename based on the DB Row-ID (not on the filename) to 
actually store that image.
When the user visits the site, it displays miniature icons, using the filename 
field of the DB entry as description. Or, if the user chooses to download the 
file, I can append a Content-Disposition header 
(javax.mail.internet.ContentDisposition) and set a filename parameter, so the 
user's browser download dialog can display the original filename (or a new 
name, if he edited the entry), without the actual URL having to contain that 
filename.  :)


Regards,

Konstantin Preißer



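The download half of Konstantin's scheme (row id in the URL, display name from the database, original name only in the response header), as an added example that is not code from the thread. It builds the Content-Disposition value by hand per RFC 6266 / RFC 5987 rather than with javax.mail.internet.ContentDisposition, so a stored name containing quotes, line breaks or non-ASCII characters cannot produce a malformed header. Java 11, the `/var/uploads` directory, and the `UploadRecord` / `findById` lookup are assumptions of this example.

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example, not code from the thread. Serves a stored upload under the
 * display name kept in the database. The client supplies only a numeric row
 * id; the name appears solely in the Content-Disposition response header.
 * UPLOAD_DIR and UploadRecord are stand-ins for the application's own storage.
 */
public final class DownloadSupport {

    /** Row as the thread describes it: display name column + server-generated storage name. */
    public static final class UploadRecord {
        public final String displayName;  // taken from the upload's Content-Disposition, display only
        public final String storedFile;   // server-generated, e.g. derived from the row id
        public UploadRecord(String displayName, String storedFile) {
            this.displayName = displayName;
            this.storedFile = storedFile;
        }
    }

    private static final Path UPLOAD_DIR = Paths.get("/var/uploads"); // assumed location

    /** ASCII fallback for the quoted filename= parameter: no quotes, CR/LF, backslashes or non-ASCII. */
    static String asciiFallback(String name) {
        String s = name.replaceAll("[^A-Za-z0-9 ._-]", "_");
        return s.isEmpty() ? "download" : s;
    }

    /** RFC 5987 ext-value: UTF-8 percent-encoding; URLEncoder's '+' and bare '*' are not valid there. */
    static String rfc5987(String name) {
        return URLEncoder.encode(name, StandardCharsets.UTF_8)
                .replace("+", "%20")
                .replace("*", "%2A");
    }

    /** Header value: old clients read filename=, modern ones prefer filename*=. */
    public static String contentDisposition(String displayName) {
        return "attachment; filename=\"" + asciiFallback(displayName) + "\""
             + "; filename*=UTF-8''" + rfc5987(displayName);
    }

    /** Streams the stored file; the storage name was generated server side, never by the client. */
    public static void send(HttpServletResponse resp, UploadRecord rec) throws IOException {
        Path file = UPLOAD_DIR.resolve(rec.storedFile);
        resp.setContentType("application/octet-stream");
        resp.setHeader("X-Content-Type-Options", "nosniff"); // keep browsers from sniffing HTML out of it
        resp.setHeader("Content-Disposition", contentDisposition(rec.displayName));
        Files.copy(file, resp.getOutputStream());
    }

    // Usage in doGet (findById is a hypothetical DB lookup, not shown):
    //   long id = Long.parseLong(request.getParameter("id"));
    //   UploadRecord rec = findById(id);
    //   if (rec == null) { resp.sendError(HttpServletResponse.SC_NOT_FOUND); return; }
    //   send(resp, rec);
}
```

For a name such as `Urlaub Müller.jpg` the header becomes `attachment; filename="Urlaub M_ller.jpg"; filename*=UTF-8''Urlaub%20M%C3%BCller.jpg`; browsers that understand RFC 5987 show the original name, older ones the ASCII fallback.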



Re: Servlet 3.0 File Upload

2011-09-05 Thread André Warnier

This must be about the worst advice I have ever seen.
What about someone typing e.g. /etc/passwd in that text box?

If you allow people to upload files to your server, you should create your own location 
and naming scheme for the uploaded files.  You should not even use the original filename, 
unless you are dying to experience all the silly things that people can think of in terms 
of filenames (with spaces in them, or characters that are valid on one platform but not 
another, or characters in various character sets and so on.)



Jonathan Soons wrote:

You need to add a line in your form:
<input type="text" name="filename" />

Then in your servlet GetPost() method you put this filename in a variable:
String filename;
filename = req.getParameter("filename");

Then instead of part.write("samplefile");
do:
part.write(filename);

Jonathan Soons

From: Ole Ersoy [ole.er...@gmail.com]
Sent: Friday, September 02, 2011 6:50 PM
To: Tomcat Users List
Subject: Servlet 3.0 File Upload

Hi,

I have a working file upload servlet, with the exception that it calls the uploaded file 
samplefile instead of using the name of the file.  So if I upload different 
files, they all overwrite each other.  Any ideas on how to fix this?  I used this 
tutorial to get it working:

http://www.servletworld.com/servlet-tutorials/servlet3/multipartconfig-file-upload-example.html

TIA,
- Ole










Re: Servlet 3.0 File Upload

2011-09-05 Thread Ole Ersoy

Thank you for the advice.  I'll stick to hard coded file locations and names :).

Thanks again,
- Ole

On 09/05/2011 03:22 AM, André Warnier wrote:

This must be about the worst advice I have ever seen.
What about someone typing e.g. /etc/passwd in that text box?

If you allow people to upload files to your server, you should create
your own location and naming scheme for the uploaded files. You should
not even use the original filename, unless you are dying to experience
all the silly things that people can think of in terms of filenames
(with spaces in them, or characters that are valid on one platform but
not another, or characters in various character sets and so on.)


Jonathan Soons wrote:

You need to add a line in your form:
<input type="text" name="filename" />

Then in your servlet GetPost() method you put this filename in a
variable:
String filename;
filename = req.getParameter("filename");

Then instead of part.write("samplefile");
do:
part.write(filename);

Jonathan Soons

From: Ole Ersoy [ole.er...@gmail.com]
Sent: Friday, September 02, 2011 6:50 PM
To: Tomcat Users List
Subject: Servlet 3.0 File Upload

Hi,

I have a working file upload servlet, with the exception that it calls
the uploaded file samplefile instead of using the name of the file.
So if I upload different files, they all overwrite each other. Any
ideas on how to fix this? I used this tutorial to get it working:

http://www.servletworld.com/servlet-tutorials/servlet3/multipartconfig-file-upload-example.html


TIA,
- Ole














RE: Servlet 3.0 File Upload

2011-09-03 Thread Jonathan Soons
You need to add a line in your form:
<input type="text" name="filename" />

Then in your servlet GetPost() method you put this filename in a variable:
String filename;
filename = req.getParameter("filename");

Then instead of part.write("samplefile");
do:
part.write(filename);

Jonathan Soons

From: Ole Ersoy [ole.er...@gmail.com]
Sent: Friday, September 02, 2011 6:50 PM
To: Tomcat Users List
Subject: Servlet 3.0 File Upload

Hi,

I have a working file upload servlet, with the exception that it calls the 
uploaded file samplefile instead of using the name of the file.  So if I 
upload different files, they all overwrite each other.  Any ideas on how to fix 
this?  I used this tutorial to get it working:

http://www.servletworld.com/servlet-tutorials/servlet3/multipartconfig-file-upload-example.html

TIA,
- Ole





RE: Servlet 3.0 File Upload

2011-09-03 Thread Konstantin Preißer
Hi,

 -Original Message-
 From: Jonathan Soons [mailto:jso...@juilliard.edu]
 Sent: Saturday, September 03, 2011 2:24 PM
 To: Ole Ersoy; Tomcat Users List
 Subject: RE: Servlet 3.0 File Upload
 
 You need to add a line in your form:
 <input type="text" name="filename" />
 
 Then in your servlet GetPost() method you put this filename in a
 variable:
 String filename;
 filename = req.getParameter("filename");
 
 Then instead of part.write("samplefile");
 do:
 part.write(filename);
 

Doesn't that mean that the user has to enter the filename by himself?

What I usually do to get the filename is:

import javax.mail.internet.ContentDisposition; // JavaMail
import javax.mail.internet.ParseException;
import javax.servlet.http.Part;

Part uploadPart = request.getPart("uploadfield"); // get the Part
String contDispoHeader = uploadPart.getHeader("Content-Disposition"); // get Content-Disposition header
String uploadFilename = null;
if (contDispoHeader != null) {
    try {
        uploadFilename = new ContentDisposition(contDispoHeader).getParameter("filename");
    } catch (ParseException e) {
        // malformed header: leave uploadFilename null
    }
}

Note that the ContentDisposition class is from the JavaMail package
(javax.mail.internet.ContentDisposition). Browsers usually send filenames in the
filename parameter of a Content-Disposition header.


Regards,

Konstantin Preißer


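The same header extraction without the JavaMail dependency, carried on to the point the thread later reaches (the submitted name is kept for display only), as an added example that is not code from the thread. It parses the `filename` parameter of a part's Content-Disposition header and reduces it to a display name: path components from either OS are dropped, control and markup characters removed, and the Windows device names Chris asks about (PRN, CON, and the rest) rejected. The `SubmittedFilename` class, the field name `uploadfield`, and Java 11 are assumptions; the sample headers in `main` are constructed.

```java
import java.util.Locale;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example, not code from the thread. Reads the filename parameter out of
 * a part's Content-Disposition header and reduces it to a display name that can
 * be stored in a database column and shown to users. The result is never used
 * as a path; storage names are generated server side.
 */
public final class SubmittedFilename {

    // filename="..." (with \" escapes) or a bare token, case-insensitive.
    // filename*= (RFC 5987 form) deliberately does not match and yields null.
    private static final Pattern FILENAME = Pattern.compile(
            "(?i)(?:^|;)\\s*filename\\s*=\\s*(?:\"((?:\\\\.|[^\"])*)\"|([^;]*))");

    // Device names on Windows regardless of extension; never usable as names there.
    private static final Set<String> WINDOWS_RESERVED = Set.of(
            "CON", "PRN", "AUX", "NUL",
            "COM1", "COM2", "COM3", "COM4", "COM5", "COM6", "COM7", "COM8", "COM9",
            "LPT1", "LPT2", "LPT3", "LPT4", "LPT5", "LPT6", "LPT7", "LPT8", "LPT9");

    /** Raw filename parameter as the browser sent it, or null if absent. */
    public static String fromContentDisposition(String header) {
        if (header == null) return null;
        Matcher m = FILENAME.matcher(header);
        if (!m.find()) return null;
        String raw = m.group(1) != null ? m.group(1).replace("\\\"", "\"") : m.group(2);
        return raw.trim();
    }

    /**
     * Display name: last path component only (either separator, since some
     * browsers once sent full Windows paths), no control or markup characters,
     * no leading dots, bounded length, no reserved device name. Falls back to
     * "upload" when nothing usable is left.
     */
    public static String toDisplayName(String raw) {
        if (raw == null) return "upload";
        int cut = Math.max(raw.lastIndexOf('/'), raw.lastIndexOf('\\'));
        String name = raw.substring(cut + 1);
        name = name.replaceAll("[\\p{Cntrl}\"<>]", "");
        name = name.replaceAll("^\\.+", "");
        if (name.length() > 200) name = name.substring(0, 200);
        int dot = name.indexOf('.');
        String stem = dot < 0 ? name : name.substring(0, dot);
        if (name.isEmpty() || WINDOWS_RESERVED.contains(stem.toUpperCase(Locale.ROOT))) {
            return "upload";
        }
        return name;
    }

    // Constructed sample headers, shaped like a browser's for a field named "uploadfield".
    public static void main(String[] args) {
        String[] headers = {
            "form-data; name=\"uploadfield\"; filename=\"photo.jpg\"",
            "form-data; name=\"uploadfield\"; filename=\"C:\\Users\\me\\holiday.png\"",
            "form-data; name=\"uploadfield\"; filename=\"../../badfile.exe\"",
            "form-data; name=\"uploadfield\"; filename=\"PRN.txt\"",
            "form-data; name=\"uploadfield\"",
        };
        for (String h : headers) {
            System.out.println(h + "  ->  " + toDisplayName(fromContentDisposition(h)));
        }
    }

    // Inside a @MultipartConfig servlet:
    //   Part p = request.getPart("uploadfield");
    //   String shown = toDisplayName(fromContentDisposition(p.getHeader("Content-Disposition")));
}
```

The display name is what goes into the database column and the gallery caption; the file itself is written under a name the server chooses, which is the part of the thread's advice that actually removes the path-injection risk.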



Re: Servlet 3.0 File Upload

2011-09-03 Thread chris derham
  You need to add a line in your form:
  <input type="text" name="filename" />
 
  Then in your servlet GetPost() method you put this filename in a
  variable:
  String filename;
  filename = req.getParameter("filename");
 
  Then instead of part.write("samplefile");
  do:
  part.write(filename);


Letting the remote user control the name of the file that is written to disk
exposes a potential security risk. Due to bad configuration, the posted name
may allow the caller to save arbitrary files anywhere they wish. The server
should generate the name that is used to save the file to remove this risk.

Chris


RE: Servlet 3.0 File Upload

2011-09-03 Thread Konstantin Preißer
Hi,

 -Original Message-
 From: cjder...@gmail.com [mailto:cjder...@gmail.com] On Behalf Of chris
 derham
 Sent: Saturday, September 03, 2011 6:51 PM
 To: Tomcat Users List
 Subject: Re: Servlet 3.0 File Upload
 
 
 Letting the remote user control the name of the file that is written to
 disk
 exposes a potential security risk. Due to bad configuration, the posted
 name
 may allow the caller to save arbitrary files anywhere they wish. The
 server
 should generate the name that is used to save the file to remove this
 risk
 
 Chris

Yes, the user could supply a name like ../../badfile.exe (even in the 
Content-Disposition header) to inject a file anywhere in the file system. Of 
course, one shouldn't use the supplied filename to save the file on the server. 
I usually make a DB entry with the supplied filename stored in a text field, 
and use the ID of the entry to generate a filename where the actual file 
contents are stored. The supplied filename is then only for displaying purposes.


Regards,

Konstantin Preißer





Servlet 3.0 File Upload

2011-09-02 Thread Ole Ersoy

Hi,

I have a working file upload servlet, with the exception that it calls the uploaded file 
samplefile instead of using the name of the file.  So if I upload different 
files, they all overwrite each other.  Any ideas on how to fix this?  I used this 
tutorial to get it working:

http://www.servletworld.com/servlet-tutorials/servlet3/multipartconfig-file-upload-example.html

TIA,
- Ole   





Re: Servlet 3.0 File Upload

2011-09-02 Thread Ole Ersoy

Never mind...I see the example hard codes the name of the file.  Sorry for the 
noise.

On 09/02/2011 05:50 PM, Ole Ersoy wrote:

Hi,

I have a working file upload servlet, with the exception that it calls
the uploaded file samplefile instead of using the name of the file. So
if I upload different files, they all overwrite each other. Any ideas on
how to fix this? I used this tutorial to get it working:

http://www.servletworld.com/servlet-tutorials/servlet3/multipartconfig-file-upload-example.html


TIA,
- Ole

