Re: Servlet 3.0 File Upload
Thanks guys!

Ole

On 09/03/2011 10:51 AM, Konstantin Preißer wrote:
> Hi,
>
> > -----Original Message-----
> > From: Jonathan Soons [mailto:jso...@juilliard.edu]
> > Sent: Saturday, September 03, 2011 2:24 PM
> > To: Ole Ersoy; Tomcat Users List
> > Subject: RE: Servlet 3.0 File Upload
> >
> > You need to add a line in your form:
> >
> >     <input type="text" name="filename" />
> >
> > Then in your servlet GetPost() method you put this filename in a variable:
> >
> >     String filename;
> >     filename = req.getParameter("filename");
> >
> > Then instead of part.write("samplefile"); do: part.write(filename);
>
> Doesn't that mean that the user has to enter the filename by himself?
>
> What I usually do to get the filename is:
>
>     Part uploadPart = request.getPart("uploadfield"); // get the Part
>     String contDispoHeader = uploadPart.getHeader("Content-Disposition"); // get Content-Disposition header
>     String uploadFilename = null;
>     if (contDispoHeader != null) {
>         try {
>             uploadFilename = new ContentDisposition(contDispoHeader).getParameter("filename");
>         } catch (ParseException e) {
>         }
>     }
>
> Note that the ContentDisposition class is from the JavaMail package (javax.mail.internet.ContentDisposition).
> Browsers usually send filenames in the filename parameter of a Content-Disposition header.
>
> Regards,
> Konstantin Preißer

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Servlet 3.0 File Upload
Konstantin,

On 9/3/2011 11:51 AM, Konstantin Preißer wrote:
> What I usually do to get the filename is:
>
>     Part uploadPart = request.getPart("uploadfield"); // get the Part
>     String contDispoHeader = uploadPart.getHeader("Content-Disposition"); // get Content-Disposition header
>     String uploadFilename = null;
>     if (contDispoHeader != null) {
>         try {
>             uploadFilename = new ContentDisposition(contDispoHeader).getParameter("filename");
>         } catch (ParseException e) {
>         }
>     }

It seems dangerous to allow the client to specify the file name. All kinds of bad things can happen such as specifying special file names (does PRN still work in win32? through Java?) or overwriting files from other clients.

I would highly recommend that some portion of the temporary file name be completely random, as well as using something keyed on the request to disambiguate the file as well.

I usually just use File.createTempFile, though performance of that method can be less than ideal.

-chris
Re: Servlet 3.0 File Upload
Hi Chris,

> It seems dangerous to allow the client to specify the file name. All kinds of bad things can happen such as specifying special file names (does PRN still work in win32? through Java?) or overwriting files from other clients.
>
> I would highly recommend that some portion of the temporary file name be completely random, as well as using something keyed on the request to disambiguate the file as well.

did you read my other reply to that thread? ;-)

Of course, I don't use that filename to save that file on the server (I assumed it is completely clear that one wouldn't do this). But I want to use the filename for displaying purposes.

E.g., I have a web application where the user can upload pictures, combined to a picture gallery (http://bildergalerie.pleier-it.de/ , it is a German site however, using TC 7). On uploading, the server reads the submitted filename and stores it in a field in the corresponding DB entry (without the file ending). Then it generates a filename based on the DB Row-ID (not on the filename) to actually store that image.

When the user visits the site, it displays miniature icons, using the filename field of the DB entry as description. Or, if the user chooses to download the file, I can append a Content-Disposition header (javax.mail.internet.ContentDisposition) and set a filename parameter, so the user's browser download dialog can display the original filename (or a new name, if he edited the entry), without the actual URL having to contain that filename. :)

Regards,
Konstantin Preißer
Re: Servlet 3.0 File Upload
This must be about the worst advice I have ever seen.
What about someone typing e.g. /etc/passwd in that text box?

If you allow people to upload files to your server, you should create your own location and naming scheme for the uploaded files. You should not even use the original filename, unless you are dying to experience all the silly things that people can think of in terms of filenames (with spaces in them, or characters that are valid on one platform but not another, or characters in various character sets and so on.)

Jonathan Soons wrote:
> You need to add a line in your form:
>
>     <input type="text" name="filename" />
>
> Then in your servlet GetPost() method you put this filename in a variable:
>
>     String filename;
>     filename = req.getParameter("filename");
>
> Then instead of part.write("samplefile"); do: part.write(filename);
>
> Jonathan Soons
>
> ________________________________________
> From: Ole Ersoy [ole.er...@gmail.com]
> Sent: Friday, September 02, 2011 6:50 PM
> To: Tomcat Users List
> Subject: Servlet 3.0 File Upload
>
> Hi,
>
> I have a working file upload servlet, with the exception that it calls the uploaded file samplefile instead of using the name of the file. So if I upload different files, they all overwrite each other. Any ideas on how to fix this?
>
> I used this tutorial to get it working:
> http://www.servletworld.com/servlet-tutorials/servlet3/multipartconfig-file-upload-example.html
>
> TIA,
> - Ole
Re: Servlet 3.0 File Upload
Thank you for the advice. I'll stick to hard coded file locations and names :).

Thanks again,
- Ole

On 09/05/2011 03:22 AM, André Warnier wrote:
> This must be about the worst advice I have ever seen.
> What about someone typing e.g. /etc/passwd in that text box?
>
> If you allow people to upload files to your server, you should create your own location and naming scheme for the uploaded files. You should not even use the original filename, unless you are dying to experience all the silly things that people can think of in terms of filenames (with spaces in them, or characters that are valid on one platform but not another, or characters in various character sets and so on.)
>
> Jonathan Soons wrote:
> > You need to add a line in your form:
> >
> >     <input type="text" name="filename" />
> >
> > Then in your servlet GetPost() method you put this filename in a variable:
> >
> >     String filename;
> >     filename = req.getParameter("filename");
> >
> > Then instead of part.write("samplefile"); do: part.write(filename);
> >
> > Jonathan Soons
> >
> > ________________________________________
> > From: Ole Ersoy [ole.er...@gmail.com]
> > Sent: Friday, September 02, 2011 6:50 PM
> > To: Tomcat Users List
> > Subject: Servlet 3.0 File Upload
> >
> > Hi,
> >
> > I have a working file upload servlet, with the exception that it calls the uploaded file samplefile instead of using the name of the file. So if I upload different files, they all overwrite each other. Any ideas on how to fix this?
> >
> > I used this tutorial to get it working:
> > http://www.servletworld.com/servlet-tutorials/servlet3/multipartconfig-file-upload-example.html
> >
> > TIA,
> > - Ole
RE: Servlet 3.0 File Upload
You need to add a line in your form:

    <input type="text" name="filename" />

Then in your servlet GetPost() method you put this filename in a variable:

    String filename;
    filename = req.getParameter("filename");

Then instead of part.write("samplefile"); do: part.write(filename);

Jonathan Soons

________________________________________
From: Ole Ersoy [ole.er...@gmail.com]
Sent: Friday, September 02, 2011 6:50 PM
To: Tomcat Users List
Subject: Servlet 3.0 File Upload

> Hi,
>
> I have a working file upload servlet, with the exception that it calls the uploaded file samplefile instead of using the name of the file. So if I upload different files, they all overwrite each other. Any ideas on how to fix this?
>
> I used this tutorial to get it working:
> http://www.servletworld.com/servlet-tutorials/servlet3/multipartconfig-file-upload-example.html
>
> TIA,
> - Ole
RE: Servlet 3.0 File Upload
Hi,

> -----Original Message-----
> From: Jonathan Soons [mailto:jso...@juilliard.edu]
> Sent: Saturday, September 03, 2011 2:24 PM
> To: Ole Ersoy; Tomcat Users List
> Subject: RE: Servlet 3.0 File Upload
>
> You need to add a line in your form:
>
>     <input type="text" name="filename" />
>
> Then in your servlet GetPost() method you put this filename in a variable:
>
>     String filename;
>     filename = req.getParameter("filename");
>
> Then instead of part.write("samplefile"); do: part.write(filename);

Doesn't that mean that the user has to enter the filename by himself?

What I usually do to get the filename is:

    Part uploadPart = request.getPart("uploadfield"); // get the Part
    String contDispoHeader = uploadPart.getHeader("Content-Disposition"); // get Content-Disposition header
    String uploadFilename = null;
    if (contDispoHeader != null) {
        try {
            uploadFilename = new ContentDisposition(contDispoHeader).getParameter("filename");
        } catch (ParseException e) {
        }
    }

Note that the ContentDisposition class is from the JavaMail package (javax.mail.internet.ContentDisposition).
Browsers usually send filenames in the filename parameter of a Content-Disposition header.

Regards,
Konstantin Preißer
Re: Servlet 3.0 File Upload
> You need to add a line in your form:
>
>     <input type="text" name="filename" />
>
> Then in your servlet GetPost() method you put this filename in a variable:
>
>     String filename;
>     filename = req.getParameter("filename");
>
> Then instead of part.write("samplefile"); do: part.write(filename);

Letting the remote user control the name of the file that is written to disk exposes a potential security risk. Due to bad configuration, the posted name may allow the caller to save arbitrary files anywhere they wish. The server should generate the name that is used to save the file to remove this risk.

Chris
RE: Servlet 3.0 File Upload
Hi,

> -----Original Message-----
> From: cjder...@gmail.com [mailto:cjder...@gmail.com] On Behalf Of chris derham
> Sent: Saturday, September 03, 2011 6:51 PM
> To: Tomcat Users List
> Subject: Re: Servlet 3.0 File Upload
>
> Letting the remote user control the name of the file that is written to disk exposes a potential security risk. Due to bad configuration, the posted name may allow the caller to save arbitrary files anywhere they wish. The server should generate the name that is used to save the file to remove this risk.
>
> Chris

Yes, the user could supply a name like ../../badfile.exe (even in the Content-Disposition header) to inject a file anywhere in the file system. Of course, one shouldn't use the supplied filename to save the file on the server.

I usually make a DB entry with the supplied filename stored in a text field, and use the ID of the entry to generate a filename where the actual file contents are stored. The supplied filename is then only for displaying purposes.

Regards,
Konstantin Preißer
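The scheme described in this reply and in the earlier reply to Chris Schultz (submitted name kept for display only, bytes stored under a server-generated name that cannot collide or escape the upload directory), as an added example that is not code from this thread. It assumes a fixed upload directory /var/app/uploads and a Servlet 3.0 javax.servlet.http.Part, and hand-parses the Content-Disposition header instead of using JavaMail's ContentDisposition.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.UUID;
import javax.servlet.http.Part;

// Added example, not code from this thread: the client-supplied name is kept
// for display only; the bytes are stored under a server-generated random name.
public final class UploadNaming {
    // Fixed upload directory; an assumption for this example.
    private static final Path UPLOAD_DIR = Paths.get("/var/app/uploads");
    // Pull the filename parameter out of a multipart Content-Disposition header.
    // Simplified parser (no quoted ';', no RFC 5987 filename*); Servlet 3.1 adds
    // Part.getSubmittedFileName(), which does this for you.
    static String submittedFileName(String contentDisposition) {
        if (contentDisposition == null) return null;
        for (String token : contentDisposition.split(";")) {
            String t = token.trim();
            if (t.startsWith("filename=")) {
                String v = t.substring("filename=".length()).trim();
                if (v.length() >= 2 && v.startsWith("\"") && v.endsWith("\"")) {
                    v = v.substring(1, v.length() - 1);
                }
                return v;
            }
        }
        return null;
    }

    // Reduce the submitted name to something safe to show or keep in a DB text
    // field: last path component only (browsers may send "C:\dir\x.jpg" or a
    // "../.." prefix), control characters stripped. It is never used as a path.
    static String displayName(String submitted) {
        if (submitted == null) return "unnamed";
        int cut = Math.max(submitted.lastIndexOf('/'), submitted.lastIndexOf('\\'));
        String base = submitted.substring(cut + 1).replaceAll("\\p{Cntrl}", "");
        return base.isEmpty() ? "unnamed" : base;
    }

    // Write the part under a random name inside UPLOAD_DIR. Files.copy without
    // REPLACE_EXISTING throws instead of overwriting, so uploads cannot collide.
    static String store(Part part) throws IOException {
        String storageName = UUID.randomUUID().toString();
        try (InputStream in = part.getInputStream()) {
            Files.copy(in, UPLOAD_DIR.resolve(storageName));
        }
        return storageName;
    }
}
```

In the servlet, call displayName(submittedFileName(part.getHeader("Content-Disposition"))) for the DB text field and store(part) for the storage name; the two values are only ever linked through the DB row.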
Servlet 3.0 File Upload
Hi,

I have a working file upload servlet, with the exception that it calls the uploaded file samplefile instead of using the name of the file. So if I upload different files, they all overwrite each other. Any ideas on how to fix this?

I used this tutorial to get it working:
http://www.servletworld.com/servlet-tutorials/servlet3/multipartconfig-file-upload-example.html

TIA,
- Ole
Re: Servlet 3.0 File Upload
Never mind... I see the example hard codes the name of the file. Sorry for the noise.

On 09/02/2011 05:50 PM, Ole Ersoy wrote:
> Hi,
>
> I have a working file upload servlet, with the exception that it calls the uploaded file samplefile instead of using the name of the file. So if I upload different files, they all overwrite each other. Any ideas on how to fix this?
>
> I used this tutorial to get it working:
> http://www.servletworld.com/servlet-tutorials/servlet3/multipartconfig-file-upload-example.html
>
> TIA,
> - Ole