I've just verified that the detected behaviour (upload bombs when
form validation fails) has a reason. When a validation error occurs
the following code gets executed:

        //does our form have a multipart request?
        if (formInstance.getMultipartRequestHandler() != null) {
            //rollback the request
            if (debug > 1) {
                log("  Rolling back the multipart request");
            }
            
            formInstance.getMultipartRequestHandler().rollback();
        }
        ...
        rd.forward(request, response);
        return (false);

What is missing here is the code snippet from the normal execution path:

        //set the request back to its normal state if it's currently wrapped,
        //to avoid ClassCastExceptions from ServletContainers if forwarding
        if (request instanceof MultipartRequestWrapper) {
            request = ((MultipartRequestWrapper) request).getRequest();
        }

That's only one point, but the whole ActionServlet code should be scanned
through as there are places (e.g. the forward and include mapping types, at
first sight) where the same problem seems to occur.

incze
