Konstantin,

On 9/3/2011 11:51 AM, Konstantin Preißer wrote:
> What I usually do to get the filename is:
> 
> // javax.servlet.http.Part (Servlet 3.0); ContentDisposition/ParseException
> // e.g. from javax.mail.internet
> Part uploadPart = request.getPart("uploadfield"); // get the Part
> // get the Content-Disposition header of that part
> String contDispoHeader = uploadPart.getHeader("Content-Disposition");
> String uploadFilename = null;
> if (contDispoHeader != null) {
>     try {
>         // read the filename parameter as sent by the client
>         uploadFilename = new ContentDisposition(contDispoHeader).getParameter("filename");
>     } catch (ParseException e) {
>         // malformed header: uploadFilename stays null
>     }
> }

It seems dangerous to allow the client to specify the file name. All
kinds of bad things can happen such as specifying special file names
(does "PRN" still work in win32? through Java?) or overwriting files
from other clients.

I would highly recommend that some portion of the temporary file name
be completely random, as well as using something keyed on the request
to disambiguate the file.

I usually just use File.createTempFile, though performance of that
method can be less than ideal.

-chris
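The hardening Chris describes, written out as an added example that is not part of the original thread and not Tomcat's own code: the client-supplied filename is reduced to a display/metadata name only, and the name actually used on disk is chosen by the server via File.createTempFile in a dedicated upload directory, with a prefix keyed on the request and the random part supplied by createTempFile. The small filename="..." regex (instead of a full Content-Disposition parser), the RESERVED set of Win32 device names, the sanitize rules and the requestId parameter are this example's own assumptions; the Content-Disposition headers in main are constructed inputs standing in for request.getPart("uploadfield").getHeader("Content-Disposition").

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class SafeUploadName {

    // Win32 reserved device names. "PRN.txt" still names the device, so the stem is checked.
    private static final Set<String> RESERVED = Set.of(
        "CON", "PRN", "AUX", "NUL",
        "COM1", "COM2", "COM3", "COM4", "COM5", "COM6", "COM7", "COM8", "COM9",
        "LPT1", "LPT2", "LPT3", "LPT4", "LPT5", "LPT6", "LPT7", "LPT8", "LPT9");

    // Assumption: a minimal filename="..." extractor. A real parser (e.g. javax.mail's
    // ContentDisposition) handles quoting and escapes; the point here is what happens afterwards.
    private static final Pattern FILENAME = Pattern.compile("filename=\"([^\"]*)\"");

    /** Returns the filename parameter exactly as the client sent it, or null. */
    static String rawFilename(String contentDisposition) {
        if (contentDisposition == null) return null;
        Matcher m = FILENAME.matcher(contentDisposition);
        return m.find() ? m.group(1) : null;
    }

    /**
     * Reduces the client-supplied name to something safe to show or store as metadata.
     * It is never used to build the on-disk path.
     */
    static String sanitize(String raw) {
        if (raw == null) return "upload";
        // Drop any directory part: some browsers send full paths, attackers send "../".
        String base = raw.replace('\\', '/');
        base = base.substring(base.lastIndexOf('/') + 1);
        // Keep a conservative character set only.
        base = base.replaceAll("[^A-Za-z0-9._-]", "_");
        // No leading dots: no hidden files, no "." / "..".
        base = base.replaceFirst("^\\.+", "");
        if (base.isEmpty()) base = "upload";
        // Reserved device names: compare the part before the first dot, case-insensitively.
        int dot = base.indexOf('.');
        String stem = (dot < 0 ? base : base.substring(0, dot)).toUpperCase(Locale.ROOT);
        if (RESERVED.contains(stem)) base = "_" + base;
        if (base.length() > 255) base = base.substring(0, 255);
        return base;
    }

    /**
     * The file the upload is actually written to: created inside uploadDir with a
     * request-keyed prefix and a random middle part chosen by File.createTempFile.
     * requestId is an assumed per-request identifier (e.g. a server-generated id).
     */
    static File newStorageFile(File uploadDir, String requestId) throws IOException {
        String prefix = "req-" + requestId.replaceAll("[^A-Za-z0-9]", "") + "-";
        return File.createTempFile(prefix, ".bin", uploadDir);
    }

    public static void main(String[] args) throws IOException {
        File dir = Files.createTempDirectory("uploads").toFile();
        // Constructed Content-Disposition headers, as a browser or an attacker might send them.
        String[] headers = {
            "form-data; name=\"uploadfield\"; filename=\"report.pdf\"",
            "form-data; name=\"uploadfield\"; filename=\"../../etc/passwd\"",
            "form-data; name=\"uploadfield\"; filename=\"C:\\Users\\bob\\PRN.txt\"",
            "form-data; name=\"uploadfield\"; filename=\".htaccess\"",
            "form-data; name=\"uploadfield\"",
        };
        int i = 0;
        for (String h : headers) {
            String display = sanitize(rawFilename(h));
            File stored = newStorageFile(dir, "r" + (i++));
            System.out.printf("%-58s -> display=%-12s stored=%s%n", h, display, stored.getName());
        }
    }
}
```

In a servlet the only change is the source of the header and the bytes: pass part.getHeader("Content-Disposition") to rawFilename, copy part.getInputStream() into the file returned by newStorageFile, and record the sanitized name beside it (for example in a database row) purely for later display. Because the on-disk name never depends on client input, one client cannot overwrite another client's upload or reach a device name, and the createTempFile cost Chris mentions is paid once per upload rather than per request.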