jsr369-experts@servlet-spec.java.net

[jsr369-experts] Re: Part write clarification?

From: Stuart Douglas <sdouglas@redhat.com>
Date: Thu, 9 Mar 2017 07:20:53 +1100

For what it is worth we also implement the Tomcat behavior.

If we do make this behavior official we should probably put a warning
on the javadoc about it being up to the application to make sure the
path that is passed in is safe.

For relative paths I think we should probably throw an exception if
the resulting path is outside the base path (e.g. files like
../../../somefile.txt).

Stuart

On Wed, Mar 8, 2017 at 6:09 PM, Greg Wilkins <gregw@webtide.com> wrote:
>
> All,
>
> Janb has asked me to seek clarification on the Part.write(String) method.
>
> The spec for @MultipartConfiguration.location says:
>
>> The location attribute of the javax.servlet.annotation.MultipartConfig and
>> the <location> element of the <multipart-config> is interpreted as an
>> absolute path and defaults to the value of the
>> javax.servlet.context.tempdir. If a relative path is specified, it will be
>> relative to the tempdir location. The test for absolute path vs relative
>> path MUST be done via java.io.File.isAbsolute.
>
>
> The javadoc for Part.write(String fileName) says:
>
>> fileName - the name of the file to which the stream will be written. The
>> file is created relative to the location as specified in the MultipartConfig
>
>
> It is not clear whether fileName should be interpreted as a Path or not, nor
> what should be the result if it specifies an absolute location, or contains
> special path elements such as "." or "..".
>
> Should an absolute filename throw an IAE or should it just be interpreted
> relative to the config location? What if the filename is something like
> "C:\\foo\bar"?
>
>
> Tomcat have changed the javadoc on their version of the API to say:
>
>> @param fileName The location into which the uploaded part should be
>> stored. Relative locations are relative to {@link
>> javax.servlet.MultipartConfigElement#getLocation()}
>
>
> For which we have raised an issue:
> https://bz.apache.org/bugzilla/show_bug.cgi?id=60802
> and Spring Framework at least is expecting the tomcat behaviour as reported
> in this Jetty bug: https://github.com/eclipse/jetty.project/issues/1337
>
>
> I don't mind the Tomcat version (modulo some security concerns about
> allowing the container to try to write to any old path), but would prefer if
> the official version could clarify how absolute paths should be handled.
>
> cheers
>
>
>
>
> --
> Greg Wilkins <gregw@webtide.com> CTO http://webtide.com