users@servlet-spec.java.net

[servlet-spec users] [jsr369-experts] Part write clarification?

From: Greg Wilkins <gregw_at_webtide.com>
Date: Wed, 8 Mar 2017 16:09:16 +0900

All,

Janb has asked me to seek clarification on the Part.write(String) method.

The spec for @MultipartConfiguration.location says:

> The location attribute of the javax.servlet.annotation.MultipartConfig and
> the <location> element of the <multipart-config> is interpreted as an
> absolute path and defaults to the value of the
> javax.servlet.context.tempdir. If a relative path is specified, it will be
> relative to the tempdir location. The test for absolute path vs relative
> path MUST be done via java.io.File.isAbsolute.


The javadoc for Part.write(String fileName) says:

> fileName - the name of the file to which the stream will be written. The
> file is created relative to the location as specified in the MultipartConfig


It is not clear whether fileName should be interpreted as a Path or not,
nor what should be the result if it specifies an absolute location, or
contains special path elements such as "." or "..".

Should an absolute filename throw an IAE or should it just be interpreted
relative to the config location? What if the filename is something like
"C:\\foo\bar"?


Tomcat have changed the javadoc on their version of the API to say:

> @param fileName The location into which the uploaded part should be
> stored. Relative locations are relative to {@link
> javax.servlet.MultipartConfigElement#getLocation()}


For which we have raised an issue:
https://bz.apache.org/bugzilla/show_bug.cgi?id=60802
and Spring Framework at least is expecting the Tomcat behaviour as reported
in this Jetty bug: https://github.com/eclipse/jetty.project/issues/1337


I don't mind the Tomcat version (modulo some security concerns about
allowing the container to try to write to any old path), but would prefer
if the official version could clarify how absolute paths should be handled.

cheers




-- 
Greg Wilkins <gregw@webtide.com> CTO http://webtide.com
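
The two readings of Part.write(String) raised in the message above, as an added example that is not part of the original post and not code from Jetty, Tomcat or the specification. The class name, method names, sample location and sample file names are all hypothetical; `resolveLenient` is only one reading of the quoted Tomcat javadoc wording, and `resolveStrict` is the throw-an-IAE alternative with a containment check for "..".

```java
import java.io.File;
import java.nio.file.Path;
import java.nio.file.Paths;

// Added illustration; names are hypothetical, this is not container code.
public class PartWriteResolution {

    // Reading A: an absolute fileName is used as given; a relative one is
    // resolved against the configured multipart location.
    static Path resolveLenient(Path location, String fileName) {
        File f = new File(fileName);
        return (f.isAbsolute() ? f.toPath() : location.resolve(fileName)).normalize();
    }

    // Reading B: the result must stay under location. Absolute names and
    // names that climb out via ".." raise IllegalArgumentException.
    static Path resolveStrict(Path location, String fileName) {
        if (new File(fileName).isAbsolute()) {
            throw new IllegalArgumentException("absolute fileName: " + fileName);
        }
        Path base = location.toAbsolutePath().normalize();
        Path target = base.resolve(fileName).normalize();
        if (!target.startsWith(base)) {
            throw new IllegalArgumentException("fileName escapes location: " + fileName);
        }
        return target;
    }

    public static void main(String[] args) {
        Path location = Paths.get("/var/tmp/uploads"); // constructed sample location
        String[] names = { "report.txt", "./a/../report.txt", "../outside.txt",
                           "/etc/outside.txt", "C:\\foo\\bar" }; // constructed samples
        for (String name : names) {
            String strict;
            try {
                strict = resolveStrict(location, name).toString();
            } catch (IllegalArgumentException e) {
                strict = "IAE (" + e.getMessage() + ")";
            }
            System.out.printf("%-20s lenient=%s strict=%s%n",
                    name, resolveLenient(location, name), strict);
        }
    }
}
```

Because the absolute-path test goes through java.io.File.isAbsolute, as the spec text for the location attribute requires, the "C:\\foo\\bar" case is classified differently on Windows and on POSIX systems.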