<!DOCTYPE html>
<!--
| Generated by Apache Maven Doxia at 24 December 2018
| Rendered using Apache Maven Fluido Skin 1.3.0
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="iso-8859-1" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<meta name="Date-Revision-yyyymmdd" content="20181224" />
<meta http-equiv="Content-Language" content="en" />
<title>FileUpload &#x2013; FileUpload FAQ</title>
<link rel="stylesheet" href="./css/bootstrap.min.css" type="text/css" />
<link rel="stylesheet" href="./css/site.css" type="text/css" />
<link rel="stylesheet" href="./css/print.css" media="print" />
<script type="text/javascript" src="./js/jquery.min.js"></script>
<script type="text/javascript" src="./js/bootstrap.min.js"></script>
<script type="text/javascript" src="./js/prettify.min.js"></script>
<script type="text/javascript" src="./js/site.js"></script>
</head>
<body class="composite">
<a href="http://commons.apache.org/" id="bannerLeft" title="Apache Commons logo">
<img class="logo-left" src="./images/commons-logo.png" alt="Apache Commons logo"/>
</a>
<a href="index.html" id="bannerRight">
<img class="logo-right" src="images/logo.png" alt="Commons FileUpload"/>
</a>
<div class="clear"></div>
<div class="navbar">
<div class="navbar-inner">
<div class="container-fluid">
<a class="brand" href="http://commons.apache.org/proper/commons-fileupload/">Apache Commons FileUpload &trade;</a>
<ul class="nav">
<li id="publishDate">Last Published: 24 December 2018</li>
<li class="divider">|</li> <li id="projectVersion">Version: 1.4</li>
</ul>
<div class="pull-right"> <ul class="nav">
<li>
<a href="http://www.apachecon.com/" class="externalLink" title="ApacheCon">
ApacheCon</a>
</li>
<li>
<a href="http://www.apache.org" class="externalLink" title="Apache">
Apache</a>
</li>
<li>
<a href="../../" title="Commons">
Commons</a>
</li>
</ul>
</div>
</div>
</div>
</div>
<div class="container-fluid">
<table class="layout-table">
<tr>
<td class="content">
<div class="section">
<h2><a name="FileUpload_FAQ"></a><a name="top">FileUpload FAQ</a></h2>
<p><b>General</b></p>
<ol style="list-style-type: decimal">
<li><a href="#empty-parse">
Why is parseRequest() returning no items?
</a></li>
<li><a href="#read-timeout">
Why am I getting &quot;Read timed out&quot; exceptions while parsing?
</a></li>
<li><a href="#class-not-found">
Why is NoClassDefFoundError being thrown?
</a></li>
<li><a href="#whole-path-from-IE">
Why does FileItem.getName() return the whole path, and not just the file name?
</a></li></ol>
<p><b>FileUpload and Struts 1</b></p>
<ol style="list-style-type: decimal">
<li><a href="#parse-in-action-fails">
I'm using FileUpload in an Action, but it's not working. Why?
</a></li>
<li><a href="#howto-parse-in-action">
But I need to parse the request myself. How can I do that?
</a></li></ol>
<p><b>FileUpload and Flash</b></p>
<ol style="list-style-type: decimal">
<li><a href="#missing-boundary-terminator">
I'm using FileUpload to receive an upload from flash, but
FileUpload will always throw an Exception &quot;Stream ended unexpectedly&quot;.
What can I do?
</a></li></ol>
<p><b>Security</b></p>
<ol style="list-style-type: decimal">
<li><a href="#diskfileitem-serializable"> I have read that there is a security problem in Commons FileUpload, because there is a class called
DiskFileItem, which can be used for malicious attacks.
</a></li></ol></div>
<div class="section">
<h2><a name="General"></a>General</h2>
<dl>
<dt><a name="empty-parse">
Why is parseRequest() returning no items?
</a></dt>
<dd>
This most commonly happens when the request has already been parsed, or
processed in some other way. Since the input stream has already been
consumed by that earlier process, it is no longer available for parsing
by Commons FileUpload.
<p align="right"><a href="#top">[top]</a></p><hr /></dd>
<dt><a name="read-timeout">
Why am I getting &quot;Read timed out&quot; exceptions while parsing?
</a></dt>
<dd>
The most common cause of these exceptions is when FileUpload is being
used on a site that is using the Tomcat ISAPI redirector. There was a
bug in earlier versions of that component that caused problems with
multipart requests. The bug was fixed some time ago, so you probably
just need to pick up a newer version. See the
<a class="externalLink" href="http://issues.apache.org/bugzilla/show_bug.cgi?id=15278">Tomcat bug report</a>
for full details.
<p align="right"><a href="#top">[top]</a></p><hr /></dd>
<dt><a name="class-not-found">
Why is NoClassDefFoundError being thrown?
</a></dt>
<dd>
<p>There are two common causes for this error.</p>
<p>Firstly, it might simply mean that you do not have the Commons IO
jar in your classpath. FileUpload depends on IO (see
<a href="dependencies.html">dependencies</a>) - you can tell if
this is the case if the missing class is within the
<tt>org.apache.commons.io</tt> package.</p>
<p>Secondly, this happens when attempting to rely on a shared copy of
the Commons FileUpload jar file provided by your web container. The
solution is to include the FileUpload jar file as part of your own
web application, instead of relying on the container. The same may
hold for FileUpload's IO dependency.</p>
<p align="right"><a href="#top">[top]</a></p><hr /></dd>
<dt><a name="whole-path-from-IE">
Why does FileItem.getName() return the whole path, and not just the file name?
</a></dt>
<dd>
Internet Explorer provides the entire path to the uploaded file and not
just the base file name. Since FileUpload provides exactly what was
supplied by the client (browser), you may want to remove this path
information in your application. You can do that using the following
method from Commons IO (which you already have, since it is used by
FileUpload).
<div>
<pre>
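// FilenameUtils is org.apache.commons.io.FilenameUtils (Commons IO).
String fileName = item.getName();
if (fileName != null) {
    // Keep only the base name; this drops any client-side directory part.
    fileName = FilenameUtils.getName(fileName);
}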
</pre></div>
<p align="right"><a href="#top">[top]</a></p></dd></dl></div>
<div class="section">
<h2><a name="FileUpload_and_Struts_1"></a>FileUpload and Struts 1</h2>
<dl>
<dt><a name="parse-in-action-fails">
I'm using FileUpload in an Action, but it's not working. Why?
</a></dt>
<dd>
Struts 1 recognises multipart requests, and parses them automatically,
presenting the request parameters to your code in the same manner as
if they were regular request parameters. Since Struts has already
processed the request, and made it available in your form bean, the
input stream is no longer available for parsing, so attempting to do
so with FileUpload will fail.
<p align="right"><a href="#top">[top]</a></p><hr /></dd>
<dt><a name="howto-parse-in-action">
But I need to parse the request myself. How can I do that?
</a></dt>
<dd>
Struts 1 parses a multipart request as a part of the process of populating
your form bean from that request. If, for some reason, you need to have
full control over the multipart parsing, you can do so by configuring
your action mapping without an associated form bean. (A better way of
doing this, however, is to replace the default multipart handler with
your own. See the Struts 1 documentation for details.)
<p align="right"><a href="#top">[top]</a></p></dd></dl></div>
<div class="section">
<h2><a name="FileUpload_and_Flash"></a>FileUpload and Flash</h2>
<dl>
<dt><a name="missing-boundary-terminator">
I'm using FileUpload to receive an upload from flash, but
FileUpload will always throw an Exception &quot;Stream ended unexpectedly&quot;.
What can I do?
</a></dt>
<dd>
<p>
At least as of version 8, Flash contains a known bug: the multipart
stream it produces is broken, because the final boundary doesn't
contain the suffix &quot;--&quot;, which ought to indicate that no more
items follow. Consequently, FileUpload waits for the next
item (which it doesn't get) and throws an exception.
</p>
<p>
The problem's details and a possible workaround are outlined in
<a class="externalLink" href="http://issues.apache.org/jira/browse/FILEUPLOAD-143">Bug 143</a>.
The workaround is to use the streaming API
and catch the exception. The resulting code could look like
this:
</p>
<div>
<pre>final List&lt;FileItem&gt; items = new ArrayList&lt;FileItem&gt;();
HttpServletRequest servletRequest = [...];
RequestContext ctx = new ServletRequestContext(servletRequest);
FileItemFactory fileItemFactory = new DiskFileItemFactory();
ServletFileUpload upload = new ServletFileUpload();
FileItemIterator iter = upload.getItemIterator(ctx);
try {
    while (iter.hasNext()) {
        FileItemStream item = iter.next();
        // Create a FileItem for this part and copy the streamed content into it.
        FileItem fileItem = fileItemFactory.createItem(item.getFieldName(),
                                                       item.getContentType(),
                                                       item.isFormField(),
                                                       item.getName());
        Streams.copy(item.openStream(), fileItem.getOutputStream(), true);
        items.add(fileItem);
    }
} catch (MalformedStreamException e) {
    // Ignore this: Flash omits the &quot;--&quot; suffix on the final boundary.
}</pre></div>
<p align="right"><a href="#top">[top]</a></p></dd></dl></div>
<div class="section">
<h2><a name="FileUpload_and_Flash"></a>Security</h2>
<dl>
<dt><a name="diskfileitem-serializable"> I have read that there is a security problem in Commons FileUpload, because there is a class called
DiskFileItem, which can be used for malicious attacks.
</a></dt>
<dd>
<p>
It is true that this class exists, and that it can be serialized/deserialized in FileUpload versions up to and
including 1.3.2. It is also true that a malicious attacker can abuse this possibility to create arbitrarily
located files (assuming the required permissions) with arbitrary contents, if he gets the opportunity to
provide specially crafted data that is deserialized by a Java application which has one of the
above versions of Commons FileUpload on the classpath, and which puts no limitations on the classes being
deserialized.
</p>
<p>
That being said, we (the Apache Commons team) hold the view that the actual problem is not the DiskFileItem
class, but the &quot;if&quot; in the previous sentence. A Java application should carefully consider which classes
can be deserialized. A typical approach would be, for example, to provide a blacklist or whitelist of
packages and/or classes which may or may not be deserialized.
</p>
<p>
On the other hand, we acknowledge that the likelihood of application container vendors taking such a
simple security measure is extremely low. So, in order to support the Commons FileUpload users, we have
decided to choose a different approach:
</p>
<p>
Beginning with 1.3.3, the class DiskFileItem still implements the interface java.io.Serializable.
In other words, it still declares itself to the JVM as serializable and deserializable. In practice,
however, an attempt to deserialize an instance of DiskFileItem will trigger an Exception. In the unlikely
case that your application depends on the deserialization of DiskFileItems, you can revert to the
previous behaviour by setting the system property &quot;org.apache.commons.fileupload.disk.DiskFileItem.serializable&quot;
to &quot;true&quot;.
</p>
<p align="right"><a href="#top">[top]</a></p></dd></dl></div>
</td>
</tr>
</table>
</div>
<div class="footer">
<p>Copyright &copy; 2002-2018
<a href="https://www.apache.org/">The Apache Software Foundation</a>.
All Rights Reserved.</p>
</div>
</body>
</html>