I have a Spring controller with /file mapping that gets a file name from user and stream file content to user
#RequestMapping(value = "/file" , method = RequestMethod.GET)
#ResponseBody
public void getFile(#RequestParam(value = "name", required = true) String fileName,
HttpServletResponse response)
{
String fileExtension = "";
int i = fileName.lastIndexOf('.');
if (i > 0) {
fileExtension = fileName.substring(i+1);
}
// file extension for requested file must be xls
if(!fileExtension.equals("xls"))
{
response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
return;
}
try {
Path path = Paths.get("/tmp/" + fileName);
byte[] data = Files.readAllBytes(path);
response.setHeader("Content-Disposition", "inline; filename=" + fileName);
response.setContentType("application/vnd.ms-excel");
response.setContentLength(data.length);
try {
ServletOutputStream outputStream = response.getOutputStream();
outputStream.write(data);
outputStream.flush();
} catch (Exception e) {
}
} catch (Exception e) {
}
}
User only can download file with .xls extension in tmp folder. the problem with this code is that user can change directory and download other .xls files in other directories. for example if there is a file in this path /tmp/tmp2/ab.xls user can download the file with calling this url http://myserver.mydomain:myport/mycontext/file?name=tmp2/ab.xls that is a security hole. what is the best way for checking name that I give from user is a file name? (not directory/filename or ../filename or another dangerous path )
Path tmpPath = Paths.get("/tmp/"); //valid directory
String fileName = "foo/bar.xls"; //supplied fileName
Path filePath = tmpPath.resolve(fileName); //add fileName to path
Path fileParent = filePath.getParent(); //get parent directory
System.out.println(fileParent);
System.out.println(tmpPath.equals(fileParent)); //false because fileParent is '/tmp/foo'
'tmpPath' will be equals 'fileParent' if you supply a valid fileName like 'bar.xls'.
I think you can also simplify the extension checking: filePath.endsWith(".xls"); should be enough. And don't concatenate file paths ("/tmp/" + fileName). Paths.get("/tmp", fileName) will do that for you.
Related
Can a java.nio.file.FileSystem be created for a zip file that's inside a zip file?
If so, what does the URI look like?
If not, I'm presuming I'll have to fall back to using ZipInputStream.
I'm trying to recurse into the method below. Current implementation creates a URI "jar:jar:...". I know that's wrong (and a potentially traumatic reminder of a movie character). What should it be?
private static void traverseZip(Path zipFile ) {
// Example: URI uri = URI.create("jar:file:/codeSamples/zipfs/zipfstest.zip");
String sURI = "jar:" + zipFile.toUri().toString();
URI uri = URI.create(sURI);
Map<String, String> env = new HashMap<>();
try (FileSystem fs = FileSystems.newFileSystem(uri, env)) {
Iterable<Path> rootDirs = fs.getRootDirectories();
for (Path rootDir : rootDirs) {
traverseDirectory(rootDir ); // Recurses back into this method for ZIP files
}
} catch (IOException e) {
System.err.println(e);
}
}
You can use FileSystem.getPath to return a Path suitable for use with another FileSystems.newFileSystem call which opens the nested ZIP/archive.
For example this code opens a war file and reads the contents of the inner jar file:
Path war = Path.of("webapps.war");
String pathInWar = "WEB-INF/lib/some.jar";
try (FileSystem fs = FileSystems.newFileSystem(war)) {
Path jar = fs.getPath(pathInWar);
try (FileSystem inner = FileSystems.newFileSystem(jar)) {
for (Path root : inner.getRootDirectories()) {
try (Stream<Path> stream = Files.find(root, Integer.MAX_VALUE, (p,a) -> true)) {
stream.forEach(System.out::println);
}
}
}
}
Note also that you code can pass in zipFile without changing to URI:
try (FileSystem fs = FileSystems.newFileSystem(zipFile, env)) {
I have an application which is an API on a server (say 192.168.0.2), to which files (of any format) can be uploaded or from which they can be downloaded.
If an application on another machine on the network (say 192.196.0.3) wants to upload a file to the API, it passes the information in a JSON Object e.g. { "FILE_LOCATION":"file:/192.168.0.3/c:/testDocs/testFile.docx" }
The code in the api goes roughly:
private static void doPost (HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException
{
String errorMessage = "";
try
{
String src = request.getParameter ("src");
Object obj = jsonParser.parse (src);
JSONObject jsonObj = (JSONObject) obj;
String fileLocation = (String) jsonObj.get ("FILE_LOCATION");
URI uri = new URI (fileLocation);
URL url = uri.toURL (); // get URL from your uri object
URLConnection urlConnection = url.openConnection ();
InputStream is = urlConnection.getInputStream ();
System.out.println ("InputStream = " + is);
if (is != null)
{
// create output file, output stream etc
}
}
catch (Exception e)
{
errorMessage = e.getMessage ();
System.out.println (e.getClass().getName () + " : " + errorMessage);
}
PrintWriter pw = response.getWriter ();
pw.append (errorMessage);
}
The system log invariably shows something like:
"java.io.FileNotFoundException : 192.168.0.3/c:/testDocs/testFile.docx (No such file or directory)"
What am I doing wrong? I am convinced that the fault lies in the way I have constructed the String which will be used to create the URI.
That does not look like a valid file: URL. On Windows you could try to check if a file is accessible from a remote server if dir works in CMD.EXE. For example, try UNC pathname:
dir \\IP_OR_HOSTNAME\NAMEOFSHARE\path\etc\filename.xyz
If that works - and that rather depends on whether the remote server is serving that filesystem as NAMEOFSHARE - then the equivalent file: encoding of above would be:
String u = new File("\\\\IP_OR_HOSTNAME\\NAMEOFSHARE\\path\\etc\\filename.xyz").toURL().toString();
==> "file://IP_OR_HOSTNAME/NAMEOFSHARE/path/etc/filename.xyz"
I have Web Application hosted on Linux, contains page to upload .rar file and another page to download it. for upload function working fine and file uploaded successfully to server but for download it gives me below exception:
[servelt.scriptdownloadservelt] in context with path [/OSS-CPE-Tracker] threw exception
java.io.FileNotFoundException: \usr\local\apache-tomcat-8.5.31\OSS-CPE-Tracker\Zaky\QCAM.rar (No such file or directory)
I used below funcation to make upload:
String destDir = "/usr/local/apache-tomcat-8.5.31/OSS-CPE-Tracker/Zaky";
for (FileItem item : multiparts) {
if (!item.isFormField()) {
String name = new File(item.getName()).getName();
if(name.equalsIgnoreCase("QCAM.rar")) {
File destFile = new File(destDir, "QCAM.rar");
if (destFile.exists()) {
destFile.delete();
}
item.write(new File("/usr/local/apache-tomcat-8.5.31/OSS-CPE-Tracker/Zaky" + File.separator + name));
request.setAttribute("gurumessage", "File Uploaded Successfully");
}else {
request.setAttribute("gurumessage", "Kindly use the agreed name");
}
and here function for download that i face issue on it and above exception appear:
response.setContentType("text/html");
PrintWriter out = response.getWriter();
String gurufile = "QCAM.rar\\";
String gurupath = "\\usr\\local\\apache-tomcat-8.5.31\\OSS-CPE-Tracker\\Zaky";
response.setContentType("APPLICATION/OCTET-STREAM");
response.setHeader("Content-Disposition", "attachment; filename=\""
+ gurufile + "\"");
FileInputStream fileInputStream = new FileInputStream(gurupath
+ gurufile);
int i;
while ((i = fileInputStream.read()) != -1) {
out.write(i);
}
fileInputStream.close();
out.close();
The only reason for this error is that file cannot be found under that path.
Please verify the path
String gurufile = "QCAM.rar\\";
String gurupath = "\\usr\\local\\apache-tomcat-8.5.31\\OSS-CPE-Tracker\\Zaky";
// <...>
FileInputStream fileInputStream = new FileInputStream(gurupath
+ gurufile);
In unix systems file path is resolved using forward slash / and not a backslash \.
Try changing to the same value as your upload script:
FileInputStream fileInputStream = new FileInputStream("/usr/local/apache-tomcat-8.5.31/OSS-CPE-Tracker/Zaky/QCAM.rar")
That should do
I am using the below method to download the file from server now for few files with extensions (".png",".txt",".pdf") the files are downloading correctly but where as for (".exe") the file is downloading as f.txt may i know what's wrong with this code.For .exe files the content is being written to a "f.txt" file . I am also usoing Files.probeContentType(file.toPath()); to determine the media type and setting it in content type of respnse entity.Thanks in advance! :).
the media type where extension changing is application/x-msdownload
public ResponseEntity<InputStreamResource> getFileFromDisk(String filename) throws IOException {
ResponseEntity<InputStreamResource> filedata = null;
String file_path = "/e:/filesfolder/" + filename;
String fileType = "Undetermined";
final File file = new File(file_path);
fileType = Files.probeContentType(file.toPath());
System.out.println(fileType);
InputStreamResource resource = new InputStreamResource(new FileInputStream(file_path));
String file_checksum = checksumcalc.calculateChecksum(file_path);
filedata = ResponseEntity.ok().header("Md5", file_checksum)
.contentType(MediaType.parseMediaType(fileType)).body(resource);
return filedata;
}
To avoid the f.txt issue, you have to define the Content-disposition header to specify the filename of the attachment.
For example :
filedata = ResponseEntity.ok()
.header("Content-disposition", "attachment; filename=" + fileName)
.header("Md5", file_checksum)
.contentType(MediaType.parseMediaType(fileType)).body(resource);
I am hosting a website on Tomcat server. The application uses Struts 1.1 and Spring for all its operations. I have a page that is used for uploading files to the server.
When user uploads any file it is successfully uploaded but gives a 404 error when tried to retrieve. I checked the file using SSH login, the uploaded file is present in that location. I am scratching my head over this problem from past 4 days but no solution. Its works properly without any problems in my local machine. The problem in there in the deployment.
An Important note: From SSH login, If i try to move that file to some other location and then place it back to its original location, i am able to retrieve the file..!!! I don't know why but I can't do this for every file uploaded by the user. So i modified the my code so that the file is uploaded to a temp location first and then moving it to the correct location. But even this is not working.
FileOutputStream outputStream = null;
FormFile formFile = null;
String tempFilePath = getServlet().getServletContext()
.getRealPath("/")
+ "uploads"
+ System.getProperty("file.separator") + "temp";
try
{
formFile = uploadForm.getFile();
boolean errorflag = false;
if(formFile.getFileSize() > 10660000)
{
request.setAttribute("error",
"File size cannot exceed 10MB!");
errorflag = true;
}
else
{
errorflag = validateFileUpload(request,
formFile, errorflag);
}
if(errorflag)
{
return gotoKnowledgeSharingPage(mapping,
request, actionHelper, session, userid,
instid);
}
File folder = new File(tempFilePath);
if(!folder.exists())
{
folder.mkdir();
}
outputStream = new FileOutputStream(new File(
tempFilePath, formFile.getFileName()));
outputStream.write(formFile.getFileData());
}
finally
{
if(outputStream != null)
{
outputStream.flush();
outputStream.close();
}
}
String finalFilePath = getServlet().getServletContext()
.getRealPath("/")
+ "uploads"
+ System.getProperty("file.separator")
+ session.getAttribute("userid");
//+ System.getProperty("file.separator")
// + formFile.getFileName();
File oldPath = new File(tempFilePath
+ System.getProperty("file.separator")
+ formFile.getFileName());
// Move file to new directory
File newPath = new File(finalFilePath);
if(!newPath.exists())
{
newPath.mkdir();
}
boolean success = oldPath.renameTo(new File(
finalFilePath, formFile.getFileName()));
if(success)
{
actionHelper.insertIntoUploadTable(userid,
knowledgeForm, formFile.getFileName());
}
else
{
if(oldPath.exists())
{
oldPath.delete();
}
}