diff --git a/NOTICE.txt b/NOTICE.txt index b72a5176ade817a56035518a84ed5794f2effc6e..5038a44c89ef5f5835330e34886a45583d87c370 100644 --- a/NOTICE.txt +++ b/NOTICE.txt @@ -1,5 +1,5 @@ Apache Commons FileUpload -Copyright 2002-2016 The Apache Software Foundation +Copyright 2002-2017 The Apache Software Foundation This product includes software developed at The Apache Software Foundation (http://www.apache.org/). diff --git a/RELEASE-NOTES.txt b/RELEASE-NOTES.txt index bc33acb933b13eb617f5b4838892a0db5d20bf30..ac7e3c164309e00729dc5363a659183ab7d51dfc 100644 --- a/RELEASE-NOTES.txt +++ b/RELEASE-NOTES.txt @@ -1,16 +1,16 @@ - Apache Commons FileUpload 1.3.2 RELEASE NOTES + Apache Commons FileUpload 1.3.3 RELEASE NOTES -The Apache Commons FileUpload team is pleased to announce the release of Apache Commons FileUpload 1.3.2. +The Apache Commons FileUpload team is pleased to announce the release of Apache Commons FileUpload 1.3.3. The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications. Version 1.3 onwards requires Java 5 or later. -No client code changes are required to migrate from version 1.3.1 to 1.3.2. +No client code changes are required to migrate from version 1.3.0, 1.3.1, or 1.3.2, to 1.3.3 -Changes in version 1.3.2 include: +Changes in version 1.3.3 include: -o FILEUPLOAD-272: Performance Improvement in MultipartStream +o FILEUPLOAD-279: DiskFileItem can no longer be deserialized, unless a particular system property is set. For complete information on Apache Commons FileUpload, including instructions on how to submit bug reports, diff --git a/pom.xml b/pom.xml index 12ccb014bf2659067b9ee56882926ce6d9afbbc3..154f19c92221f03aa8134c75745f9c6dcc32745d 100644 --- a/pom.xml +++ b/pom.xml 
@@ -21,12 +21,12 @@ <parent> <groupId>org.apache.commons</groupId> <artifactId>commons-parent</artifactId> - <version>40</version> + <version>41</version> </parent> <groupId>commons-fileupload</groupId> <artifactId>commons-fileupload</artifactId> - <version>1.3.2</version> + <version>1.3.3</version> <name>Apache Commons FileUpload</name> <description> @@ -97,6 +97,12 @@ <email>ggregory@apache.org</email> <organization /> </developer> + <developer> + <name>Rob Tompkins</name> + <id>chtompki</id> + <email>chtompki@apache.org</email> + <organization /> + </developer> </developers> <contributors> @@ -167,9 +173,10 @@ </contributors> <scm> - <connection>scm:svn:http://svn.apache.org/repos/asf/commons/proper/fileupload/tags/FILEUPLOAD_1_3_2</connection> - <developerConnection>scm:svn:https://svn.apache.org/repos/asf/commons/proper/fileupload/tags/FILEUPLOAD_1_3_2</developerConnection> - <url>http://svn.apache.org/viewvc/commons/proper/fileupload/tags/FILEUPLOAD_1_3_2</url> + <connection>scm:git:http://git-wip-us.apache.org/repos/asf/commons-fileupload.git</connection> + <developerConnection>scm:git:https://git-wip-us.apache.org/repos/asf/commons-fileupload.git</developerConnection> + <url>https://git-wip-us.apache.org/repos/asf?p=commons-fileupload.git</url> + <tag>commons-fileupload-1.3.3-RC6</tag> </scm> <issueManagement> <system>jira</system> 
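Review bot: The new read-only `<connection>` in the `<scm>` block uses plain `http`, so a checkout through that URL has no transport integrity, while `<developerConnection>` on the same host and path already uses `https`. I would use `scm:git:https://git-wip-us.apache.org/repos/asf/commons-fileupload.git` for both entries. Separately, the committed `<tag>commons-fileupload-1.3.3-RC6</tag>` looks like release-plugin residue and disagrees with `<commons.rc.version>RC1</commons.rc.version>` in the properties hunk that follows; confirm which release candidate is intended.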
@@ -181,13 +188,14 @@ <maven.compiler.target>1.5</maven.compiler.target> <maven.compile.encoding>ISO-8859-1</maven.compile.encoding> <commons.componentid>fileupload</commons.componentid> - <commons.release.version>1.3.2</commons.release.version> + <commons.release.version>1.3.3</commons.release.version> <commons.rc.version>RC1</commons.rc.version> <commons.jira.id>FILEUPLOAD</commons.jira.id> <commons.jira.pid>12310476</commons.jira.pid> <commons.osgi.export>!org.apache.commons.fileupload.util.mime,org.apache.commons.*;version=${project.version};-noimport:=true</commons.osgi.export> <commons.osgi.import>!javax.portlet,*</commons.osgi.import> <commons.osgi.dynamicImport>javax.portlet</commons.osgi.dynamicImport> + <project.scm.id>git-wip-us.apache.org</project.scm.id> </properties> <dependencies> @@ -232,12 +240,19 @@ <artifactId>maven-release-plugin</artifactId> <configuration> <preparationGoals>clean site verify</preparationGoals> - <goals>deploy</goals> + <goals>clean site deploy</goals> </configuration> </plugin> </plugins> <pluginManagement> <plugins> + <plugin> + <groupId>org.apache.maven.plugins</groupId> + <artifactId>maven-release-plugin</artifactId> + <configuration> + <tagBase>https://svn.apache.org/repos/asf/commons/proper/fileupload/tags</tagBase> + </configuration> + </plugin> <!--This plugin's configuration is used to store Eclipse m2e settings only. It has no influence on the Maven build itself.--> <plugin> <groupId>org.eclipse.m2e</groupId> @@ -320,5 +335,4 @@ </plugin> </plugins> </reporting> - </project> diff --git a/src/changes/changes.xml b/src/changes/changes.xml index bc1b9216021cfbccd6f45308cfc7078a638b1b4c..73f26132ae3f264beee0c5b6068a2622b1f90c33 100644 --- a/src/changes/changes.xml +++ b/src/changes/changes.xml 
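Review bot: The `maven-release-plugin` entry added under `<pluginManagement>` sets `<tagBase>` to the Subversion tags URL, although this same commit moves the `<scm>` section to git. `tagBase` is only meaningful for svn-style repository layouts, so the block appears to be dead configuration that misstates where release tags live, which matters to anyone verifying a release against its tag. If tags are now created in the git repository, drop the `<tagBase>` configuration; if svn tagging is still intended, the `<scm>` URLs should not have changed.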
@@ -43,7 +43,13 @@ The <action> type attribute can be add,update,fix,remove. </properties> <body> - <release version="1.3.2" description="Bugfix release for 1.3.1" date="tba"> + <release version="1.3.3" description="Bugfix release for 1.3.2" date="tba"> + <action issue="FILEUPLOAD-279" dev="jochen" type="fix"> + DiskDileItem can actually no longer be deserialized, unless a system property is set to true. + </action> + </release> + + <release version="1.3.2" description="Bugfix release for 1.3.1" date="2016.05-26"> <action issue="FILEUPLOAD-272" dev="jochen" type="update"> Performance Improvement in MultipartStream </action> diff --git a/src/changes/release-notes.vm b/src/changes/release-notes.vm index ddcbff70cbe7f8a0f72474fd48cb16d114be8c2c..5b2f54710965beeff83f5b20e68eea9683a4b363 100644 --- a/src/changes/release-notes.vm +++ b/src/changes/release-notes.vm @@ -22,7 +22,7 @@ The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications. Version 1.3 onwards requires Java 5 or later. -No client code changes are required to migrate from version 1.3.0 to 1.3.1. +No client code changes are required to migrate from version 1.3.0, 1.3.1, or 1.3.2 to 1.3.3. ## N.B. the available variables are described here: diff --git a/src/main/assembly/bin.xml b/src/main/assembly/bin.xml index d536d6ee90e8c55cb5c1fffa7b6d45c0e7f2be16..353e51aa84d7ea98a2ee54c950b9f3fb041c17f1 100644 --- a/src/main/assembly/bin.xml +++ b/src/main/assembly/bin.xml 
@@ -30,14 +30,19 @@ <includes> <include>LICENSE.txt</include> <include>NOTICE.txt</include> + <include>RELEASE-NOTES.txt</include> </includes> </fileSet> <fileSet> - <directory>${project.build.directory}</directory> - <outputDirectory>lib</outputDirectory> + <directory>target</directory> + <outputDirectory></outputDirectory> <includes> - <include>${project.build.finalName}.jar</include> + <include>*.jar</include> </includes> </fileSet> + <fileSet> + <directory>target/site/apidocs</directory> + <outputDirectory>apidocs</outputDirectory> + </fileSet> </fileSets> </assembly> diff --git a/src/main/java/org/apache/commons/fileupload/DefaultFileItem.java b/src/main/java/org/apache/commons/fileupload/DefaultFileItem.java index 0265dd9e6db18738d39ecb658035cd172e3cab07..c5e4c8ca989035e64fc13a208f4d5d5ce765a014 100644 --- a/src/main/java/org/apache/commons/fileupload/DefaultFileItem.java +++ b/src/main/java/org/apache/commons/fileupload/DefaultFileItem.java @@ -32,7 +32,7 @@ import org.apache.commons.fileupload.disk.DiskFileItem; * {@link #getInputStream()} and process the file without attempting to load * it into memory, which may come handy with large files. * - * @version $Id: DefaultFileItem.java 1454690 2013-03-09 12:08:48Z simonetripodi $ + * @version $Id$ * * @deprecated 1.1 Use <code>DiskFileItem</code> instead. */ diff --git a/src/main/java/org/apache/commons/fileupload/DefaultFileItemFactory.java b/src/main/java/org/apache/commons/fileupload/DefaultFileItemFactory.java index ea3806282e5793672a66bff947dcd969e07addd4..6fecb37c1bed323d6d0e1f68aa4b8266ad0eeb1b 100644 --- a/src/main/java/org/apache/commons/fileupload/DefaultFileItemFactory.java +++ b/src/main/java/org/apache/commons/fileupload/DefaultFileItemFactory.java 
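Review bot: The rewritten `<fileSet>` matches `*.jar` in a hard-coded `target` directory and places the matches in the archive root, so every jar present in the build directory at packaging time, including leftovers from an earlier build, ends up in the binary distribution. Keeping `<directory>${project.build.directory}</directory>` and naming the artifacts that are meant to ship, for example `<include>${project.build.finalName}.jar</include>` plus explicit entries for any classifier jars, makes the release contents deterministic and reviewable. If the wildcard is deliberate, a comment listing the expected jars would help whoever checks the release archive.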
@@ -36,7 +36,7 @@ import org.apache.commons.fileupload.disk.DiskFileItemFactory; * <code>System.getProperty("java.io.tmpdir")</code>.</li> * </ul> * - * @version $Id: DefaultFileItemFactory.java 1743630 2016-05-13 09:20:45Z jochen $ + * @version $Id$ * * @deprecated 1.1 Use <code>DiskFileItemFactory</code> instead. */ diff --git a/src/main/java/org/apache/commons/fileupload/DiskFileUpload.java b/src/main/java/org/apache/commons/fileupload/DiskFileUpload.java index 97f3c9bf7f36f969ad8d689e047aa17149fc3ef1..3b4c212017da71daebef2bfafd1ab5cdaa5bc189 100644 --- a/src/main/java/org/apache/commons/fileupload/DiskFileUpload.java +++ b/src/main/java/org/apache/commons/fileupload/DiskFileUpload.java @@ -34,7 +34,7 @@ import javax.servlet.http.HttpServletRequest; * depending on their size, and will be available as {@link * org.apache.commons.fileupload.FileItem}s.</p> * - * @version $Id: DiskFileUpload.java 1454690 2013-03-09 12:08:48Z simonetripodi $ + * @version $Id$ * * @deprecated 1.1 Use <code>ServletFileUpload</code> together with * <code>DiskFileItemFactory</code> instead. diff --git a/src/main/java/org/apache/commons/fileupload/FileItem.java b/src/main/java/org/apache/commons/fileupload/FileItem.java index d1b5c18cd07213094c91228e925c30fb98e7d738..484719f2e24f4aa866e15ab3ab300819f8956fae 100644 --- a/src/main/java/org/apache/commons/fileupload/FileItem.java +++ b/src/main/java/org/apache/commons/fileupload/FileItem.java @@ -43,7 +43,7 @@ import java.io.UnsupportedEncodingException; * implementation of this interface to also implement * <code>javax.activation.DataSource</code> with minimal additional work. * - * @version $Id: FileItem.java 1454690 2013-03-09 12:08:48Z simonetripodi $ + * @version $Id$ * @since 1.3 additionally implements FileItemHeadersSupport */ public interface FileItem extends Serializable, FileItemHeadersSupport { 
diff --git a/src/main/java/org/apache/commons/fileupload/FileItemFactory.java b/src/main/java/org/apache/commons/fileupload/FileItemFactory.java index 1e60b1847d2349465a7a20a2654440808ff23145..a576a331c588976adaa9f5519bbdb33eb2c8797d 100644 --- a/src/main/java/org/apache/commons/fileupload/FileItemFactory.java +++ b/src/main/java/org/apache/commons/fileupload/FileItemFactory.java @@ -21,7 +21,7 @@ package org.apache.commons.fileupload; * can provide their own custom configuration, over and above that provided * by the default file upload implementation.</p> * - * @version $Id: FileItemFactory.java 1454690 2013-03-09 12:08:48Z simonetripodi $ + * @version $Id$ */ public interface FileItemFactory { diff --git a/src/main/java/org/apache/commons/fileupload/FileItemIterator.java b/src/main/java/org/apache/commons/fileupload/FileItemIterator.java index 6c71cad4ff8c467fd6401a827e183e59f8208bc4..6c4e6287b718ebedf7db8641568467a1fbba9b2f 100644 --- a/src/main/java/org/apache/commons/fileupload/FileItemIterator.java +++ b/src/main/java/org/apache/commons/fileupload/FileItemIterator.java @@ -22,7 +22,7 @@ import java.io.IOException; * An iterator, as returned by * {@link FileUploadBase#getItemIterator(RequestContext)}. * - * @version $Id: FileItemIterator.java 1454691 2013-03-09 12:15:54Z simonetripodi $ + * @version $Id$ */ public interface FileItemIterator { diff --git a/src/main/java/org/apache/commons/fileupload/FileItemStream.java b/src/main/java/org/apache/commons/fileupload/FileItemStream.java index ef49b60e6b350c50c90fa81ae3e5c81aa9ba1fa9..fbb4abcbca005d23caf281b2a36c7bdc38886382 100644 --- a/src/main/java/org/apache/commons/fileupload/FileItemStream.java +++ b/src/main/java/org/apache/commons/fileupload/FileItemStream.java 
@@ -31,7 +31,7 @@ import java.io.InputStream; * {@link java.util.Iterator#hasNext()} on the iterator, you discard all data, * which hasn't been read so far from the previous data.</p> * - * @version $Id: FileItemStream.java 1454691 2013-03-09 12:15:54Z simonetripodi $ + * @version $Id$ */ public interface FileItemStream extends FileItemHeadersSupport { diff --git a/src/main/java/org/apache/commons/fileupload/FileUpload.java b/src/main/java/org/apache/commons/fileupload/FileUpload.java index 7eb19ed41fb956029f8c1531cbdc6d10a56a85dd..d70cef552a2d0528e50b3e1b34630fab19c211fd 100644 --- a/src/main/java/org/apache/commons/fileupload/FileUpload.java +++ b/src/main/java/org/apache/commons/fileupload/FileUpload.java @@ -30,7 +30,7 @@ package org.apache.commons.fileupload; * used to create them; a given part may be in memory, on disk, or somewhere * else.</p> * - * @version $Id: FileUpload.java 1454690 2013-03-09 12:08:48Z simonetripodi $ + * @version $Id$ */ public class FileUpload extends FileUploadBase { diff --git a/src/main/java/org/apache/commons/fileupload/FileUploadBase.java b/src/main/java/org/apache/commons/fileupload/FileUploadBase.java index 6f2cdd64f7cd8b03de205cc1d3676e5ce8ed9e89..b567bd93e2290ca7b14d7768edee3968d19f18b5 100644 --- a/src/main/java/org/apache/commons/fileupload/FileUploadBase.java +++ b/src/main/java/org/apache/commons/fileupload/FileUploadBase.java @@ -53,7 +53,7 @@ import org.apache.commons.fileupload.util.Streams; * used to create them; a given part may be in memory, on disk, or somewhere * else.</p> * - * @version $Id: FileUploadBase.java 1743630 2016-05-13 09:20:45Z jochen $ + * @version $Id$ */ public abstract class FileUploadBase { diff --git a/src/main/java/org/apache/commons/fileupload/FileUploadException.java b/src/main/java/org/apache/commons/fileupload/FileUploadException.java index 799b43c41d6750850e4d09ade9fe8b4f20691b76..1c66cb8ab2668527caa75ba97e664203f2ea4063 100644 
--- a/src/main/java/org/apache/commons/fileupload/FileUploadException.java +++ b/src/main/java/org/apache/commons/fileupload/FileUploadException.java @@ -22,7 +22,7 @@ import java.io.PrintWriter; /** * Exception for errors encountered while processing the request. * - * @version $Id: FileUploadException.java 1454690 2013-03-09 12:08:48Z simonetripodi $ + * @version $Id$ */ public class FileUploadException extends Exception { diff --git a/src/main/java/org/apache/commons/fileupload/InvalidFileNameException.java b/src/main/java/org/apache/commons/fileupload/InvalidFileNameException.java index 6b930ece13c8ce7038183b0b4c9e7aaf9d1ca1d2..e58f6e8db1d16822e000884598577900a1f8e333 100644 --- a/src/main/java/org/apache/commons/fileupload/InvalidFileNameException.java +++ b/src/main/java/org/apache/commons/fileupload/InvalidFileNameException.java @@ -26,7 +26,7 @@ package org.apache.commons.fileupload; * C library, it might create a file named "foo.exe", as the NUL * character is the string terminator in C. * - * @version $Id: InvalidFileNameException.java 1454691 2013-03-09 12:15:54Z simonetripodi $ + * @version $Id$ */ public class InvalidFileNameException extends RuntimeException { diff --git a/src/main/java/org/apache/commons/fileupload/MultipartStream.java b/src/main/java/org/apache/commons/fileupload/MultipartStream.java index 7007c7b7f5f0fb2692e3bba82864ca20d74dbdf2..045dac35c45c483530794838ed81ce5025f1602e 100644 --- a/src/main/java/org/apache/commons/fileupload/MultipartStream.java +++ b/src/main/java/org/apache/commons/fileupload/MultipartStream.java @@ -81,7 +81,7 @@ import org.apache.commons.fileupload.util.Streams; * } * </pre> * - * @version $Id: MultipartStream.java 1745065 2016-05-22 14:56:37Z britter $ + * @version $Id$ */ public class MultipartStream { 
diff --git a/src/main/java/org/apache/commons/fileupload/ParameterParser.java b/src/main/java/org/apache/commons/fileupload/ParameterParser.java index 892684cc76b30ca5a3b616f64fc34c9f99476fbd..3db521a141d92dcc6c78b9603a0c707cf10dd61b 100644 --- a/src/main/java/org/apache/commons/fileupload/ParameterParser.java +++ b/src/main/java/org/apache/commons/fileupload/ParameterParser.java @@ -34,7 +34,7 @@ import org.apache.commons.fileupload.util.mime.MimeUtility; * <code>param1 = value; param2 = "anything goes; really"; param3</code> * </p> * - * @version $Id: ParameterParser.java 1565253 2014-02-06 13:48:16Z ggregory $ + * @version $Id$ */ public class ParameterParser { diff --git a/src/main/java/org/apache/commons/fileupload/ProgressListener.java b/src/main/java/org/apache/commons/fileupload/ProgressListener.java index e65e3620dfadc38c1153bed3621d736696d93478..30d72095f3dc0e197bc458b3995ec0f9761019f6 100644 --- a/src/main/java/org/apache/commons/fileupload/ProgressListener.java +++ b/src/main/java/org/apache/commons/fileupload/ProgressListener.java @@ -20,7 +20,7 @@ package org.apache.commons.fileupload; * The {@link ProgressListener} may be used to display a progress bar * or do stuff like that. * - * @version $Id: ProgressListener.java 1454691 2013-03-09 12:15:54Z simonetripodi $ + * @version $Id$ */ public interface ProgressListener { diff --git a/src/main/java/org/apache/commons/fileupload/RequestContext.java b/src/main/java/org/apache/commons/fileupload/RequestContext.java index 5812f6197812e7bfae68a7b0e3d7b456756fa396..bd2b83c38bce8cc7ed2945a0bc5090177476c324 100644 --- a/src/main/java/org/apache/commons/fileupload/RequestContext.java +++ b/src/main/java/org/apache/commons/fileupload/RequestContext.java @@ -26,7 +26,7 @@ import java.io.IOException; * * @since FileUpload 1.1 * - * @version $Id: RequestContext.java 1455861 2013-03-13 10:12:09Z simonetripodi $ + * @version $Id$ */ public interface RequestContext { 
diff --git a/src/main/java/org/apache/commons/fileupload/disk/DiskFileItem.java b/src/main/java/org/apache/commons/fileupload/disk/DiskFileItem.java index 550a7ed1a0bea1b0ff039a5b85789e15fed9df67..00eda9533ece18b29b74df95ac4b886b599c3c35 100644 --- a/src/main/java/org/apache/commons/fileupload/disk/DiskFileItem.java +++ b/src/main/java/org/apache/commons/fileupload/disk/DiskFileItem.java @@ -71,11 +71,17 @@ import org.apache.commons.io.output.DeferredFileOutputStream; * * @since FileUpload 1.1 * - * @version $Id: DiskFileItem.java 1565192 2014-02-06 12:14:16Z markt $ + * @version $Id$ */ public class DiskFileItem implements FileItem { + /** + * Although it implements {@link java.io.Serializable}, a DiskFileItem can actually only be deserialized, + * if this System property is true. + */ + public static final String SERIALIZABLE_PROPERTY = DiskFileItem.class.getName() + ".serializable"; + // ----------------------------------------------------- Manifest constants /** @@ -654,6 +660,10 @@ public class DiskFileItem */ private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException { + if (!Boolean.getBoolean(SERIALIZABLE_PROPERTY)) { + throw new IllegalStateException("Property " + SERIALIZABLE_PROPERTY + + " is not true, rejecting to deserialize a DiskFileItem."); + } // read values in.defaultReadObject(); diff --git a/src/main/java/org/apache/commons/fileupload/disk/DiskFileItemFactory.java b/src/main/java/org/apache/commons/fileupload/disk/DiskFileItemFactory.java index 7334338063eb3f74b5aef356bac201134ef359af..7f31ff7a47ef22e0a04c6623e0972ec8008221c9 100644 --- a/src/main/java/org/apache/commons/fileupload/disk/DiskFileItemFactory.java +++ b/src/main/java/org/apache/commons/fileupload/disk/DiskFileItemFactory.java 
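Review bot: The Javadoc on `SERIALIZABLE_PROPERTY` does not say that the switch is a JVM-wide system property, so setting it re-enables DiskFileItem deserialization for every application in the process rather than only the one that needs it. I would extend the comment with something like `Setting this system property to "true" restores the pre-1.3.3 behaviour for the whole JVM; leave it unset unless every source of serialized data in the process is trusted.` Because the constant is public API, the comment should also name the exception that is thrown when the property is not set.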
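Review bot: The guard added at the top of `readObject` throws the unchecked `IllegalStateException`, whereas code calling `ObjectInputStream.readObject()` normally handles `IOException` and `ClassNotFoundException`, so a rejected stream can surface as an unexpected runtime failure instead of a handled deserialization error. `java.io.InvalidObjectException` is the conventional type for refusing a stream and fits the existing `throws IOException` clause: `throw new InvalidObjectException("Property " + SERIALIZABLE_PROPERTY + " is not true, rejecting to deserialize a DiskFileItem.");` (an import may be needed; the import block is outside the hunk). Placing the check before `in.defaultReadObject()` is right, since nothing from the stream is consumed first. The rest of `readObject` lies outside the hunk, and any test that expects the current exception type would need the matching update.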
@@ -67,7 +67,7 @@ import org.apache.commons.io.FileCleaningTracker; * * @since FileUpload 1.1 * - * @version $Id: DiskFileItemFactory.java 1564788 2014-02-05 14:36:41Z markt $ + * @version $Id$ */ public class DiskFileItemFactory implements FileItemFactory { diff --git a/src/main/java/org/apache/commons/fileupload/portlet/PortletFileUpload.java b/src/main/java/org/apache/commons/fileupload/portlet/PortletFileUpload.java index 2c1455d35b8e8b5b28dffb96d0a99823137cf8b1..3564f3fa390aed001481d0a5ecea0d55784c30eb 100644 --- a/src/main/java/org/apache/commons/fileupload/portlet/PortletFileUpload.java +++ b/src/main/java/org/apache/commons/fileupload/portlet/PortletFileUpload.java @@ -46,7 +46,7 @@ import org.apache.commons.fileupload.FileUploadException; * * @since FileUpload 1.1 * - * @version $Id: PortletFileUpload.java 1455537 2013-03-12 14:06:11Z simonetripodi $ + * @version $Id$ */ public class PortletFileUpload extends FileUpload { diff --git a/src/main/java/org/apache/commons/fileupload/portlet/PortletRequestContext.java b/src/main/java/org/apache/commons/fileupload/portlet/PortletRequestContext.java index c2b5d61a5934842041f3483b765d9635974736d4..66a2e5c10410200cc7dceed9e97e68294304a8cc 100644 --- a/src/main/java/org/apache/commons/fileupload/portlet/PortletRequestContext.java +++ b/src/main/java/org/apache/commons/fileupload/portlet/PortletRequestContext.java @@ -32,7 +32,7 @@ import org.apache.commons.fileupload.UploadContext; * * @since FileUpload 1.1 * - * @version $Id: PortletRequestContext.java 1564788 2014-02-05 14:36:41Z markt $ + * @version $Id$ */ public class PortletRequestContext implements UploadContext { diff --git a/src/main/java/org/apache/commons/fileupload/servlet/FileCleanerCleanup.java b/src/main/java/org/apache/commons/fileupload/servlet/FileCleanerCleanup.java index 8e6cbd07bb1272747134dd16f6644fc6b87dd56c..e0aa5e1e819a5c8ee8d702b1a2ffc52dd5294355 100644 --- a/src/main/java/org/apache/commons/fileupload/servlet/FileCleanerCleanup.java 
+++ b/src/main/java/org/apache/commons/fileupload/servlet/FileCleanerCleanup.java @@ -27,7 +27,7 @@ import org.apache.commons.io.FileCleaningTracker; * {@link FileCleaningTracker}'s reaper thread is terminated, * when the web application is destroyed. * - * @version $Id: FileCleanerCleanup.java 1564788 2014-02-05 14:36:41Z markt $ + * @version $Id$ */ public class FileCleanerCleanup implements ServletContextListener { diff --git a/src/main/java/org/apache/commons/fileupload/servlet/ServletFileUpload.java b/src/main/java/org/apache/commons/fileupload/servlet/ServletFileUpload.java index 2ea1fd7471bb9de72302302db770587f513a3837..a7beb6311c061891eb15b3329604c36fe0ad753d 100644 --- a/src/main/java/org/apache/commons/fileupload/servlet/ServletFileUpload.java +++ b/src/main/java/org/apache/commons/fileupload/servlet/ServletFileUpload.java @@ -43,7 +43,7 @@ import org.apache.commons.fileupload.FileUploadException; * used to create them; a given part may be in memory, on disk, or somewhere * else.</p> * - * @version $Id: ServletFileUpload.java 1455949 2013-03-13 14:14:44Z simonetripodi $ + * @version $Id$ */ public class ServletFileUpload extends FileUpload { diff --git a/src/main/java/org/apache/commons/fileupload/servlet/ServletRequestContext.java b/src/main/java/org/apache/commons/fileupload/servlet/ServletRequestContext.java index 622dc5e3db150614f9a3321936d397ce6e319191..4b938469764deae70ad4ea425c4c6b9c45261422 100644 --- a/src/main/java/org/apache/commons/fileupload/servlet/ServletRequestContext.java +++ b/src/main/java/org/apache/commons/fileupload/servlet/ServletRequestContext.java @@ -32,7 +32,7 @@ import org.apache.commons.fileupload.UploadContext; * * @since FileUpload 1.1 * - * @version $Id: ServletRequestContext.java 1564788 2014-02-05 14:36:41Z markt $ + * @version $Id$ */ public class ServletRequestContext implements UploadContext { 
diff --git a/src/main/java/org/apache/commons/fileupload/util/Closeable.java b/src/main/java/org/apache/commons/fileupload/util/Closeable.java index ae5da9c625e699d81c968923d4366ab164d79ccd..dcef1ca0bbaf9e05080c2c3835237dab9ab97ad8 100644 --- a/src/main/java/org/apache/commons/fileupload/util/Closeable.java +++ b/src/main/java/org/apache/commons/fileupload/util/Closeable.java @@ -21,7 +21,7 @@ import java.io.IOException; /** * Interface of an object, which may be closed. * - * @version $Id: Closeable.java 1454691 2013-03-09 12:15:54Z simonetripodi $ + * @version $Id$ */ public interface Closeable { diff --git a/src/main/java/org/apache/commons/fileupload/util/FileItemHeadersImpl.java b/src/main/java/org/apache/commons/fileupload/util/FileItemHeadersImpl.java index d1bc97c4ff0a193c15e0b21e1cbe85d89a85d5a9..c593b9dd666bd6275db7a88c6f8f692423af4ea9 100644 --- a/src/main/java/org/apache/commons/fileupload/util/FileItemHeadersImpl.java +++ b/src/main/java/org/apache/commons/fileupload/util/FileItemHeadersImpl.java @@ -32,7 +32,7 @@ import org.apache.commons.fileupload.FileItemHeaders; * * @since 1.2.1 * - * @version $Id: FileItemHeadersImpl.java 1458379 2013-03-19 16:16:47Z britter $ + * @version $Id$ */ public class FileItemHeadersImpl implements FileItemHeaders, Serializable { diff --git a/src/main/java/org/apache/commons/fileupload/util/LimitedInputStream.java b/src/main/java/org/apache/commons/fileupload/util/LimitedInputStream.java index b2a76dc902c73b2fe4f886e5b05c7b82a931b173..002d7da5fb621d0bdf488457c0cee41f80c5833d 100644 --- a/src/main/java/org/apache/commons/fileupload/util/LimitedInputStream.java +++ b/src/main/java/org/apache/commons/fileupload/util/LimitedInputStream.java 
@@ -24,7 +24,7 @@ import java.io.InputStream; * An input stream, which limits its data size. This stream is * used, if the content length is unknown. * - * @version $Id: LimitedInputStream.java 1565292 2014-02-06 14:51:59Z ggregory $ + * @version $Id$ */ public abstract class LimitedInputStream extends FilterInputStream implements Closeable { diff --git a/src/main/java/org/apache/commons/fileupload/util/Streams.java b/src/main/java/org/apache/commons/fileupload/util/Streams.java index eafd2d08e1a6b1f2bfaae9b660eb3d03cff53856..9e9d58b15b98db77edced30ce6d3f6f39b7acbf8 100644 --- a/src/main/java/org/apache/commons/fileupload/util/Streams.java +++ b/src/main/java/org/apache/commons/fileupload/util/Streams.java @@ -27,7 +27,7 @@ import org.apache.commons.io.IOUtils; /** * Utility class for working with streams. * - * @version $Id: Streams.java 1565332 2014-02-06 16:42:19Z ggregory $ + * @version $Id$ */ public final class Streams { diff --git a/src/site/fml/faq.fml b/src/site/fml/faq.fml index 15bfc76536141bfb62a8bee90897e4532df80578..44ed791004b24bdc941d6954ef44ecd698cc6b7b 100644 --- a/src/site/fml/faq.fml +++ b/src/site/fml/faq.fml 
@@ -174,4 +174,42 @@ try { </faq> </part> + <part id="security"> + <title>FileUpload and Flash</title> + + <faq id="diskfileitem-serializable"> + <question> I have read, that there is a security problem in Commons FileUpload, because there is a class called + DiskFileItem, which can be used for malicious attacks. + </question> + <answer> + <p> + It is true, that this class exists, and can be serialized/deserialized in FileUpload versions, up to, and + including 1.3.2. It is also true, that a malicious attacker can abuse this possibility to create abitraryly + located files (assuming the required permissions) with arbitrary contents, if he gets the opportunity to + provide specially crafted data, which is being deserialized by a Java application, which has either of the + above versions of Commons FileUpload in the classpath, and which puts no limitations on the classes being + deserialized. + </p> + <p> + That being said, we (the Apache Commons team) hold the view, that the actual problem is not the DiskFileItem + class, but the "if" in the previous sentence. A Java application should carefully consider, which classes + can be deserialized. A typical approach would be, for example, to provide a blacklist, or whitelist of + packages, and/or classes, which may, or may not be deserialized. + </p> + <p> + On the other hand, we acknowledge, that the likelyhood of application container vendors taking such a + simple security measure is extremely low. So, in order to support the Commons Fileupload users, we have + decided to choose a different approach: + </p> + <p> + Beginning with 1.3.3, the class DiskFileItem is still implementing the interface java.io.Serializable. + In other words, it still declares itself as serializable, and deserializable to the JVM. In practice, + however, an attempt to deserialize an instance of DiskFileItem will trigger an Exception. 
In the unlikely + case, that your application depends on the deserialization of DiskFileItems, you can revert to the + previous behaviour by setting the system property "org.apache.commons.fileupload.disk.DiskFileItem.serializable" + to "true". + </p> + </answer> + </faq> + </part> </faqs> diff --git a/src/site/xdoc/download_fileupload.xml b/src/site/xdoc/download_fileupload.xml index ae4a5e6b38818b45d214d17246672e95b0bbe7f2..ec57a1f1dc87db218dd99328c0ec176b609fc86b 100644 --- a/src/site/xdoc/download_fileupload.xml +++ b/src/site/xdoc/download_fileupload.xml 
@@ -111,32 +111,32 @@ limitations under the License. </p> </subsection> </section> - <section name="Apache Commons FileUpload 1.3.2 "> + <section name="Apache Commons FileUpload 1.3.3 "> <subsection name="Binaries"> <table> <tr> - <td><a href="[preferred]/commons/fileupload/binaries/commons-fileupload-1.3.2-bin.tar.gz">commons-fileupload-1.3.2-bin.tar.gz</a></td> - <td><a href="https://www.apache.org/dist/commons/fileupload/binaries/commons-fileupload-1.3.2-bin.tar.gz.md5">md5</a></td> - <td><a href="https://www.apache.org/dist/commons/fileupload/binaries/commons-fileupload-1.3.2-bin.tar.gz.asc">pgp</a></td> + <td><a href="[preferred]/commons/fileupload/binaries/commons-fileupload-1.3.3-bin.tar.gz">commons-fileupload-1.3.3-bin.tar.gz</a></td> + <td><a href="https://www.apache.org/dist/commons/fileupload/binaries/commons-fileupload-1.3.3-bin.tar.gz.md5">md5</a></td> + <td><a href="https://www.apache.org/dist/commons/fileupload/binaries/commons-fileupload-1.3.3-bin.tar.gz.asc">pgp</a></td> </tr> <tr> - <td><a href="[preferred]/commons/fileupload/binaries/commons-fileupload-1.3.2-bin.zip">commons-fileupload-1.3.2-bin.zip</a></td> - <td><a href="https://www.apache.org/dist/commons/fileupload/binaries/commons-fileupload-1.3.2-bin.zip.md5">md5</a></td> - <td><a href="https://www.apache.org/dist/commons/fileupload/binaries/commons-fileupload-1.3.2-bin.zip.asc">pgp</a></td> + <td><a href="[preferred]/commons/fileupload/binaries/commons-fileupload-1.3.3-bin.zip">commons-fileupload-1.3.3-bin.zip</a></td> + <td><a href="https://www.apache.org/dist/commons/fileupload/binaries/commons-fileupload-1.3.3-bin.zip.md5">md5</a></td> + <td><a href="https://www.apache.org/dist/commons/fileupload/binaries/commons-fileupload-1.3.3-bin.zip.asc">pgp</a></td> </tr> </table> </subsection> <subsection name="Source"> <table> <tr> - <td><a href="[preferred]/commons/fileupload/source/commons-fileupload-1.3.2-src.tar.gz">commons-fileupload-1.3.2-src.tar.gz</a></td> - <td><a 
href="https://www.apache.org/dist/commons/fileupload/source/commons-fileupload-1.3.2-src.tar.gz.md5">md5</a></td> - <td><a href="https://www.apache.org/dist/commons/fileupload/source/commons-fileupload-1.3.2-src.tar.gz.asc">pgp</a></td> + <td><a href="[preferred]/commons/fileupload/source/commons-fileupload-1.3.3-src.tar.gz">commons-fileupload-1.3.3-src.tar.gz</a></td> + <td><a href="https://www.apache.org/dist/commons/fileupload/source/commons-fileupload-1.3.3-src.tar.gz.md5">md5</a></td> + <td><a href="https://www.apache.org/dist/commons/fileupload/source/commons-fileupload-1.3.3-src.tar.gz.asc">pgp</a></td> </tr> <tr> - <td><a href="[preferred]/commons/fileupload/source/commons-fileupload-1.3.2-src.zip">commons-fileupload-1.3.2-src.zip</a></td> - <td><a href="https://www.apache.org/dist/commons/fileupload/source/commons-fileupload-1.3.2-src.zip.md5">md5</a></td> - <td><a href="https://www.apache.org/dist/commons/fileupload/source/commons-fileupload-1.3.2-src.zip.asc">pgp</a></td> + <td><a href="[preferred]/commons/fileupload/source/commons-fileupload-1.3.3-src.zip">commons-fileupload-1.3.3-src.zip</a></td> + <td><a href="https://www.apache.org/dist/commons/fileupload/source/commons-fileupload-1.3.3-src.zip.md5">md5</a></td> + <td><a href="https://www.apache.org/dist/commons/fileupload/source/commons-fileupload-1.3.3-src.zip.asc">pgp</a></td> </tr> </table> </subsection> diff --git a/src/site/xdoc/index.xml b/src/site/xdoc/index.xml index 1a99d22ebce9cf54fee5638a8f937ff2fe23fab8..c9c014802632d9471b24ba679550e7fb6cb33ff8 100644 --- a/src/site/xdoc/index.xml +++ b/src/site/xdoc/index.xml 
@@ -67,16 +67,28 @@ <section name="Downloading"> <subsection name="Full Releases"> - <p><strong>FileUpload 1.3</strong> - 27 March 2013</p> + <p><strong>FileUpload 1.3.2</strong> - 26 May 2016</p> <ul> <li>Download the binary and source distributions from a mirror site <a href="http://commons.apache.org/fileupload/download_fileupload.cgi">here</a> </li> </ul> + <p><strong>FileUpload 1.3.1</strong> - 7 February 2014</p> + <ul> + <li>Download the binary and source distributions from the archive site + <a href="http://archive.apache.org/dist/commons/fileupload/">here</a> + </li> + </ul> + <p><strong>FileUpload 1.3</strong> - 27 March 2013</p> + <ul> + <li>Download the binary and source distributions from a mirror site + <a href="http://archive.apache.org/dist/commons/fileupload/">here</a> + </li> + </ul> <p><strong>FileUpload 1.2.2</strong> - 29 July 2010</p> <ul> <li>Download the binary and source distributions from a mirror site - <a href="http://commons.apache.org/fileupload/download_fileupload.cgi">here</a> + <a href="http://archive.apache.org/dist/commons/fileupload/">here</a> </li> </ul> <p><strong>FileUpload 1.2.1</strong> - 18 January 2008</p> diff --git a/src/test/java/org/apache/commons/fileupload/DefaultFileItemTest.java b/src/test/java/org/apache/commons/fileupload/DefaultFileItemTest.java index 7bacf5012efec766d2bd4c47df031857788d87dd..cf278037ea094b06d0dbf42212bba3da3e49a6a7 100644 --- a/src/test/java/org/apache/commons/fileupload/DefaultFileItemTest.java +++ b/src/test/java/org/apache/commons/fileupload/DefaultFileItemTest.java @@ -33,7 +33,7 @@ import org.junit.Test; /** * Unit tests for {@link org.apache.commons.fileupload.DefaultFileItem}. * - * @version $Id: DefaultFileItemTest.java 1565246 2014-02-06 13:40:52Z ggregory $ + * @version $Id$ */ @SuppressWarnings({"deprecation", "javadoc"}) // unit tests for deprecated class public class DefaultFileItemTest { 
diff --git a/src/test/java/org/apache/commons/fileupload/DiskFileItemSerializeTest.java b/src/test/java/org/apache/commons/fileupload/DiskFileItemSerializeTest.java index 89c07d88fbea03fd7bbc961e69952a8e3687344c..fb8e6e1fd2f432fdb7f7893b7fa37fcae986aa6a 100644 --- a/src/test/java/org/apache/commons/fileupload/DiskFileItemSerializeTest.java +++ b/src/test/java/org/apache/commons/fileupload/DiskFileItemSerializeTest.java @@ -30,18 +30,22 @@ import java.io.ObjectInputStream; import java.io.ObjectOutputStream; import java.io.OutputStream; +import org.apache.commons.fileupload.disk.DiskFileItem; import org.apache.commons.fileupload.disk.DiskFileItemFactory; import org.junit.Test; + /** * Serialization Unit tests for * {@link org.apache.commons.fileupload.disk.DiskFileItem}. * - * @version $Id: DiskFileItemSerializeTest.java 1507048 2013-07-25 16:16:15Z markt $ + * @version $Id$ */ public class DiskFileItemSerializeTest { - /** + private static final String ERRMSG_DISKFILEITEM_DESERIALIZED = "Property org.apache.commons.fileupload.disk.DiskFileItem.serializable is not true, rejecting to deserialize a DiskFileItem."; + + /** * Content type for regular form items. */ private static final String textContentType = "text/plain"; @@ -63,7 +67,7 @@ public class DiskFileItemSerializeTest { compareBytes("Initial", item.get(), testFieldValueBytes); // Serialize & Deserialize - FileItem newItem = (FileItem)serializeDeserialize(item); + FileItem newItem = (FileItem)serializeDeserialize(item); // Test deserialized content is as expected assertTrue("Check in memory", newItem.isInMemory()); 
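Review bot: The new `ERRMSG_DISKFILEITEM_DESERIALIZED` constant in the first hunk spells the property name out by hand, although the same hunk imports `DiskFileItem` and a later hunk uses `DiskFileItem.SERIALIZABLE_PROPERTY`. If that constant holds the name embedded in the message (its definition is not shown here, so this is an assumption), the expected text could be built from it: `"Property " + DiskFileItem.SERIALIZABLE_PROPERTY + " is not true, rejecting to deserialize a DiskFileItem."`. The test and the guard would then stay in step if the property is renamed. A one-line comment saying the string must match the message thrown by the deserialization guard would also help the next reader.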
@@ -154,13 +158,19 @@ public class DiskFileItemSerializeTest { /** * Test deserialization fails when repository contains a null character. */ - @Test(expected=IOException.class) + @Test public void testInvalidRepositoryWithNullChar() throws Exception { // Create the FileItem byte[] testFieldValueBytes = createContentBytes(threshold); File repository = new File(System.getProperty("java.io.tmpdir") + "\0"); FileItem item = createFileItem(testFieldValueBytes, repository); - deserialize(serialize(item)); + try { + deserialize(serialize(item)); + fail("Expected Exception"); + } catch (IllegalStateException e) { + assertEquals(ERRMSG_DISKFILEITEM_DESERIALIZED, e.getMessage()); + } + System.setProperty(DiskFileItem.SERIALIZABLE_PROPERTY, "true"); } /** diff --git a/src/test/java/org/apache/commons/fileupload/FileUploadTestCase.java b/src/test/java/org/apache/commons/fileupload/FileUploadTestCase.java index d5310f84a6436836f6f7cafce90f91f3f0fc070e..131985b05766fe546ba03b3b6f58a88238752896 100644 --- a/src/test/java/org/apache/commons/fileupload/FileUploadTestCase.java +++ b/src/test/java/org/apache/commons/fileupload/FileUploadTestCase.java @@ -27,7 +27,7 @@ import org.apache.commons.fileupload.servlet.ServletFileUpload; /** * Base class for deriving test cases. * - * @version $Id: FileUploadTestCase.java 1454693 2013-03-09 12:30:27Z simonetripodi $ + * @version $Id$ */ public abstract class FileUploadTestCase { diff --git a/src/test/java/org/apache/commons/fileupload/HttpServletRequestFactory.java b/src/test/java/org/apache/commons/fileupload/HttpServletRequestFactory.java index 924aaeb6359072dc8f1a5b306805a0d6808b9b33..0f478ddc84de39915901517d656b24e9d10bbbbb 100644 --- a/src/test/java/org/apache/commons/fileupload/HttpServletRequestFactory.java +++ b/src/test/java/org/apache/commons/fileupload/HttpServletRequestFactory.java 
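Review bot: The trailing `System.setProperty(DiskFileItem.SERIALIZABLE_PROPERTY, "true")` in testInvalidRepositoryWithNullChar is never undone, so a JVM-wide switch that re-enables DiskFileItem deserialization leaks into every test that runs afterwards. The `IllegalStateException` branch also passes only if the property happens to be unset on entry, so the result depends on test ordering. In addition, the test no longer checks what its name and Javadoc describe: the old `expected=IOException.class` assertion for a repository path containing a null character is gone, and nothing is exercised after the property is enabled. I would clear the property first, assert the guard, then enable it and assert the IOException (assuming the null-character check still raises it once the guard is open), restoring the previous value in a `finally`.

```java
        final String previous = System.getProperty(DiskFileItem.SERIALIZABLE_PROPERTY);
        System.clearProperty(DiskFileItem.SERIALIZABLE_PROPERTY);
        try {
            // … unchanged: create the FileItem, expect IllegalStateException while the guard is closed …
            System.setProperty(DiskFileItem.SERIALIZABLE_PROPERTY, "true");
            try {
                deserialize(serialize(item));
                fail("Expected IOException");
            } catch (IOException e) {
                // expected: repository path contains a null character
            }
        } finally {
            // Put the JVM-wide switch back so later tests start with the guard in its original state.
            if (previous == null) {
                System.clearProperty(DiskFileItem.SERIALIZABLE_PROPERTY);
            } else {
                System.setProperty(DiskFileItem.SERIALIZABLE_PROPERTY, previous);
            }
        }
```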
@@ -19,7 +19,7 @@ package org.apache.commons.fileupload; import javax.servlet.http.HttpServletRequest; /** - * @version $Id: HttpServletRequestFactory.java 1565246 2014-02-06 13:40:52Z ggregory $ + * @version $Id$ */ final class HttpServletRequestFactory { diff --git a/src/test/java/org/apache/commons/fileupload/MockHttpServletRequest.java b/src/test/java/org/apache/commons/fileupload/MockHttpServletRequest.java index 63225dd0a3bf085480b1aefe4715242b1ba12355..f324929aa9c06d840e64f385ed6a7864df9ff64b 100644 --- a/src/test/java/org/apache/commons/fileupload/MockHttpServletRequest.java +++ b/src/test/java/org/apache/commons/fileupload/MockHttpServletRequest.java @@ -33,7 +33,7 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpSession; /** - * @version $Id: MockHttpServletRequest.java 1565255 2014-02-06 13:49:17Z ggregory $ + * @version $Id$ */ class MockHttpServletRequest implements HttpServletRequest { diff --git a/src/test/java/org/apache/commons/fileupload/MultipartStreamTest.java b/src/test/java/org/apache/commons/fileupload/MultipartStreamTest.java index 128046abeaefe165769e6fc0a9f1d08074873e96..af708c1c88e9aaa0a52e782f32f07783bd8cd76e 100644 --- a/src/test/java/org/apache/commons/fileupload/MultipartStreamTest.java +++ b/src/test/java/org/apache/commons/fileupload/MultipartStreamTest.java @@ -26,7 +26,7 @@ import org.junit.Test; /** * Unit tests {@link org.apache.commons.fileupload.MultipartStream}. * - * @version $Id: MultipartStreamTest.java 1565190 2014-02-06 12:01:48Z markt $ + * @version $Id$ */ public class MultipartStreamTest { diff --git a/src/test/java/org/apache/commons/fileupload/ParameterParserTest.java b/src/test/java/org/apache/commons/fileupload/ParameterParserTest.java index db98d701fb530b7181c493e95ef3b2cde3880964..4e55c7759f14c98860e8d303e185b413655a4d5d 100644 --- a/src/test/java/org/apache/commons/fileupload/ParameterParserTest.java +++ b/src/test/java/org/apache/commons/fileupload/ParameterParserTest.java 
@@ -26,7 +26,7 @@ import org.junit.Test; /** * Unit tests for {@link ParameterParser}. * - * @version $Id: ParameterParserTest.java 1455521 2013-03-12 13:18:01Z simonetripodi $ + * @version $Id$ */ public class ParameterParserTest { diff --git a/src/test/java/org/apache/commons/fileupload/ProgressListenerTest.java b/src/test/java/org/apache/commons/fileupload/ProgressListenerTest.java index 8ad55c1e0158306f771fbf6a81106b34bea48894..884f8f867399b27e69ab500099aa97e22cf7a06e 100644 --- a/src/test/java/org/apache/commons/fileupload/ProgressListenerTest.java +++ b/src/test/java/org/apache/commons/fileupload/ProgressListenerTest.java @@ -30,7 +30,7 @@ import org.junit.Test; /** * Tests the progress listener. * - * @version $Id: ProgressListenerTest.java 1454693 2013-03-09 12:30:27Z simonetripodi $ + * @version $Id$ */ public class ProgressListenerTest extends FileUploadTestCase { diff --git a/src/test/java/org/apache/commons/fileupload/ServletFileUploadTest.java b/src/test/java/org/apache/commons/fileupload/ServletFileUploadTest.java index 8d7503c4540d56f8c7b66b2aaac5e13e15b2a12e..27c1ec80c5033e594d569e4c78a9e6ede7f92aa1 100644 --- a/src/test/java/org/apache/commons/fileupload/ServletFileUploadTest.java +++ b/src/test/java/org/apache/commons/fileupload/ServletFileUploadTest.java @@ -36,7 +36,7 @@ import org.junit.Test; /** * Unit tests {@link org.apache.commons.fileupload.DiskFileUpload}. * - * @version $Id: ServletFileUploadTest.java 1564788 2014-02-05 14:36:41Z markt $ + * @version $Id$ */ @SuppressWarnings({"deprecation", "javadoc"}) // unit tests for deprecated class public class ServletFileUploadTest extends FileUploadTestCase { diff --git a/src/test/java/org/apache/commons/fileupload/SizesTest.java b/src/test/java/org/apache/commons/fileupload/SizesTest.java index 3e9354edf45edf89d98ff1bced78a01d396d640e..a2a65364d317ecabc6871931c18e6b6313d01346 100644 --- a/src/test/java/org/apache/commons/fileupload/SizesTest.java 
+++ b/src/test/java/org/apache/commons/fileupload/SizesTest.java @@ -39,7 +39,7 @@ import org.junit.Test; /** * Unit test for items with varying sizes. * - * @version $Id: SizesTest.java 1458684 2013-03-20 08:31:53Z simonetripodi $ + * @version $Id$ */ public class SizesTest extends FileUploadTestCase { diff --git a/src/test/java/org/apache/commons/fileupload/StreamingTest.java b/src/test/java/org/apache/commons/fileupload/StreamingTest.java index 256c9f8ef5328a2da1211fdc4b302c0fc07e3d55..030c0eea4957d13de7cb1d4d66afcf03859b8c97 100644 --- a/src/test/java/org/apache/commons/fileupload/StreamingTest.java +++ b/src/test/java/org/apache/commons/fileupload/StreamingTest.java @@ -36,7 +36,7 @@ import junit.framework.TestCase; /** * Unit test for items with varying sizes. * - * @version $Id: StreamingTest.java 1454693 2013-03-09 12:30:27Z simonetripodi $ + * @version $Id$ */ public class StreamingTest extends TestCase {