From 1e233b930c46ad9525f9978d39649f48648000ba Mon Sep 17 00:00:00 2001
From: Emmanuel Bourg <ebourg@apache.org>
Date: Fri, 23 Jun 2017 10:42:58 +0200
Subject: [PATCH] New upstream version 1.3.3

---
 NOTICE.txt                                    |  2 +-
 RELEASE-NOTES.txt                             | 10 ++---
 pom.xml                                       | 30 +++++++++++----
 src/changes/changes.xml                       |  8 +++-
 src/changes/release-notes.vm                  |  2 +-
 src/main/assembly/bin.xml                     | 11 ++++--
 .../commons/fileupload/DefaultFileItem.java   |  2 +-
 .../fileupload/DefaultFileItemFactory.java    |  2 +-
 .../commons/fileupload/DiskFileUpload.java    |  2 +-
 .../apache/commons/fileupload/FileItem.java   |  2 +-
 .../commons/fileupload/FileItemFactory.java   |  2 +-
 .../commons/fileupload/FileItemIterator.java  |  2 +-
 .../commons/fileupload/FileItemStream.java    |  2 +-
 .../apache/commons/fileupload/FileUpload.java |  2 +-
 .../commons/fileupload/FileUploadBase.java    |  2 +-
 .../fileupload/FileUploadException.java       |  2 +-
 .../fileupload/InvalidFileNameException.java  |  2 +-
 .../commons/fileupload/MultipartStream.java   |  2 +-
 .../commons/fileupload/ParameterParser.java   |  2 +-
 .../commons/fileupload/ProgressListener.java  |  2 +-
 .../commons/fileupload/RequestContext.java    |  2 +-
 .../commons/fileupload/disk/DiskFileItem.java | 12 +++++-
 .../fileupload/disk/DiskFileItemFactory.java  |  2 +-
 .../fileupload/portlet/PortletFileUpload.java |  2 +-
 .../portlet/PortletRequestContext.java        |  2 +-
 .../servlet/FileCleanerCleanup.java           |  2 +-
 .../fileupload/servlet/ServletFileUpload.java |  2 +-
 .../servlet/ServletRequestContext.java        |  2 +-
 .../commons/fileupload/util/Closeable.java    |  2 +-
 .../fileupload/util/FileItemHeadersImpl.java  |  2 +-
 .../fileupload/util/LimitedInputStream.java   |  2 +-
 .../commons/fileupload/util/Streams.java      |  2 +-
 src/site/fml/faq.fml                          | 38 +++++++++++++++++++
 src/site/xdoc/download_fileupload.xml         | 26 ++++++-------
 src/site/xdoc/index.xml                       | 16 +++++++-
 .../fileupload/DefaultFileItemTest.java       |  2 +-
 .../fileupload/DiskFileItemSerializeTest.java | 20 +++++++---
 .../fileupload/FileUploadTestCase.java        |  2 +-
 .../fileupload/HttpServletRequestFactory.java |  2 +-
 .../fileupload/MockHttpServletRequest.java    |  2 +-
 .../fileupload/MultipartStreamTest.java       |  2 +-
 .../fileupload/ParameterParserTest.java       |  2 +-
 .../fileupload/ProgressListenerTest.java      |  2 +-
 .../fileupload/ServletFileUploadTest.java     |  2 +-
 .../apache/commons/fileupload/SizesTest.java  |  2 +-
 .../commons/fileupload/StreamingTest.java     |  2 +-
 46 files changed, 170 insertions(+), 75 deletions(-)

diff --git a/NOTICE.txt b/NOTICE.txt
index b72a517..5038a44 100644
--- a/NOTICE.txt
+++ b/NOTICE.txt
@@ -1,5 +1,5 @@
 Apache Commons FileUpload
-Copyright 2002-2016 The Apache Software Foundation
+Copyright 2002-2017 The Apache Software Foundation
 
 This product includes software developed at
 The Apache Software Foundation (http://www.apache.org/).
diff --git a/RELEASE-NOTES.txt b/RELEASE-NOTES.txt
index bc33acb..ac7e3c1 100644
--- a/RELEASE-NOTES.txt
+++ b/RELEASE-NOTES.txt
@@ -1,16 +1,16 @@
-              Apache Commons FileUpload 1.3.2 RELEASE NOTES
+              Apache Commons FileUpload 1.3.3 RELEASE NOTES
 
-The Apache Commons FileUpload team is pleased to announce the release of Apache Commons FileUpload 1.3.2.
+The Apache Commons FileUpload team is pleased to announce the release of Apache Commons FileUpload 1.3.3.
 
 The Apache Commons FileUpload component provides a simple yet flexible means of
 adding support for multipart file upload functionality to servlets and web
 applications. Version 1.3 onwards requires Java 5 or later.
 
-No client code changes are required to migrate from version 1.3.1 to 1.3.2.
+No client code changes are required to migrate from version 1.3.0, 1.3.1, or 1.3.2, to 1.3.3
 
-Changes in version 1.3.2 include:
+Changes in version 1.3.3 include:
 
-o FILEUPLOAD-272:  Performance Improvement in MultipartStream
+o FILEUPLOAD-279:  DiskFileItem can no longer be deserialized, unless a particular system property is set.
 
 
 For complete information on Apache Commons FileUpload, including instructions on how to submit bug reports,
diff --git a/pom.xml b/pom.xml
index 12ccb01..154f19c 100644
--- a/pom.xml
+++ b/pom.xml
@@ -21,12 +21,12 @@
   <parent>
     <groupId>org.apache.commons</groupId>
     <artifactId>commons-parent</artifactId>
-    <version>40</version>
+    <version>41</version>
   </parent>
 
   <groupId>commons-fileupload</groupId>
   <artifactId>commons-fileupload</artifactId>
-  <version>1.3.2</version>
+  <version>1.3.3</version>
 
   <name>Apache Commons FileUpload</name>
   <description>
@@ -97,6 +97,12 @@
       <email>ggregory@apache.org</email>
       <organization />
     </developer>
+    <developer>
+      <name>Rob Tompkins</name>
+      <id>chtompki</id>
+      <email>chtompki@apache.org</email>
+      <organization />
+    </developer>
   </developers>
 
   <contributors>
@@ -167,9 +173,10 @@
   </contributors>
 
   <scm>
-    <connection>scm:svn:http://svn.apache.org/repos/asf/commons/proper/fileupload/tags/FILEUPLOAD_1_3_2</connection>
-    <developerConnection>scm:svn:https://svn.apache.org/repos/asf/commons/proper/fileupload/tags/FILEUPLOAD_1_3_2</developerConnection>
-    <url>http://svn.apache.org/viewvc/commons/proper/fileupload/tags/FILEUPLOAD_1_3_2</url>
+    <connection>scm:git:http://git-wip-us.apache.org/repos/asf/commons-fileupload.git</connection>
+    <developerConnection>scm:git:https://git-wip-us.apache.org/repos/asf/commons-fileupload.git</developerConnection>
+    <url>https://git-wip-us.apache.org/repos/asf?p=commons-fileupload.git</url>
+    <tag>commons-fileupload-1.3.3-RC6</tag>
   </scm>
   <issueManagement>
     <system>jira</system>
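Review bot: The new read-only `<connection>` uses plain `http://` while `<developerConnection>` and `<url>` in the same block use `https://`, so an anonymous checkout driven from this POM is fetched without transport integrity. I would align it with the other two: `<connection>scm:git:https://git-wip-us.apache.org/repos/asf/commons-fileupload.git</connection>`. Separately, `<tag>` names `commons-fileupload-1.3.3-RC6` while `commons.rc.version` in the properties hunk below still reads `RC1`, so one of the two looks stale.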
@@ -181,13 +188,14 @@
     <maven.compiler.target>1.5</maven.compiler.target>
     <maven.compile.encoding>ISO-8859-1</maven.compile.encoding>
     <commons.componentid>fileupload</commons.componentid>
-    <commons.release.version>1.3.2</commons.release.version>
+    <commons.release.version>1.3.3</commons.release.version>
     <commons.rc.version>RC1</commons.rc.version>
     <commons.jira.id>FILEUPLOAD</commons.jira.id>
     <commons.jira.pid>12310476</commons.jira.pid>
     <commons.osgi.export>!org.apache.commons.fileupload.util.mime,org.apache.commons.*;version=${project.version};-noimport:=true</commons.osgi.export>
     <commons.osgi.import>!javax.portlet,*</commons.osgi.import>
     <commons.osgi.dynamicImport>javax.portlet</commons.osgi.dynamicImport>
+    <project.scm.id>git-wip-us.apache.org</project.scm.id>
   </properties>
 
   <dependencies>
@@ -232,12 +240,19 @@
         <artifactId>maven-release-plugin</artifactId>
         <configuration>
           <preparationGoals>clean site verify</preparationGoals>
-          <goals>deploy</goals>
+          <goals>clean site deploy</goals>
         </configuration>
       </plugin>
     </plugins>
     <pluginManagement>
     	<plugins>
+    	    <plugin>
+    	      <groupId>org.apache.maven.plugins</groupId>
+    	      <artifactId>maven-release-plugin</artifactId>
+    	      <configuration>
+    	        <tagBase>https://svn.apache.org/repos/asf/commons/proper/fileupload/tags</tagBase>
+    	      </configuration>
+    	    </plugin>
     		<!--This plugin's configuration is used to store Eclipse m2e settings only. It has no influence on the Maven build itself.-->
     		<plugin>
     			<groupId>org.eclipse.m2e</groupId>
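Review bot: The `<tagBase>` added under `pluginManagement` points at the Subversion tags directory on svn.apache.org, although the `<scm>` block in this same commit moves the project to git; as far as I know `tagBase` is only honoured by the release plugin for SVN. As written the entry appears to have no effect and leaves a misleading pointer to the old repository, so either drop it or mark it, e.g. `<!-- tagBase applies to SVN only; kept for reference to historical tags -->`. The `maven-release-plugin` is also configured in `<plugins>` just above this block, and merging the two configurations would make the effective release settings easier to audit.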
@@ -320,5 +335,4 @@
       </plugin>
     </plugins>
   </reporting>
-
 </project>
diff --git a/src/changes/changes.xml b/src/changes/changes.xml
index bc1b921..73f2613 100644
--- a/src/changes/changes.xml
+++ b/src/changes/changes.xml
@@ -43,7 +43,13 @@ The <action> type attribute can be add,update,fix,remove.
   </properties>
 
   <body>
-    <release version="1.3.2" description="Bugfix release for 1.3.1" date="tba">
+    <release version="1.3.3" description="Bugfix release for 1.3.2" date="tba">
+      <action issue="FILEUPLOAD-279" dev="jochen" type="fix">
+        DiskDileItem can actually no longer be deserialized, unless a system property is set to true.
+      </action>
+    </release>
+
+    <release version="1.3.2" description="Bugfix release for 1.3.1" date="2016.05-26">
       <action issue="FILEUPLOAD-272" dev="jochen" type="update">
         Performance Improvement in MultipartStream
       </action>
diff --git a/src/changes/release-notes.vm b/src/changes/release-notes.vm
index ddcbff7..5b2f547 100644
--- a/src/changes/release-notes.vm
+++ b/src/changes/release-notes.vm
@@ -22,7 +22,7 @@ The Apache Commons FileUpload component provides a simple yet flexible means of
 adding support for multipart file upload functionality to servlets and web
 applications. Version 1.3 onwards requires Java 5 or later.
 
-No client code changes are required to migrate from version 1.3.0 to 1.3.1.
+No client code changes are required to migrate from version 1.3.0, 1.3.1, or 1.3.2 to 1.3.3.
 
 
 ## N.B. the available variables are described here:
diff --git a/src/main/assembly/bin.xml b/src/main/assembly/bin.xml
index d536d6e..353e51a 100644
--- a/src/main/assembly/bin.xml
+++ b/src/main/assembly/bin.xml
@@ -30,14 +30,19 @@
       <includes>
         <include>LICENSE.txt</include>
         <include>NOTICE.txt</include>
+        <include>RELEASE-NOTES.txt</include>
       </includes>
     </fileSet>
     <fileSet>
-      <directory>${project.build.directory}</directory>
-      <outputDirectory>lib</outputDirectory>
+      <directory>target</directory>
+      <outputDirectory></outputDirectory>
       <includes>
-        <include>${project.build.finalName}.jar</include>
+        <include>*.jar</include>
       </includes>
     </fileSet>
+    <fileSet>
+      <directory>target/site/apidocs</directory>
+      <outputDirectory>apidocs</outputDirectory>
+    </fileSet>
   </fileSets>
 </assembly>
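Review bot: The jar fileSet now includes `*.jar` from a hard-coded `target` directory, which pulls every jar present there (sources, test or javadoc jars, or leftovers from an earlier build) into the root of the binary distribution instead of the single `${project.build.finalName}.jar`. The contents of a release archive should be deterministic, so I would keep `<directory>${project.build.directory}</directory>` and list the intended artifacts explicitly, starting with `<include>${project.build.finalName}.jar</include>`. The new `target/site/apidocs` fileSet uses the same hard-coded path and depends on the site having been built before the assembly runs.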
diff --git a/src/main/java/org/apache/commons/fileupload/DefaultFileItem.java b/src/main/java/org/apache/commons/fileupload/DefaultFileItem.java
index 0265dd9..c5e4c8c 100644
--- a/src/main/java/org/apache/commons/fileupload/DefaultFileItem.java
+++ b/src/main/java/org/apache/commons/fileupload/DefaultFileItem.java
@@ -32,7 +32,7 @@ import org.apache.commons.fileupload.disk.DiskFileItem;
  * {@link #getInputStream()} and process the file without attempting to load
  * it into memory, which may come handy with large files.
  *
- * @version $Id: DefaultFileItem.java 1454690 2013-03-09 12:08:48Z simonetripodi $
+ * @version $Id$
  *
  * @deprecated 1.1 Use <code>DiskFileItem</code> instead.
  */
diff --git a/src/main/java/org/apache/commons/fileupload/DefaultFileItemFactory.java b/src/main/java/org/apache/commons/fileupload/DefaultFileItemFactory.java
index ea38062..6fecb37 100644
--- a/src/main/java/org/apache/commons/fileupload/DefaultFileItemFactory.java
+++ b/src/main/java/org/apache/commons/fileupload/DefaultFileItemFactory.java
@@ -36,7 +36,7 @@ import org.apache.commons.fileupload.disk.DiskFileItemFactory;
  *       <code>System.getProperty("java.io.tmpdir")</code>.</li>
  * </ul>
  *
- * @version $Id: DefaultFileItemFactory.java 1743630 2016-05-13 09:20:45Z jochen $
+ * @version $Id$
  *
  * @deprecated 1.1 Use <code>DiskFileItemFactory</code> instead.
  */
diff --git a/src/main/java/org/apache/commons/fileupload/DiskFileUpload.java b/src/main/java/org/apache/commons/fileupload/DiskFileUpload.java
index 97f3c9b..3b4c212 100644
--- a/src/main/java/org/apache/commons/fileupload/DiskFileUpload.java
+++ b/src/main/java/org/apache/commons/fileupload/DiskFileUpload.java
@@ -34,7 +34,7 @@ import javax.servlet.http.HttpServletRequest;
  * depending on their size, and will be available as {@link
  * org.apache.commons.fileupload.FileItem}s.</p>
  *
- * @version $Id: DiskFileUpload.java 1454690 2013-03-09 12:08:48Z simonetripodi $
+ * @version $Id$
  *
  * @deprecated 1.1 Use <code>ServletFileUpload</code> together with
  *             <code>DiskFileItemFactory</code> instead.
diff --git a/src/main/java/org/apache/commons/fileupload/FileItem.java b/src/main/java/org/apache/commons/fileupload/FileItem.java
index d1b5c18..484719f 100644
--- a/src/main/java/org/apache/commons/fileupload/FileItem.java
+++ b/src/main/java/org/apache/commons/fileupload/FileItem.java
@@ -43,7 +43,7 @@ import java.io.UnsupportedEncodingException;
  * implementation of this interface to also implement
  * <code>javax.activation.DataSource</code> with minimal additional work.
  *
- * @version $Id: FileItem.java 1454690 2013-03-09 12:08:48Z simonetripodi $
+ * @version $Id$
  * @since 1.3 additionally implements FileItemHeadersSupport
  */
 public interface FileItem extends Serializable, FileItemHeadersSupport {
diff --git a/src/main/java/org/apache/commons/fileupload/FileItemFactory.java b/src/main/java/org/apache/commons/fileupload/FileItemFactory.java
index 1e60b18..a576a33 100644
--- a/src/main/java/org/apache/commons/fileupload/FileItemFactory.java
+++ b/src/main/java/org/apache/commons/fileupload/FileItemFactory.java
@@ -21,7 +21,7 @@ package org.apache.commons.fileupload;
  * can provide their own custom configuration, over and above that provided
  * by the default file upload implementation.</p>
  *
- * @version $Id: FileItemFactory.java 1454690 2013-03-09 12:08:48Z simonetripodi $
+ * @version $Id$
  */
 public interface FileItemFactory {
 
diff --git a/src/main/java/org/apache/commons/fileupload/FileItemIterator.java b/src/main/java/org/apache/commons/fileupload/FileItemIterator.java
index 6c71cad..6c4e628 100644
--- a/src/main/java/org/apache/commons/fileupload/FileItemIterator.java
+++ b/src/main/java/org/apache/commons/fileupload/FileItemIterator.java
@@ -22,7 +22,7 @@ import java.io.IOException;
  * An iterator, as returned by
  * {@link FileUploadBase#getItemIterator(RequestContext)}.
  *
- * @version $Id: FileItemIterator.java 1454691 2013-03-09 12:15:54Z simonetripodi $
+ * @version $Id$
  */
 public interface FileItemIterator {
 
diff --git a/src/main/java/org/apache/commons/fileupload/FileItemStream.java b/src/main/java/org/apache/commons/fileupload/FileItemStream.java
index ef49b60..fbb4abc 100644
--- a/src/main/java/org/apache/commons/fileupload/FileItemStream.java
+++ b/src/main/java/org/apache/commons/fileupload/FileItemStream.java
@@ -31,7 +31,7 @@ import java.io.InputStream;
  * {@link java.util.Iterator#hasNext()} on the iterator, you discard all data,
  * which hasn't been read so far from the previous data.</p>
  *
- * @version $Id: FileItemStream.java 1454691 2013-03-09 12:15:54Z simonetripodi $
+ * @version $Id$
  */
 public interface FileItemStream extends FileItemHeadersSupport {
 
diff --git a/src/main/java/org/apache/commons/fileupload/FileUpload.java b/src/main/java/org/apache/commons/fileupload/FileUpload.java
index 7eb19ed..d70cef5 100644
--- a/src/main/java/org/apache/commons/fileupload/FileUpload.java
+++ b/src/main/java/org/apache/commons/fileupload/FileUpload.java
@@ -30,7 +30,7 @@ package org.apache.commons.fileupload;
  * used to create them; a given part may be in memory, on disk, or somewhere
  * else.</p>
  *
- * @version $Id: FileUpload.java 1454690 2013-03-09 12:08:48Z simonetripodi $
+ * @version $Id$
  */
 public class FileUpload
     extends FileUploadBase {
diff --git a/src/main/java/org/apache/commons/fileupload/FileUploadBase.java b/src/main/java/org/apache/commons/fileupload/FileUploadBase.java
index 6f2cdd6..b567bd9 100644
--- a/src/main/java/org/apache/commons/fileupload/FileUploadBase.java
+++ b/src/main/java/org/apache/commons/fileupload/FileUploadBase.java
@@ -53,7 +53,7 @@ import org.apache.commons.fileupload.util.Streams;
  * used to create them; a given part may be in memory, on disk, or somewhere
  * else.</p>
  *
- * @version $Id: FileUploadBase.java 1743630 2016-05-13 09:20:45Z jochen $
+ * @version $Id$
  */
 public abstract class FileUploadBase {
 
diff --git a/src/main/java/org/apache/commons/fileupload/FileUploadException.java b/src/main/java/org/apache/commons/fileupload/FileUploadException.java
index 799b43c..1c66cb8 100644
--- a/src/main/java/org/apache/commons/fileupload/FileUploadException.java
+++ b/src/main/java/org/apache/commons/fileupload/FileUploadException.java
@@ -22,7 +22,7 @@ import java.io.PrintWriter;
 /**
  * Exception for errors encountered while processing the request.
  *
- * @version $Id: FileUploadException.java 1454690 2013-03-09 12:08:48Z simonetripodi $
+ * @version $Id$
  */
 public class FileUploadException extends Exception {
 
diff --git a/src/main/java/org/apache/commons/fileupload/InvalidFileNameException.java b/src/main/java/org/apache/commons/fileupload/InvalidFileNameException.java
index 6b930ec..e58f6e8 100644
--- a/src/main/java/org/apache/commons/fileupload/InvalidFileNameException.java
+++ b/src/main/java/org/apache/commons/fileupload/InvalidFileNameException.java
@@ -26,7 +26,7 @@ package org.apache.commons.fileupload;
  * C library, it might create a file named "foo.exe", as the NUL
  * character is the string terminator in C.
  *
- * @version $Id: InvalidFileNameException.java 1454691 2013-03-09 12:15:54Z simonetripodi $
+ * @version $Id$
  */
 public class InvalidFileNameException extends RuntimeException {
 
diff --git a/src/main/java/org/apache/commons/fileupload/MultipartStream.java b/src/main/java/org/apache/commons/fileupload/MultipartStream.java
index 7007c7b..045dac3 100644
--- a/src/main/java/org/apache/commons/fileupload/MultipartStream.java
+++ b/src/main/java/org/apache/commons/fileupload/MultipartStream.java
@@ -81,7 +81,7 @@ import org.apache.commons.fileupload.util.Streams;
  *   }
  * </pre>
  *
- * @version $Id: MultipartStream.java 1745065 2016-05-22 14:56:37Z britter $
+ * @version $Id$
  */
 public class MultipartStream {
 
diff --git a/src/main/java/org/apache/commons/fileupload/ParameterParser.java b/src/main/java/org/apache/commons/fileupload/ParameterParser.java
index 892684c..3db521a 100644
--- a/src/main/java/org/apache/commons/fileupload/ParameterParser.java
+++ b/src/main/java/org/apache/commons/fileupload/ParameterParser.java
@@ -34,7 +34,7 @@ import org.apache.commons.fileupload.util.mime.MimeUtility;
  *  <code>param1 = value; param2 = "anything goes; really"; param3</code>
  * </p>
  *
- * @version $Id: ParameterParser.java 1565253 2014-02-06 13:48:16Z ggregory $
+ * @version $Id$
  */
 public class ParameterParser {
 
diff --git a/src/main/java/org/apache/commons/fileupload/ProgressListener.java b/src/main/java/org/apache/commons/fileupload/ProgressListener.java
index e65e362..30d7209 100644
--- a/src/main/java/org/apache/commons/fileupload/ProgressListener.java
+++ b/src/main/java/org/apache/commons/fileupload/ProgressListener.java
@@ -20,7 +20,7 @@ package org.apache.commons.fileupload;
  * The {@link ProgressListener} may be used to display a progress bar
  * or do stuff like that.
  *
- * @version $Id: ProgressListener.java 1454691 2013-03-09 12:15:54Z simonetripodi $
+ * @version $Id$
  */
 public interface ProgressListener {
 
diff --git a/src/main/java/org/apache/commons/fileupload/RequestContext.java b/src/main/java/org/apache/commons/fileupload/RequestContext.java
index 5812f61..bd2b83c 100644
--- a/src/main/java/org/apache/commons/fileupload/RequestContext.java
+++ b/src/main/java/org/apache/commons/fileupload/RequestContext.java
@@ -26,7 +26,7 @@ import java.io.IOException;
  *
  * @since FileUpload 1.1
  *
- * @version $Id: RequestContext.java 1455861 2013-03-13 10:12:09Z simonetripodi $
+ * @version $Id$
  */
 public interface RequestContext {
 
diff --git a/src/main/java/org/apache/commons/fileupload/disk/DiskFileItem.java b/src/main/java/org/apache/commons/fileupload/disk/DiskFileItem.java
index 550a7ed..00eda95 100644
--- a/src/main/java/org/apache/commons/fileupload/disk/DiskFileItem.java
+++ b/src/main/java/org/apache/commons/fileupload/disk/DiskFileItem.java
@@ -71,11 +71,17 @@ import org.apache.commons.io.output.DeferredFileOutputStream;
  *
  * @since FileUpload 1.1
  *
- * @version $Id: DiskFileItem.java 1565192 2014-02-06 12:14:16Z markt $
+ * @version $Id$
  */
 public class DiskFileItem
     implements FileItem {
 
+    /**
+     * Although it implements {@link java.io.Serializable}, a DiskFileItem can actually only be deserialized,
+     * if this System property is true.
+     */
+    public static final String SERIALIZABLE_PROPERTY = DiskFileItem.class.getName() + ".serializable";
+
     // ----------------------------------------------------- Manifest constants
 
     /**
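Review bot: The Javadoc on `SERIALIZABLE_PROPERTY` does not say that the flag is a JVM-wide system property, read with `Boolean.getBoolean` each time `readObject` runs (see the second hunk). That matters because setting it re-enables deserialization of `DiskFileItem` for every application and library sharing the JVM, not only the one that needs it. I would extend the comment with a sentence such as `The property is global to the JVM and is checked on every deserialization; enable it only when all sources of serialized data are trusted.` The class body continues outside the hunk.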
@@ -654,6 +660,10 @@ public class DiskFileItem
      */
     private void readObject(ObjectInputStream in)
             throws IOException, ClassNotFoundException {
+        if (!Boolean.getBoolean(SERIALIZABLE_PROPERTY)) {
+            throw new IllegalStateException("Property " + SERIALIZABLE_PROPERTY
+                    + " is not true, rejecting to deserialize a DiskFileItem.");
+        }
         // read values
         in.defaultReadObject();
 
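Review bot: The guard rejects with an unchecked `IllegalStateException` even though `readObject` already declares `IOException`, so callers that wrap `ObjectInputStream.readObject()` in a catch for `IOException` or `ClassNotFoundException` will not handle the rejection as a stream error. `java.io.InvalidObjectException` is the conventional signal for an object refused during deserialization: `throw new InvalidObjectException("Property " + SERIALIZABLE_PROPERTY + " is not true, refusing to deserialize a DiskFileItem.");` (this needs the matching import). If `IllegalStateException` is kept for compatibility with tests or callers, the method's Javadoc should gain a `@throws IllegalStateException` line. The rest of `readObject` is outside the hunk, so I cannot confirm what it validates once the property is set to true.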
diff --git a/src/main/java/org/apache/commons/fileupload/disk/DiskFileItemFactory.java b/src/main/java/org/apache/commons/fileupload/disk/DiskFileItemFactory.java
index 7334338..7f31ff7 100644
--- a/src/main/java/org/apache/commons/fileupload/disk/DiskFileItemFactory.java
+++ b/src/main/java/org/apache/commons/fileupload/disk/DiskFileItemFactory.java
@@ -67,7 +67,7 @@ import org.apache.commons.io.FileCleaningTracker;
  *
  * @since FileUpload 1.1
  *
- * @version $Id: DiskFileItemFactory.java 1564788 2014-02-05 14:36:41Z markt $
+ * @version $Id$
  */
 public class DiskFileItemFactory implements FileItemFactory {
 
diff --git a/src/main/java/org/apache/commons/fileupload/portlet/PortletFileUpload.java b/src/main/java/org/apache/commons/fileupload/portlet/PortletFileUpload.java
index 2c1455d..3564f3f 100644
--- a/src/main/java/org/apache/commons/fileupload/portlet/PortletFileUpload.java
+++ b/src/main/java/org/apache/commons/fileupload/portlet/PortletFileUpload.java
@@ -46,7 +46,7 @@ import org.apache.commons.fileupload.FileUploadException;
  *
  * @since FileUpload 1.1
  *
- * @version $Id: PortletFileUpload.java 1455537 2013-03-12 14:06:11Z simonetripodi $
+ * @version $Id$
  */
 public class PortletFileUpload extends FileUpload {
 
diff --git a/src/main/java/org/apache/commons/fileupload/portlet/PortletRequestContext.java b/src/main/java/org/apache/commons/fileupload/portlet/PortletRequestContext.java
index c2b5d61..66a2e5c 100644
--- a/src/main/java/org/apache/commons/fileupload/portlet/PortletRequestContext.java
+++ b/src/main/java/org/apache/commons/fileupload/portlet/PortletRequestContext.java
@@ -32,7 +32,7 @@ import org.apache.commons.fileupload.UploadContext;
  *
  * @since FileUpload 1.1
  *
- * @version $Id: PortletRequestContext.java 1564788 2014-02-05 14:36:41Z markt $
+ * @version $Id$
  */
 public class PortletRequestContext implements UploadContext {
 
diff --git a/src/main/java/org/apache/commons/fileupload/servlet/FileCleanerCleanup.java b/src/main/java/org/apache/commons/fileupload/servlet/FileCleanerCleanup.java
index 8e6cbd0..e0aa5e1 100644
--- a/src/main/java/org/apache/commons/fileupload/servlet/FileCleanerCleanup.java
+++ b/src/main/java/org/apache/commons/fileupload/servlet/FileCleanerCleanup.java
@@ -27,7 +27,7 @@ import org.apache.commons.io.FileCleaningTracker;
  * {@link FileCleaningTracker}'s reaper thread is terminated,
  * when the web application is destroyed.
  *
- * @version $Id: FileCleanerCleanup.java 1564788 2014-02-05 14:36:41Z markt $
+ * @version $Id$
  */
 public class FileCleanerCleanup implements ServletContextListener {
 
diff --git a/src/main/java/org/apache/commons/fileupload/servlet/ServletFileUpload.java b/src/main/java/org/apache/commons/fileupload/servlet/ServletFileUpload.java
index 2ea1fd7..a7beb63 100644
--- a/src/main/java/org/apache/commons/fileupload/servlet/ServletFileUpload.java
+++ b/src/main/java/org/apache/commons/fileupload/servlet/ServletFileUpload.java
@@ -43,7 +43,7 @@ import org.apache.commons.fileupload.FileUploadException;
  * used to create them; a given part may be in memory, on disk, or somewhere
  * else.</p>
  *
- * @version $Id: ServletFileUpload.java 1455949 2013-03-13 14:14:44Z simonetripodi $
+ * @version $Id$
  */
 public class ServletFileUpload extends FileUpload {
 
diff --git a/src/main/java/org/apache/commons/fileupload/servlet/ServletRequestContext.java b/src/main/java/org/apache/commons/fileupload/servlet/ServletRequestContext.java
index 622dc5e..4b93846 100644
--- a/src/main/java/org/apache/commons/fileupload/servlet/ServletRequestContext.java
+++ b/src/main/java/org/apache/commons/fileupload/servlet/ServletRequestContext.java
@@ -32,7 +32,7 @@ import org.apache.commons.fileupload.UploadContext;
  *
  * @since FileUpload 1.1
  *
- * @version $Id: ServletRequestContext.java 1564788 2014-02-05 14:36:41Z markt $
+ * @version $Id$
  */
 public class ServletRequestContext implements UploadContext {
 
diff --git a/src/main/java/org/apache/commons/fileupload/util/Closeable.java b/src/main/java/org/apache/commons/fileupload/util/Closeable.java
index ae5da9c..dcef1ca 100644
--- a/src/main/java/org/apache/commons/fileupload/util/Closeable.java
+++ b/src/main/java/org/apache/commons/fileupload/util/Closeable.java
@@ -21,7 +21,7 @@ import java.io.IOException;
 /**
  * Interface of an object, which may be closed.
  *
- * @version $Id: Closeable.java 1454691 2013-03-09 12:15:54Z simonetripodi $
+ * @version $Id$
  */
 public interface Closeable {
 
diff --git a/src/main/java/org/apache/commons/fileupload/util/FileItemHeadersImpl.java b/src/main/java/org/apache/commons/fileupload/util/FileItemHeadersImpl.java
index d1bc97c..c593b9d 100644
--- a/src/main/java/org/apache/commons/fileupload/util/FileItemHeadersImpl.java
+++ b/src/main/java/org/apache/commons/fileupload/util/FileItemHeadersImpl.java
@@ -32,7 +32,7 @@ import org.apache.commons.fileupload.FileItemHeaders;
  *
  * @since 1.2.1
  *
- * @version $Id: FileItemHeadersImpl.java 1458379 2013-03-19 16:16:47Z britter $
+ * @version $Id$
  */
 public class FileItemHeadersImpl implements FileItemHeaders, Serializable {
 
diff --git a/src/main/java/org/apache/commons/fileupload/util/LimitedInputStream.java b/src/main/java/org/apache/commons/fileupload/util/LimitedInputStream.java
index b2a76dc..002d7da 100644
--- a/src/main/java/org/apache/commons/fileupload/util/LimitedInputStream.java
+++ b/src/main/java/org/apache/commons/fileupload/util/LimitedInputStream.java
@@ -24,7 +24,7 @@ import java.io.InputStream;
  * An input stream, which limits its data size. This stream is
  * used, if the content length is unknown.
  *
- * @version $Id: LimitedInputStream.java 1565292 2014-02-06 14:51:59Z ggregory $
+ * @version $Id$
  */
 public abstract class LimitedInputStream extends FilterInputStream implements Closeable {
 
diff --git a/src/main/java/org/apache/commons/fileupload/util/Streams.java b/src/main/java/org/apache/commons/fileupload/util/Streams.java
index eafd2d0..9e9d58b 100644
--- a/src/main/java/org/apache/commons/fileupload/util/Streams.java
+++ b/src/main/java/org/apache/commons/fileupload/util/Streams.java
@@ -27,7 +27,7 @@ import org.apache.commons.io.IOUtils;
 /**
  * Utility class for working with streams.
  *
- * @version $Id: Streams.java 1565332 2014-02-06 16:42:19Z ggregory $
+ * @version $Id$
  */
 public final class Streams {
 
diff --git a/src/site/fml/faq.fml b/src/site/fml/faq.fml
index 15bfc76..44ed791 100644
--- a/src/site/fml/faq.fml
+++ b/src/site/fml/faq.fml
@@ -174,4 +174,42 @@ try {
     </faq>
   </part>
 
+  <part id="security">
+    <title>FileUpload and Flash</title>
+
+    <faq id="diskfileitem-serializable">
+      <question> I have read, that there is a security problem in Commons FileUpload, because there is a class called
+        DiskFileItem, which can be used for malicious attacks.
+      </question>
+      <answer>
+        <p>
+          It is true, that this class exists, and can be serialized/deserialized in FileUpload versions, up to, and
+          including 1.3.2. It is also true, that a malicious attacker can abuse this possibility to create abitraryly
+          located files (assuming the required permissions) with arbitrary contents, if he gets the opportunity to
+          provide specially crafted data, which is being deserialized by a Java application, which has either of the
+          above versions of Commons FileUpload in the classpath, and which puts no limitations on the classes being
+          deserialized.
+        </p>
+        <p>
+          That being said, we (the Apache Commons team) hold the view, that the actual problem is not the DiskFileItem
+          class, but the "if" in the previous sentence. A Java application should carefully consider, which classes
+          can be deserialized. A typical approach would be, for example, to provide a blacklist, or whitelist of
+          packages, and/or classes, which may, or may not be deserialized.
+        </p>
+        <p>
+          On the other hand, we acknowledge, that the likelyhood of application container vendors taking such a
+          simple security measure is extremely low. So, in order to support the Commons Fileupload users, we have
+          decided to choose a different approach:
+        </p>
+        <p>
+          Beginning with 1.3.3, the class DiskFileItem is still implementing the interface java.io.Serializable.
+          In other words, it still declares itself as serializable, and deserializable to the JVM. In practice,
+          however, an attempt to deserialize an instance of DiskFileItem will trigger an Exception. In the unlikely
+          case, that your application depends on the deserialization of DiskFileItems, you can revert to the
+          previous behaviour by setting the system property "org.apache.commons.fileupload.disk.DiskFileItem.serializable"
+          to "true".
+        </p>
+      </answer>
+    </faq>
+  </part>
 </faqs>
diff --git a/src/site/xdoc/download_fileupload.xml b/src/site/xdoc/download_fileupload.xml
index ae4a5e6..ec57a1f 100644
--- a/src/site/xdoc/download_fileupload.xml
+++ b/src/site/xdoc/download_fileupload.xml
@@ -111,32 +111,32 @@ limitations under the License.
       </p>
     </subsection>
     </section>
-    <section name="Apache Commons FileUpload 1.3.2 ">
+    <section name="Apache Commons FileUpload 1.3.3 ">
       <subsection name="Binaries">
         <table>
           <tr>
-              <td><a href="[preferred]/commons/fileupload/binaries/commons-fileupload-1.3.2-bin.tar.gz">commons-fileupload-1.3.2-bin.tar.gz</a></td>
-              <td><a href="https://www.apache.org/dist/commons/fileupload/binaries/commons-fileupload-1.3.2-bin.tar.gz.md5">md5</a></td>
-              <td><a href="https://www.apache.org/dist/commons/fileupload/binaries/commons-fileupload-1.3.2-bin.tar.gz.asc">pgp</a></td>
+              <td><a href="[preferred]/commons/fileupload/binaries/commons-fileupload-1.3.3-bin.tar.gz">commons-fileupload-1.3.3-bin.tar.gz</a></td>
+              <td><a href="https://www.apache.org/dist/commons/fileupload/binaries/commons-fileupload-1.3.3-bin.tar.gz.md5">md5</a></td>
+              <td><a href="https://www.apache.org/dist/commons/fileupload/binaries/commons-fileupload-1.3.3-bin.tar.gz.asc">pgp</a></td>
           </tr>
           <tr>
-              <td><a href="[preferred]/commons/fileupload/binaries/commons-fileupload-1.3.2-bin.zip">commons-fileupload-1.3.2-bin.zip</a></td>
-              <td><a href="https://www.apache.org/dist/commons/fileupload/binaries/commons-fileupload-1.3.2-bin.zip.md5">md5</a></td>
-              <td><a href="https://www.apache.org/dist/commons/fileupload/binaries/commons-fileupload-1.3.2-bin.zip.asc">pgp</a></td>
+              <td><a href="[preferred]/commons/fileupload/binaries/commons-fileupload-1.3.3-bin.zip">commons-fileupload-1.3.3-bin.zip</a></td>
+              <td><a href="https://www.apache.org/dist/commons/fileupload/binaries/commons-fileupload-1.3.3-bin.zip.md5">md5</a></td>
+              <td><a href="https://www.apache.org/dist/commons/fileupload/binaries/commons-fileupload-1.3.3-bin.zip.asc">pgp</a></td>
           </tr>
         </table>
       </subsection>
       <subsection name="Source">
         <table>
           <tr>
-              <td><a href="[preferred]/commons/fileupload/source/commons-fileupload-1.3.2-src.tar.gz">commons-fileupload-1.3.2-src.tar.gz</a></td>
-              <td><a href="https://www.apache.org/dist/commons/fileupload/source/commons-fileupload-1.3.2-src.tar.gz.md5">md5</a></td>
-              <td><a href="https://www.apache.org/dist/commons/fileupload/source/commons-fileupload-1.3.2-src.tar.gz.asc">pgp</a></td>
+              <td><a href="[preferred]/commons/fileupload/source/commons-fileupload-1.3.3-src.tar.gz">commons-fileupload-1.3.3-src.tar.gz</a></td>
+              <td><a href="https://www.apache.org/dist/commons/fileupload/source/commons-fileupload-1.3.3-src.tar.gz.md5">md5</a></td>
+              <td><a href="https://www.apache.org/dist/commons/fileupload/source/commons-fileupload-1.3.3-src.tar.gz.asc">pgp</a></td>
           </tr>
           <tr>
-              <td><a href="[preferred]/commons/fileupload/source/commons-fileupload-1.3.2-src.zip">commons-fileupload-1.3.2-src.zip</a></td>
-              <td><a href="https://www.apache.org/dist/commons/fileupload/source/commons-fileupload-1.3.2-src.zip.md5">md5</a></td>
-              <td><a href="https://www.apache.org/dist/commons/fileupload/source/commons-fileupload-1.3.2-src.zip.asc">pgp</a></td>
+              <td><a href="[preferred]/commons/fileupload/source/commons-fileupload-1.3.3-src.zip">commons-fileupload-1.3.3-src.zip</a></td>
+              <td><a href="https://www.apache.org/dist/commons/fileupload/source/commons-fileupload-1.3.3-src.zip.md5">md5</a></td>
+              <td><a href="https://www.apache.org/dist/commons/fileupload/source/commons-fileupload-1.3.3-src.zip.asc">pgp</a></td>
           </tr>
         </table>
       </subsection>
diff --git a/src/site/xdoc/index.xml b/src/site/xdoc/index.xml
index 1a99d22..c9c0148 100644
--- a/src/site/xdoc/index.xml
+++ b/src/site/xdoc/index.xml
@@ -67,16 +67,28 @@
 
     <section name="Downloading">
       <subsection name="Full Releases">
-        <p><strong>FileUpload 1.3</strong> - 27 March 2013</p>
+        <p><strong>FileUpload 1.3.2</strong> - 26 May 2016</p>
         <ul>
           <li>Download the binary and source distributions from a mirror site
             <a href="http://commons.apache.org/fileupload/download_fileupload.cgi">here</a>
           </li>
         </ul>
+        <p><strong>FileUpload 1.3.1</strong> - 7 February 2014</p>
+        <ul>
+          <li>Download the binary and source distributions from the archive site
+            <a href="http://archive.apache.org/dist/commons/fileupload/">here</a>
+          </li>
+        </ul>
+        <p><strong>FileUpload 1.3</strong> - 27 March 2013</p>
+        <ul>
+          <li>Download the binary and source distributions from a mirror site
+            <a href="http://archive.apache.org/dist/commons/fileupload/">here</a>
+          </li>
+        </ul>
         <p><strong>FileUpload 1.2.2</strong> - 29 July 2010</p>
         <ul>
           <li>Download the binary and source distributions from a mirror site
-            <a href="http://commons.apache.org/fileupload/download_fileupload.cgi">here</a>
+            <a href="http://archive.apache.org/dist/commons/fileupload/">here</a>
           </li>
         </ul>
         <p><strong>FileUpload 1.2.1</strong> - 18 January 2008</p>
diff --git a/src/test/java/org/apache/commons/fileupload/DefaultFileItemTest.java b/src/test/java/org/apache/commons/fileupload/DefaultFileItemTest.java
index 7bacf50..cf27803 100644
--- a/src/test/java/org/apache/commons/fileupload/DefaultFileItemTest.java
+++ b/src/test/java/org/apache/commons/fileupload/DefaultFileItemTest.java
@@ -33,7 +33,7 @@ import org.junit.Test;
 /**
  * Unit tests for {@link org.apache.commons.fileupload.DefaultFileItem}.
  *
- * @version $Id: DefaultFileItemTest.java 1565246 2014-02-06 13:40:52Z ggregory $
+ * @version $Id$
  */
 @SuppressWarnings({"deprecation", "javadoc"}) // unit tests for deprecated class
 public class DefaultFileItemTest {
diff --git a/src/test/java/org/apache/commons/fileupload/DiskFileItemSerializeTest.java b/src/test/java/org/apache/commons/fileupload/DiskFileItemSerializeTest.java
index 89c07d8..fb8e6e1 100644
--- a/src/test/java/org/apache/commons/fileupload/DiskFileItemSerializeTest.java
+++ b/src/test/java/org/apache/commons/fileupload/DiskFileItemSerializeTest.java
@@ -30,18 +30,22 @@ import java.io.ObjectInputStream;
 import java.io.ObjectOutputStream;
 import java.io.OutputStream;
 
+import org.apache.commons.fileupload.disk.DiskFileItem;
 import org.apache.commons.fileupload.disk.DiskFileItemFactory;
 import org.junit.Test;
 
+
 /**
  * Serialization Unit tests for
  *  {@link org.apache.commons.fileupload.disk.DiskFileItem}.
  *
- * @version $Id: DiskFileItemSerializeTest.java 1507048 2013-07-25 16:16:15Z markt $
+ * @version $Id$
  */
 public class DiskFileItemSerializeTest {
 
-    /**
+    private static final String ERRMSG_DISKFILEITEM_DESERIALIZED = "Property org.apache.commons.fileupload.disk.DiskFileItem.serializable is not true, rejecting to deserialize a DiskFileItem.";
+
+	/**
      * Content type for regular form items.
      */
     private static final String textContentType = "text/plain";
@@ -63,7 +67,7 @@ public class DiskFileItemSerializeTest {
         compareBytes("Initial", item.get(), testFieldValueBytes);
 
         // Serialize & Deserialize
-        FileItem newItem = (FileItem)serializeDeserialize(item);
+        FileItem newItem =  (FileItem)serializeDeserialize(item);
 
         // Test deserialized content is as expected
         assertTrue("Check in memory", newItem.isInMemory());
@@ -154,13 +158,19 @@ public class DiskFileItemSerializeTest {
     /**
      * Test deserialization fails when repository contains a null character.
      */
-    @Test(expected=IOException.class)
+    @Test
     public void testInvalidRepositoryWithNullChar() throws Exception {
         // Create the FileItem
         byte[] testFieldValueBytes = createContentBytes(threshold);
         File repository = new File(System.getProperty("java.io.tmpdir") + "\0");
         FileItem item = createFileItem(testFieldValueBytes, repository);
-        deserialize(serialize(item));
+        try {
+        	deserialize(serialize(item));
+        	fail("Expected Exception");
+        } catch (IllegalStateException e) {
+        	assertEquals(ERRMSG_DISKFILEITEM_DESERIALIZED, e.getMessage());
+        }
+        System.setProperty(DiskFileItem.SERIALIZABLE_PROPERTY, "true");
     }
 
     /**
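Review bot: The `System.setProperty(DiskFileItem.SERIALIZABLE_PROPERTY, "true")` at the end of `testInvalidRepositoryWithNullChar` turns DiskFileItem deserialization back on for the rest of the JVM and is never undone, so later tests run with the guard disabled and this test passes only if nothing enabled the property before it. Save the previous value, clear the property before the `deserialize` call, and restore it in a `finally` (or move the toggling into `@Before`/`@After`), as sketched below. This assumes DiskFileItem reads the property at deserialization time, which the hunk does not show. Separately, the Javadoc still says the test covers a repository containing a null character, but the assertion now matches only the generic rejection message, so the null-character check appears to be no longer exercised. A second case that runs with the property enabled and expects the original `IOException` would keep that coverage.

```java
    public void testInvalidRepositoryWithNullChar() throws Exception {
        // … unchanged: build the FileItem with the null-character repository …
        final String previous = System.getProperty(DiskFileItem.SERIALIZABLE_PROPERTY);
        System.clearProperty(DiskFileItem.SERIALIZABLE_PROPERTY);
        try {
            deserialize(serialize(item));
            fail("Expected Exception");
        } catch (IllegalStateException e) {
            assertEquals(ERRMSG_DISKFILEITEM_DESERIALIZED, e.getMessage());
        } finally {
            // Put the JVM-wide switch back so later tests see the state they started with.
            if (previous == null) {
                System.clearProperty(DiskFileItem.SERIALIZABLE_PROPERTY);
            } else {
                System.setProperty(DiskFileItem.SERIALIZABLE_PROPERTY, previous);
            }
        }
    }
```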
diff --git a/src/test/java/org/apache/commons/fileupload/FileUploadTestCase.java b/src/test/java/org/apache/commons/fileupload/FileUploadTestCase.java
index d5310f8..131985b 100644
--- a/src/test/java/org/apache/commons/fileupload/FileUploadTestCase.java
+++ b/src/test/java/org/apache/commons/fileupload/FileUploadTestCase.java
@@ -27,7 +27,7 @@ import org.apache.commons.fileupload.servlet.ServletFileUpload;
 /**
  * Base class for deriving test cases.
  *
- * @version $Id: FileUploadTestCase.java 1454693 2013-03-09 12:30:27Z simonetripodi $
+ * @version $Id$
  */
 public abstract class FileUploadTestCase {
 
diff --git a/src/test/java/org/apache/commons/fileupload/HttpServletRequestFactory.java b/src/test/java/org/apache/commons/fileupload/HttpServletRequestFactory.java
index 924aaeb..0f478dd 100644
--- a/src/test/java/org/apache/commons/fileupload/HttpServletRequestFactory.java
+++ b/src/test/java/org/apache/commons/fileupload/HttpServletRequestFactory.java
@@ -19,7 +19,7 @@ package org.apache.commons.fileupload;
 import javax.servlet.http.HttpServletRequest;
 
 /**
- * @version $Id: HttpServletRequestFactory.java 1565246 2014-02-06 13:40:52Z ggregory $
+ * @version $Id$
  */
 final class HttpServletRequestFactory {
 
diff --git a/src/test/java/org/apache/commons/fileupload/MockHttpServletRequest.java b/src/test/java/org/apache/commons/fileupload/MockHttpServletRequest.java
index 63225dd..f324929 100644
--- a/src/test/java/org/apache/commons/fileupload/MockHttpServletRequest.java
+++ b/src/test/java/org/apache/commons/fileupload/MockHttpServletRequest.java
@@ -33,7 +33,7 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpSession;
 
 /**
- * @version $Id: MockHttpServletRequest.java 1565255 2014-02-06 13:49:17Z ggregory $
+ * @version $Id$
  */
 class MockHttpServletRequest implements HttpServletRequest {
 
diff --git a/src/test/java/org/apache/commons/fileupload/MultipartStreamTest.java b/src/test/java/org/apache/commons/fileupload/MultipartStreamTest.java
index 128046a..af708c1 100644
--- a/src/test/java/org/apache/commons/fileupload/MultipartStreamTest.java
+++ b/src/test/java/org/apache/commons/fileupload/MultipartStreamTest.java
@@ -26,7 +26,7 @@ import org.junit.Test;
 /**
  * Unit tests {@link org.apache.commons.fileupload.MultipartStream}.
  *
- * @version $Id: MultipartStreamTest.java 1565190 2014-02-06 12:01:48Z markt $
+ * @version $Id$
  */
 public class MultipartStreamTest {
 
diff --git a/src/test/java/org/apache/commons/fileupload/ParameterParserTest.java b/src/test/java/org/apache/commons/fileupload/ParameterParserTest.java
index db98d70..4e55c77 100644
--- a/src/test/java/org/apache/commons/fileupload/ParameterParserTest.java
+++ b/src/test/java/org/apache/commons/fileupload/ParameterParserTest.java
@@ -26,7 +26,7 @@ import org.junit.Test;
 /**
  * Unit tests for {@link ParameterParser}.
  *
- * @version $Id: ParameterParserTest.java 1455521 2013-03-12 13:18:01Z simonetripodi $
+ * @version $Id$
  */
 public class ParameterParserTest {
 
diff --git a/src/test/java/org/apache/commons/fileupload/ProgressListenerTest.java b/src/test/java/org/apache/commons/fileupload/ProgressListenerTest.java
index 8ad55c1..884f8f8 100644
--- a/src/test/java/org/apache/commons/fileupload/ProgressListenerTest.java
+++ b/src/test/java/org/apache/commons/fileupload/ProgressListenerTest.java
@@ -30,7 +30,7 @@ import org.junit.Test;
 /**
  * Tests the progress listener.
  *
- * @version $Id: ProgressListenerTest.java 1454693 2013-03-09 12:30:27Z simonetripodi $
+ * @version $Id$
  */
 public class ProgressListenerTest extends FileUploadTestCase {
 
diff --git a/src/test/java/org/apache/commons/fileupload/ServletFileUploadTest.java b/src/test/java/org/apache/commons/fileupload/ServletFileUploadTest.java
index 8d7503c..27c1ec8 100644
--- a/src/test/java/org/apache/commons/fileupload/ServletFileUploadTest.java
+++ b/src/test/java/org/apache/commons/fileupload/ServletFileUploadTest.java
@@ -36,7 +36,7 @@ import org.junit.Test;
 /**
  * Unit tests {@link org.apache.commons.fileupload.DiskFileUpload}.
  *
- * @version $Id: ServletFileUploadTest.java 1564788 2014-02-05 14:36:41Z markt $
+ * @version $Id$
  */
 @SuppressWarnings({"deprecation", "javadoc"}) // unit tests for deprecated class
 public class ServletFileUploadTest extends FileUploadTestCase {
diff --git a/src/test/java/org/apache/commons/fileupload/SizesTest.java b/src/test/java/org/apache/commons/fileupload/SizesTest.java
index 3e9354e..a2a6536 100644
--- a/src/test/java/org/apache/commons/fileupload/SizesTest.java
+++ b/src/test/java/org/apache/commons/fileupload/SizesTest.java
@@ -39,7 +39,7 @@ import org.junit.Test;
 /**
  * Unit test for items with varying sizes.
  *
- * @version $Id: SizesTest.java 1458684 2013-03-20 08:31:53Z simonetripodi $
+ * @version $Id$
  */
 public class SizesTest extends FileUploadTestCase {
 
diff --git a/src/test/java/org/apache/commons/fileupload/StreamingTest.java b/src/test/java/org/apache/commons/fileupload/StreamingTest.java
index 256c9f8..030c0ee 100644
--- a/src/test/java/org/apache/commons/fileupload/StreamingTest.java
+++ b/src/test/java/org/apache/commons/fileupload/StreamingTest.java
@@ -36,7 +36,7 @@ import junit.framework.TestCase;
 /**
  * Unit test for items with varying sizes.
  *
- * @version $Id: StreamingTest.java 1454693 2013-03-09 12:30:27Z simonetripodi $
+ * @version $Id$
  */
 public class StreamingTest extends TestCase {
 
-- 
GitLab