/*
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.apache.commons.fileupload.disk;

import java.io.File;

import org.apache.commons.fileupload.FileItem;
import org.apache.commons.fileupload.FileItemFactory;
import org.apache.commons.io.FileCleaningTracker;

/**
 * <p>Default {@link org.apache.commons.fileupload.FileItemFactory}
 * implementation. The {@link org.apache.commons.fileupload.FileItem}
 * instances it produces hold small items in memory and spill larger items
 * to a temporary file on disk. Both the size threshold that triggers the
 * spill and the directory that receives the temporary files can be
 * configured.</p>
 *
 * <p>Unless configured otherwise, the defaults are:</p>
 * <ul>
 *   <li>Size threshold: 10KB.</li>
 *   <li>Repository: the system default temp directory, as returned by
 *       <code>System.getProperty("java.io.tmpdir")</code>.</li>
 * </ul>
 *
 * <p>
 * <b>SECURITY NOTE</b>: Files are created in the system default temp
 * directory with predictable names. A local attacker with write access to
 * that directory can therefore mount a TOCTOU (time-of-check to time-of-use)
 * attack and replace any uploaded file with a file of the attacker's choice.
 * The impact depends on how the uploaded file is used, but could be
 * significant. When this implementation runs in an environment with local,
 * untrusted users, {@link #setRepository(File)} MUST be used to configure a
 * repository location that is not publicly writable. In a Servlet container
 * the location identified by the ServletContext attribute
 * <code>javax.servlet.context.tempdir</code> may be used.
 * </p>
 *
 * <p>Temporary files created for file items should be deleted later on.
 * The best way to do this is a {@link FileCleaningTracker} set on the
 * {@link DiskFileItemFactory}. If you use such a tracker, keep the following
 * in mind: temporary files are deleted automatically as soon as they are no
 * longer needed (more precisely, when the corresponding instance of
 * {@link java.io.File} is garbage collected). The deletion is carried out by
 * the so-called reaper thread, which the {@link FileCleaningTracker} starts
 * and stops automatically while there are files to track. It may make sense
 * to terminate that thread, for example when your web application ends. See
 * the section on "Resource cleanup" in the users guide of
 * commons-fileupload.</p>
 *
 * @since FileUpload 1.1
 */
public class DiskFileItemFactory implements FileItemFactory {

    // ---- Constants ----

    /**
     * Default size, in bytes, above which an upload is stored on disk.
     */
    public static final int DEFAULT_SIZE_THRESHOLD = 10240;

    // ---- State ----

    /**
     * Directory that receives uploads which are stored on disk.
     * Stays {@code null} until a repository is configured.
     */
    private File repository;

    /**
     * Size, in bytes, above which an upload is stored on disk.
     */
    private int sizeThreshold = DEFAULT_SIZE_THRESHOLD;

    /**
     * <p>The {@link FileCleaningTracker} in charge of deleting temporary
     * files.</p>
     * <p>{@code null} when file tracking is not required.</p>
     */
    private FileCleaningTracker fileCleaningTracker;

    /**
     * Content charset applied when the sender provides no explicit charset
     * parameter.
     */
    private String defaultCharset = DiskFileItem.DEFAULT_CHARSET;

    // ---- Construction ----

    /**
     * Creates a factory with the default size threshold and no repository.
     * Use the setters to configure it further; see the class-level security
     * note before relying on the default repository.
     */
    public DiskFileItemFactory() {
        this(DEFAULT_SIZE_THRESHOLD, null);
    }

    /**
     * Creates a factory with the given configuration.
     *
     * @param sizeThreshold The threshold, in bytes, below which items are
     *                      kept in memory and above which they are stored
     *                      as a file.
     * @param repository    The data repository: the directory in which
     *                      files are created once an item exceeds the
     *                      threshold. Stored as given, without validation.
     */
    public DiskFileItemFactory(int sizeThreshold, File repository) {
        this.repository = repository;
        this.sizeThreshold = sizeThreshold;
    }

    // ---- Configuration accessors ----

    /**
     * Returns the directory that temporarily holds files larger than the
     * configured size threshold.
     *
     * @return The directory in which temporary files will be located, or
     *         {@code null} if none has been configured on this factory.
     *
     * @see #setRepository(java.io.File)
     */
    public File getRepository() {
        return this.repository;
    }

    /**
     * Sets the directory that temporarily holds files larger than the
     * configured size threshold.
     *
     * <p>The value is stored as given; this method does not check that the
     * directory exists or who may write to it. Where local, untrusted users
     * are present, choose a location that is not publicly writable (see the
     * class-level security note). How a {@code null} repository is resolved
     * is decided by {@link DiskFileItem}, not by this class.</p>
     *
     * @param repository The directory in which temporary files will be
     *                   located.
     *
     * @see #getRepository()
     */
    public void setRepository(File repository) {
        this.repository = repository;
    }

    /**
     * Returns the size threshold beyond which files are written directly to
     * disk. The default value is 10240 bytes.
     *
     * @return The size threshold, in bytes.
     *
     * @see #setSizeThreshold(int)
     */
    public int getSizeThreshold() {
        return this.sizeThreshold;
    }

    /**
     * Sets the size threshold beyond which files are written directly to
     * disk. The value is stored as given, without range checking.
     *
     * @param sizeThreshold The size threshold, in bytes.
     *
     * @see #getSizeThreshold()
     */
    public void setSizeThreshold(int sizeThreshold) {
        this.sizeThreshold = sizeThreshold;
    }

    // ---- Item creation ----

    /**
     * Builds a new {@link org.apache.commons.fileupload.disk.DiskFileItem}
     * from the supplied parameters and this factory's configuration.
     *
     * <p>{@code fileName} is client-supplied and is handed to the item
     * unchanged; nothing in this method sanitises it, so callers should
     * treat it as untrusted input.</p>
     *
     * @param fieldName   The name of the form field.
     * @param contentType The content type of the form field.
     * @param isFormField <code>true</code> if this is a plain form field;
     *                    <code>false</code> otherwise.
     * @param fileName    The name of the uploaded file, if any, as supplied
     *                    by the browser or other client.
     *
     * @return The newly created file item.
     */
    @Override
    public FileItem createItem(String fieldName, String contentType,
            boolean isFormField, String fileName) {
        final DiskFileItem item = new DiskFileItem(fieldName, contentType,
                isFormField, fileName, this.sizeThreshold, this.repository);
        item.setDefaultCharset(this.defaultCharset);

        // Read the tracker through the getter so that a subclass overriding
        // getFileCleaningTracker() is still honoured.
        final FileCleaningTracker cleaner = getFileCleaningTracker();
        if (cleaner == null) {
            // No tracker configured: cleanup of the temp file is not
            // registered here.
            return item;
        }
        cleaner.track(item.getTempFile(), item);
        return item;
    }

    // ---- Tracker and charset accessors ----

    /**
     * Returns the tracker in charge of deleting temporary files.
     *
     * @return An instance of {@link FileCleaningTracker}, or null
     *         (default), if temporary files aren't tracked.
     */
    public FileCleaningTracker getFileCleaningTracker() {
        return this.fileCleaningTracker;
    }

    /**
     * Sets the tracker in charge of deleting temporary files.
     *
     * @param pTracker An instance of {@link FileCleaningTracker}, which
     *                 will from now on track the created files, or null
     *                 (default), to disable tracking.
     */
    public void setFileCleaningTracker(FileCleaningTracker pTracker) {
        this.fileCleaningTracker = pTracker;
    }

    /**
     * Returns the charset used when the sender provides no explicit charset
     * parameter.
     *
     * @return the default charset
     */
    public String getDefaultCharset() {
        return this.defaultCharset;
    }

    /**
     * Sets the charset used when the sender provides no explicit charset
     * parameter.
     *
     * @param pCharset the default charset
     */
    public void setDefaultCharset(String pCharset) {
        this.defaultCharset = pCharset;
    }
}