1 /* 2 * Licensed to the Apache Software Foundation (ASF) under one or more 3 * contributor license agreements. See the NOTICE file distributed with 4 * this work for additional information regarding copyright ownership. 5 * The ASF licenses this file to You under the Apache License, Version 2.0 6 * (the "License"); you may not use this file except in compliance with 7 * the License. You may obtain a copy of the License at 8 * 9 * http://www.apache.org/licenses/LICENSE-2.0 10 * 11 * Unless required by applicable law or agreed to in writing, software 12 * distributed under the License is distributed on an "AS IS" BASIS, 13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 * See the License for the specific language governing permissions and 15 * limitations under the License. 16 */ 17 package org.apache.commons.fileupload.disk; 18 19 import java.io.File; 20 21 import org.apache.commons.fileupload.FileItem; 22 import org.apache.commons.fileupload.FileItemFactory; 23 import org.apache.commons.io.FileCleaningTracker; 24 25 /** 26 * <p>The default {@link org.apache.commons.fileupload.FileItemFactory} 27 * implementation. This implementation creates 28 * {@link org.apache.commons.fileupload.FileItem} instances which keep their 29 * content either in memory, for smaller items, or in a temporary file on disk, 30 * for larger items. The size threshold, above which content will be stored on 31 * disk, is configurable, as is the directory in which temporary files will be 32 * created.</p> 33 * 34 * <p>If not otherwise configured, the default configuration values are as 35 * follows:</p> 36 * <ul> 37 * <li>Size threshold is 10KB.</li> 38 * <li>Repository is the system default temp directory, as returned by 39 * <code>System.getProperty("java.io.tmpdir")</code>.</li> 40 * </ul> 41 * <p> 42 * <b>NOTE</b>: Files are created in the system default temp directory with 43 * predictable names. This means that a local attacker with write access to that 44 * directory can perform a TOUTOC attack to replace any uploaded file with a 45 * file of the attackers choice. The implications of this will depend on how the 46 * uploaded file is used but could be significant. When using this 47 * implementation in an environment with local, untrusted users, 48 * {@link #setRepository(File)} MUST be used to configure a repository location 49 * that is not publicly writable. In a Servlet container the location identified 50 * by the ServletContext attribute <code>javax.servlet.context.tempdir</code> 51 * may be used. 52 * </p> 53 * 54 * <p>Temporary files, which are created for file items, should be 55 * deleted later on. The best way to do this is using a 56 * {@link FileCleaningTracker}, which you can set on the 57 * {@link DiskFileItemFactory}. However, if you do use such a tracker, 58 * then you must consider the following: Temporary files are automatically 59 * deleted as soon as they are no longer needed. (More precisely, when the 60 * corresponding instance of {@link java.io.File} is garbage collected.) 61 * This is done by the so-called reaper thread, which is started and stopped 62 * automatically by the {@link FileCleaningTracker} when there are files to be 63 * tracked. 64 * It might make sense to terminate that thread, for example, if 65 * your web application ends. See the section on "Resource cleanup" 66 * in the users guide of commons-fileupload.</p> 67 * 68 * @since FileUpload 1.1 69 */ 70 public class DiskFileItemFactory implements FileItemFactory { 71 72 // ----------------------------------------------------- Manifest constants 73 74 /** 75 * The default threshold above which uploads will be stored on disk. 76 */ 77 public static final int DEFAULT_SIZE_THRESHOLD = 10240; 78 79 // ----------------------------------------------------- Instance Variables 80 81 /** 82 * The directory in which uploaded files will be stored, if stored on disk. 83 */ 84 private File repository; 85 86 /** 87 * The threshold above which uploads will be stored on disk. 88 */ 89 private int sizeThreshold = DEFAULT_SIZE_THRESHOLD; 90 91 /** 92 * <p>The instance of {@link FileCleaningTracker}, which is responsible 93 * for deleting temporary files.</p> 94 * <p>May be null, if tracking files is not required.</p> 95 */ 96 private FileCleaningTracker fileCleaningTracker; 97 98 // ----------------------------------------------------------- Constructors 99 100 /** 101 * Constructs an unconfigured instance of this class. The resulting factory 102 * may be configured by calling the appropriate setter methods. 103 */ 104 public DiskFileItemFactory() { 105 this(DEFAULT_SIZE_THRESHOLD, null); 106 } 107 108 /** 109 * Constructs a preconfigured instance of this class. 110 * 111 * @param sizeThreshold The threshold, in bytes, below which items will be 112 * retained in memory and above which they will be 113 * stored as a file. 114 * @param repository The data repository, which is the directory in 115 * which files will be created, should the item size 116 * exceed the threshold. 117 */ 118 public DiskFileItemFactory(int sizeThreshold, File repository) { 119 this.sizeThreshold = sizeThreshold; 120 this.repository = repository; 121 } 122 123 // ------------------------------------------------------------- Properties 124 125 /** 126 * Returns the directory used to temporarily store files that are larger 127 * than the configured size threshold. 128 * 129 * @return The directory in which temporary files will be located. 130 * 131 * @see #setRepository(java.io.File) 132 * 133 */ 134 public File getRepository() { 135 return repository; 136 } 137 138 /** 139 * Sets the directory used to temporarily store files that are larger 140 * than the configured size threshold. 141 * 142 * @param repository The directory in which temporary files will be located. 143 * 144 * @see #getRepository() 145 * 146 */ 147 public void setRepository(File repository) { 148 this.repository = repository; 149 } 150 151 /** 152 * Returns the size threshold beyond which files are written directly to 153 * disk. The default value is 10240 bytes. 154 * 155 * @return The size threshold, in bytes. 156 * 157 * @see #setSizeThreshold(int) 158 */ 159 public int getSizeThreshold() { 160 return sizeThreshold; 161 } 162 163 /** 164 * Sets the size threshold beyond which files are written directly to disk. 165 * 166 * @param sizeThreshold The size threshold, in bytes. 167 * 168 * @see #getSizeThreshold() 169 * 170 */ 171 public void setSizeThreshold(int sizeThreshold) { 172 this.sizeThreshold = sizeThreshold; 173 } 174 175 // --------------------------------------------------------- Public Methods 176 177 /** 178 * Create a new {@link org.apache.commons.fileupload.disk.DiskFileItem} 179 * instance from the supplied parameters and the local factory 180 * configuration. 181 * 182 * @param fieldName The name of the form field. 183 * @param contentType The content type of the form field. 184 * @param isFormField <code>true</code> if this is a plain form field; 185 * <code>false</code> otherwise. 186 * @param fileName The name of the uploaded file, if any, as supplied 187 * by the browser or other client. 188 * 189 * @return The newly created file item. 190 */ 191 public FileItem createItem(String fieldName, String contentType, 192 boolean isFormField, String fileName) { 193 DiskFileItem result = new DiskFileItem(fieldName, contentType, 194 isFormField, fileName, sizeThreshold, repository); 195 FileCleaningTracker tracker = getFileCleaningTracker(); 196 if (tracker != null) { 197 tracker.track(result.getTempFile(), result); 198 } 199 return result; 200 } 201 202 /** 203 * Returns the tracker, which is responsible for deleting temporary 204 * files. 205 * 206 * @return An instance of {@link FileCleaningTracker}, or null 207 * (default), if temporary files aren't tracked. 208 */ 209 public FileCleaningTracker getFileCleaningTracker() { 210 return fileCleaningTracker; 211 } 212 213 /** 214 * Sets the tracker, which is responsible for deleting temporary 215 * files. 216 * 217 * @param pTracker An instance of {@link FileCleaningTracker}, 218 * which will from now on track the created files, or null 219 * (default), to disable tracking. 220 */ 221 public void setFileCleaningTracker(FileCleaningTracker pTracker) { 222 fileCleaningTracker = pTracker; 223 } 224 225 }