001/* 002 * Licensed to the Apache Software Foundation (ASF) under one or more 003 * contributor license agreements. See the NOTICE file distributed with 004 * this work for additional information regarding copyright ownership. 005 * The ASF licenses this file to You under the Apache License, Version 2.0 006 * (the "License"); you may not use this file except in compliance with 007 * the License. You may obtain a copy of the License at 008 * 009 * http://www.apache.org/licenses/LICENSE-2.0 010 * 011 * Unless required by applicable law or agreed to in writing, software 012 * distributed under the License is distributed on an "AS IS" BASIS, 013 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 014 * See the License for the specific language governing permissions and 015 * limitations under the License. 016 */ 017package org.apache.commons.fileupload.disk; 018 019import java.io.File; 020 021import org.apache.commons.fileupload.FileItem; 022import org.apache.commons.fileupload.FileItemFactory; 023import org.apache.commons.io.FileCleaningTracker; 024 025/** 026 * <p>The default {@link org.apache.commons.fileupload.FileItemFactory} 027 * implementation. This implementation creates 028 * {@link org.apache.commons.fileupload.FileItem} instances which keep their 029 * content either in memory, for smaller items, or in a temporary file on disk, 030 * for larger items. The size threshold, above which content will be stored on 031 * disk, is configurable, as is the directory in which temporary files will be 032 * created.</p> 033 * 034 * <p>If not otherwise configured, the default configuration values are as 035 * follows:</p> 036 * <ul> 037 * <li>Size threshold is 10KB.</li> 038 * <li>Repository is the system default temp directory, as returned by 039 * <code>System.getProperty("java.io.tmpdir")</code>.</li> 040 * </ul> 041 * <p> 042 * <b>NOTE</b>: Files are created in the system default temp directory with 043 * predictable names. This means that a local attacker with write access to that 044 * directory can perform a TOUTOC attack to replace any uploaded file with a 045 * file of the attackers choice. The implications of this will depend on how the 046 * uploaded file is used but could be significant. When using this 047 * implementation in an environment with local, untrusted users, 048 * {@link #setRepository(File)} MUST be used to configure a repository location 049 * that is not publicly writable. In a Servlet container the location identified 050 * by the ServletContext attribute <code>javax.servlet.context.tempdir</code> 051 * may be used. 052 * </p> 053 * 054 * <p>Temporary files, which are created for file items, should be 055 * deleted later on. The best way to do this is using a 056 * {@link FileCleaningTracker}, which you can set on the 057 * {@link DiskFileItemFactory}. However, if you do use such a tracker, 058 * then you must consider the following: Temporary files are automatically 059 * deleted as soon as they are no longer needed. (More precisely, when the 060 * corresponding instance of {@link java.io.File} is garbage collected.) 061 * This is done by the so-called reaper thread, which is started and stopped 062 * automatically by the {@link FileCleaningTracker} when there are files to be 063 * tracked. 064 * It might make sense to terminate that thread, for example, if 065 * your web application ends. See the section on "Resource cleanup" 066 * in the users guide of commons-fileupload.</p> 067 * 068 * @since FileUpload 1.1 069 */ 070public class DiskFileItemFactory implements FileItemFactory { 071 072 // ----------------------------------------------------- Manifest constants 073 074 /** 075 * The default threshold above which uploads will be stored on disk. 076 */ 077 public static final int DEFAULT_SIZE_THRESHOLD = 10240; 078 079 // ----------------------------------------------------- Instance Variables 080 081 /** 082 * The directory in which uploaded files will be stored, if stored on disk. 083 */ 084 private File repository; 085 086 /** 087 * The threshold above which uploads will be stored on disk. 088 */ 089 private int sizeThreshold = DEFAULT_SIZE_THRESHOLD; 090 091 /** 092 * <p>The instance of {@link FileCleaningTracker}, which is responsible 093 * for deleting temporary files.</p> 094 * <p>May be null, if tracking files is not required.</p> 095 */ 096 private FileCleaningTracker fileCleaningTracker; 097 098 // ----------------------------------------------------------- Constructors 099 100 /** 101 * Constructs an unconfigured instance of this class. The resulting factory 102 * may be configured by calling the appropriate setter methods. 103 */ 104 public DiskFileItemFactory() { 105 this(DEFAULT_SIZE_THRESHOLD, null); 106 } 107 108 /** 109 * Constructs a preconfigured instance of this class. 110 * 111 * @param sizeThreshold The threshold, in bytes, below which items will be 112 * retained in memory and above which they will be 113 * stored as a file. 114 * @param repository The data repository, which is the directory in 115 * which files will be created, should the item size 116 * exceed the threshold. 117 */ 118 public DiskFileItemFactory(int sizeThreshold, File repository) { 119 this.sizeThreshold = sizeThreshold; 120 this.repository = repository; 121 } 122 123 // ------------------------------------------------------------- Properties 124 125 /** 126 * Returns the directory used to temporarily store files that are larger 127 * than the configured size threshold. 128 * 129 * @return The directory in which temporary files will be located. 130 * 131 * @see #setRepository(java.io.File) 132 * 133 */ 134 public File getRepository() { 135 return repository; 136 } 137 138 /** 139 * Sets the directory used to temporarily store files that are larger 140 * than the configured size threshold. 141 * 142 * @param repository The directory in which temporary files will be located. 143 * 144 * @see #getRepository() 145 * 146 */ 147 public void setRepository(File repository) { 148 this.repository = repository; 149 } 150 151 /** 152 * Returns the size threshold beyond which files are written directly to 153 * disk. The default value is 10240 bytes. 154 * 155 * @return The size threshold, in bytes. 156 * 157 * @see #setSizeThreshold(int) 158 */ 159 public int getSizeThreshold() { 160 return sizeThreshold; 161 } 162 163 /** 164 * Sets the size threshold beyond which files are written directly to disk. 165 * 166 * @param sizeThreshold The size threshold, in bytes. 167 * 168 * @see #getSizeThreshold() 169 * 170 */ 171 public void setSizeThreshold(int sizeThreshold) { 172 this.sizeThreshold = sizeThreshold; 173 } 174 175 // --------------------------------------------------------- Public Methods 176 177 /** 178 * Create a new {@link org.apache.commons.fileupload.disk.DiskFileItem} 179 * instance from the supplied parameters and the local factory 180 * configuration. 181 * 182 * @param fieldName The name of the form field. 183 * @param contentType The content type of the form field. 184 * @param isFormField <code>true</code> if this is a plain form field; 185 * <code>false</code> otherwise. 186 * @param fileName The name of the uploaded file, if any, as supplied 187 * by the browser or other client. 188 * 189 * @return The newly created file item. 190 */ 191 public FileItem createItem(String fieldName, String contentType, 192 boolean isFormField, String fileName) { 193 DiskFileItem result = new DiskFileItem(fieldName, contentType, 194 isFormField, fileName, sizeThreshold, repository); 195 FileCleaningTracker tracker = getFileCleaningTracker(); 196 if (tracker != null) { 197 tracker.track(result.getTempFile(), result); 198 } 199 return result; 200 } 201 202 /** 203 * Returns the tracker, which is responsible for deleting temporary 204 * files. 205 * 206 * @return An instance of {@link FileCleaningTracker}, or null 207 * (default), if temporary files aren't tracked. 208 */ 209 public FileCleaningTracker getFileCleaningTracker() { 210 return fileCleaningTracker; 211 } 212 213 /** 214 * Sets the tracker, which is responsible for deleting temporary 215 * files. 216 * 217 * @param pTracker An instance of {@link FileCleaningTracker}, 218 * which will from now on track the created files, or null 219 * (default), to disable tracking. 220 */ 221 public void setFileCleaningTracker(FileCleaningTracker pTracker) { 222 fileCleaningTracker = pTracker; 223 } 224 225}