1 /* 2 * Licensed to the Apache Software Foundation (ASF) under one or more 3 * contributor license agreements. See the NOTICE file distributed with 4 * this work for additional information regarding copyright ownership. 5 * The ASF licenses this file to You under the Apache License, Version 2.0 6 * (the "License"); you may not use this file except in compliance with 7 * the License. You may obtain a copy of the License at 8 * 9 * http://www.apache.org/licenses/LICENSE-2.0 10 * 11 * Unless required by applicable law or agreed to in writing, software 12 * distributed under the License is distributed on an "AS IS" BASIS, 13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 * See the License for the specific language governing permissions and 15 * limitations under the License. 16 */ 17 package org.apache.commons.fileupload.disk; 18 19 import java.io.File; 20 21 import org.apache.commons.fileupload.FileItem; 22 import org.apache.commons.fileupload.FileItemFactory; 23 import org.apache.commons.io.FileCleaningTracker; 24 25 /** 26 * <p>The default {@link org.apache.commons.fileupload.FileItemFactory} 27 * implementation. This implementation creates 28 * {@link org.apache.commons.fileupload.FileItem} instances which keep their 29 * content either in memory, for smaller items, or in a temporary file on disk, 30 * for larger items. The size threshold, above which content will be stored on 31 * disk, is configurable, as is the directory in which temporary files will be 32 * created.</p> 33 * 34 * <p>If not otherwise configured, the default configuration values are as 35 * follows:</p> 36 * <ul> 37 * <li>Size threshold is 10KB.</li> 38 * <li>Repository is the system default temp directory, as returned by 39 * {@code System.getProperty("java.io.tmpdir")}.</li> 40 * </ul> 41 * <p> 42 * <strong>NOTE</strong>: Files are created in the system default temp directory with 43 * predictable names. This means that a local attacker with write access to that 44 * directory can perform a TOUTOC attack to replace any uploaded file with a 45 * file of the attackers choice. The implications of this will depend on how the 46 * uploaded file is used but could be significant. When using this 47 * implementation in an environment with local, untrusted users, 48 * {@link #setRepository(File)} MUST be used to configure a repository location 49 * that is not publicly writable. In a Servlet container the location identified 50 * by the ServletContext attribute {@code javax.servlet.context.tempdir} 51 * may be used. 52 * </p> 53 * 54 * <p>Temporary files, which are created for file items, should be 55 * deleted later on. The best way to do this is using a 56 * {@link FileCleaningTracker}, which you can set on the 57 * {@link DiskFileItemFactory}. However, if you do use such a tracker, 58 * then you must consider the following: Temporary files are automatically 59 * deleted as soon as they are no longer needed. (More precisely, when the 60 * corresponding instance of {@link java.io.File} is garbage collected.) 61 * This is done by the so-called reaper thread, which is started and stopped 62 * automatically by the {@link FileCleaningTracker} when there are files to be 63 * tracked. 64 * It might make sense to terminate that thread, for example, if 65 * your web application ends. See the section on "Resource cleanup" 66 * in the users guide of commons-fileupload.</p> 67 * 68 * @since FileUpload 1.1 69 */ 70 public class DiskFileItemFactory implements FileItemFactory { 71 72 /** 73 * The default threshold above which uploads will be stored on disk. 74 */ 75 public static final int DEFAULT_SIZE_THRESHOLD = 10240; 76 77 /** 78 * The directory in which uploaded files will be stored, if stored on disk. 79 */ 80 private File repository; 81 82 /** 83 * The threshold above which uploads will be stored on disk. 84 */ 85 private int sizeThreshold = DEFAULT_SIZE_THRESHOLD; 86 87 /** 88 * <p>The instance of {@link FileCleaningTracker}, which is responsible 89 * for deleting temporary files.</p> 90 * <p>May be null, if tracking files is not required.</p> 91 */ 92 private FileCleaningTracker fileCleaningTracker; 93 94 /** 95 * Default content charset to be used when no explicit charset 96 * parameter is provided by the sender. 97 */ 98 private String defaultCharset = DiskFileItem.DEFAULT_CHARSET; 99 100 /** 101 * Constructs an unconfigured instance of this class. The resulting factory 102 * may be configured by calling the appropriate setter methods. 103 */ 104 public DiskFileItemFactory() { 105 this(DEFAULT_SIZE_THRESHOLD, null); 106 } 107 108 /** 109 * Constructs a preconfigured instance of this class. 110 * 111 * @param sizeThreshold The threshold, in bytes, below which items will be 112 * retained in memory and above which they will be 113 * stored as a file. 114 * @param repository The data repository, which is the directory in 115 * which files will be created, should the item size 116 * exceed the threshold. 117 */ 118 public DiskFileItemFactory(final int sizeThreshold, final File repository) { 119 this.sizeThreshold = sizeThreshold; 120 this.repository = repository; 121 } 122 123 /** 124 * Create a new {@link DiskFileItem} 125 * instance from the supplied parameters and the local factory 126 * configuration. 127 * 128 * @param fieldName The name of the form field. 129 * @param contentType The content type of the form field. 130 * @param isFormField {@code true} if this is a plain form field; 131 * {@code false} otherwise. 132 * @param fileName The name of the uploaded file, if any, as supplied 133 * by the browser or other client. 134 * 135 * @return The newly created file item. 136 */ 137 @Override 138 public FileItem createItem(final String fieldName, final String contentType, 139 final boolean isFormField, final String fileName) { 140 final DiskFileItem result = new DiskFileItem(fieldName, contentType, 141 isFormField, fileName, sizeThreshold, repository); 142 result.setDefaultCharset(defaultCharset); 143 final FileCleaningTracker tracker = getFileCleaningTracker(); 144 if (tracker != null) { 145 tracker.track(result.getTempFile(), result); 146 } 147 return result; 148 } 149 150 /** 151 * Gets the default charset for use when no explicit charset 152 * parameter is provided by the sender. 153 * @return the default charset 154 */ 155 public String getDefaultCharset() { 156 return defaultCharset; 157 } 158 159 /** 160 * Gets the tracker, which is responsible for deleting temporary 161 * files. 162 * 163 * @return An instance of {@link FileCleaningTracker}, or null 164 * (default), if temporary files aren't tracked. 165 */ 166 public FileCleaningTracker getFileCleaningTracker() { 167 return fileCleaningTracker; 168 } 169 170 /** 171 * Gets the directory used to temporarily store files that are larger 172 * than the configured size threshold. 173 * 174 * @return The directory in which temporary files will be located. 175 * @see #setRepository(java.io.File) 176 * 177 */ 178 public File getRepository() { 179 return repository; 180 } 181 182 /** 183 * Gets the size threshold beyond which files are written directly to 184 * disk. The default value is 10240 bytes. 185 * 186 * @return The size threshold, in bytes. 187 * @see #setSizeThreshold(int) 188 */ 189 public int getSizeThreshold() { 190 return sizeThreshold; 191 } 192 193 /** 194 * Sets the default charset for use when no explicit charset 195 * parameter is provided by the sender. 196 * 197 * @param charset the default charset 198 */ 199 public void setDefaultCharset(final String charset) { 200 this.defaultCharset = charset; 201 } 202 203 /** 204 * Sets the tracker, which is responsible for deleting temporary 205 * files. 206 * 207 * @param fileCleaningTracker An instance of {@link FileCleaningTracker}, 208 * which will from now on track the created files, or null 209 * (default), to disable tracking. 210 */ 211 public void setFileCleaningTracker(final FileCleaningTracker fileCleaningTracker) { 212 this.fileCleaningTracker = fileCleaningTracker; 213 } 214 215 /** 216 * Sets the directory used to temporarily store files that are larger 217 * than the configured size threshold. 218 * 219 * @param repository The directory in which temporary files will be located. 220 * @see #getRepository() 221 * 222 */ 223 public void setRepository(final File repository) { 224 this.repository = repository; 225 } 226 227 /** 228 * Sets the size threshold beyond which files are written directly to disk. 229 * 230 * @param sizeThreshold The size threshold, in bytes. 231 * @see #getSizeThreshold() 232 * 233 */ 234 public void setSizeThreshold(final int sizeThreshold) { 235 this.sizeThreshold = sizeThreshold; 236 } 237 }