diff options
author | Martin Stockhammer <martin_s@apache.org> | 2019-03-03 00:10:49 +0100 |
---|---|---|
committer | Martin Stockhammer <martin_s@apache.org> | 2019-03-03 00:10:49 +0100 |
commit | cc0d8ad0b525e641855319812877fdc6c8cd327c (patch) | |
tree | 3632760dce6982b3dbfdac46357c649a848662f8 | |
parent | be4dab11592ec402fb4349f84fe7c535ce889abc (diff) | |
download | archiva-cc0d8ad0b525e641855319812877fdc6c8cd327c.tar.gz archiva-cc0d8ad0b525e641855319812877fdc6c8cd327c.zip |
Adding additional verifications for upload
-rw-r--r-- | archiva-modules/archiva-web/archiva-web-common/src/main/java/org/apache/archiva/web/api/DefaultFileUploadService.java | 29 |
1 files changed, 25 insertions, 4 deletions
diff --git a/archiva-modules/archiva-web/archiva-web-common/src/main/java/org/apache/archiva/web/api/DefaultFileUploadService.java b/archiva-modules/archiva-web/archiva-web-common/src/main/java/org/apache/archiva/web/api/DefaultFileUploadService.java index 4fd8f6808..71199866c 100644 --- a/archiva-modules/archiva-web/archiva-web-common/src/main/java/org/apache/archiva/web/api/DefaultFileUploadService.java +++ b/archiva-modules/archiva-web/archiva-web-common/src/main/java/org/apache/archiva/web/api/DefaultFileUploadService.java @@ -69,6 +69,7 @@ import java.io.File; import java.io.FileOutputStream; import java.io.FileWriter; import java.io.IOException; +import java.net.URLDecoder; import java.nio.file.*; import java.text.DateFormat; import java.text.SimpleDateFormat; @@ -115,7 +116,8 @@ public class DefaultFileUploadService throws IOException { Attachment attachment = multipartBody.getAttachment( attachmentId ); - return attachment == null ? "" : IOUtils.toString( attachment.getDataHandler().getInputStream() ); + return attachment == null ? "" : + StringUtils.trim(URLDecoder.decode(IOUtils.toString( attachment.getDataHandler().getInputStream() ), "UTF-8")); } @Override @@ -128,9 +130,26 @@ public class DefaultFileUploadService String classifier = getStringValue( multipartBody, "classifier" ); String packaging = getStringValue( multipartBody, "packaging" ); + + checkParamChars( "classifier", classifier ); + checkParamChars( "packaging", packaging); + // skygo: http header form pomFile was once sending 1 for true and void for false // leading to permanent false value for pomFile if using toBoolean(); use , "1", "" - boolean pomFile = BooleanUtils.toBoolean( getStringValue( multipartBody, "pomFile" ) ); + + boolean pomFile = false; + try + { + pomFile = BooleanUtils.toBoolean( getStringValue( multipartBody, "pomFile" ) ); + } + catch ( IllegalArgumentException ex ) + { + ArchivaRestServiceException e = new ArchivaRestServiceException("Bad value for boolean pomFile field.", null); + e.setHttpErrorCode(422); + e.setFieldName( "pomFile" ); + e.setErrorKey("fileupload.malformed.pomFile"); + throw e; + } Attachment file = multipartBody.getAttachment( "files[]" ); @@ -141,7 +160,7 @@ public class DefaultFileUploadService ArchivaRestServiceException e = new ArchivaRestServiceException("Bad filename in upload content: " + fileName + " - File traversal chars (..|/) are not allowed" , null); e.setHttpErrorCode(422); - e.setErrorKey("error.upload.malformed.filename"); + e.setErrorKey("fileupload.malformed.filename"); throw e; } @@ -249,7 +268,7 @@ public class DefaultFileUploadService if (!hasValidChars(value)) { ArchivaRestServiceException e = new ArchivaRestServiceException("Bad characters in " + param, null); e.setHttpErrorCode(422); - e.setErrorKey("error.upload.malformed.param." + param); + e.setErrorKey("fileupload.malformed.param"); e.setFieldName(param); throw e; } @@ -269,8 +288,10 @@ public class DefaultFileUploadService checkParamChars("repositoryId", repositoryId); checkParamChars("groupId", groupId); checkParamChars("artifactId", artifactId); + checkParamChars( "version", version); checkParamChars("packaging", packaging); + List<FileMetadata> fileMetadatas = getSessionFilesList(); if ( fileMetadatas == null || fileMetadatas.isEmpty() ) { |