1 /*
2 * Licensed to the Apache Software Foundation (ASF) under one or more
3 * contributor license agreements. See the NOTICE file distributed with
4 * this work for additional information regarding copyright ownership.
5 * The ASF licenses this file to You under the Apache License, Version 2.0
6 * (the "License"); you may not use this file except in compliance with
7 * the License. You may obtain a copy of the License at
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 */
17 package org.apache.commons.fileupload.disk;
18
19 import java.io.File;
20
21 import org.apache.commons.fileupload.FileItem;
22 import org.apache.commons.fileupload.FileItemFactory;
23 import org.apache.commons.io.FileCleaningTracker;
24
25 /**
26 * <p>The default {@link org.apache.commons.fileupload.FileItemFactory}
27 * implementation. This implementation creates
28 * {@link org.apache.commons.fileupload.FileItem} instances which keep their
29 * content either in memory, for smaller items, or in a temporary file on disk,
30 * for larger items. The size threshold, above which content will be stored on
31 * disk, is configurable, as is the directory in which temporary files will be
32 * created.</p>
33 *
34 * <p>If not otherwise configured, the default configuration values are as
35 * follows:</p>
36 * <ul>
37 * <li>Size threshold is 10KB.</li>
38 * <li>Repository is the system default temp directory, as returned by
39 * <code>System.getProperty("java.io.tmpdir")</code>.</li>
40 * </ul>
41 * <p>
42 * <b>NOTE</b>: Files are created in the system default temp directory with
43 * predictable names. This means that a local attacker with write access to that
44 * directory can perform a TOCTOU (time-of-check to time-of-use) attack to replace any uploaded file with a
45 * file of the attacker's choice. The implications of this will depend on how the
46 * uploaded file is used but could be significant. When using this
47 * implementation in an environment with local, untrusted users,
48 * {@link #setRepository(File)} MUST be used to configure a repository location
49 * that is not publicly writable. In a Servlet container the location identified
50 * by the ServletContext attribute <code>javax.servlet.context.tempdir</code>
51 * may be used.
52 * </p>
53 *
54 * <p>Temporary files, which are created for file items, should be
55 * deleted later on. The best way to do this is using a
56 * {@link FileCleaningTracker}, which you can set on the
57 * {@link DiskFileItemFactory}. However, if you do use such a tracker,
58 * then you must consider the following: Temporary files are automatically
59 * deleted as soon as they are no longer needed. (More precisely, when the
60 * corresponding instance of {@link java.io.File} is garbage collected.)
61 * This is done by the so-called reaper thread, which is started and stopped
62 * automatically by the {@link FileCleaningTracker} when there are files to be
63 * tracked.
64 * It might make sense to terminate that thread, for example, if
65 * your web application ends. See the section on "Resource cleanup"
66 * in the user's guide of commons-fileupload.</p>
67 *
68 * @since FileUpload 1.1
69 */
public class DiskFileItemFactory implements FileItemFactory {

    /**
     * Default size, in bytes, above which an upload is stored on disk
     * rather than kept in memory (10240 bytes).
     */
    public static final int DEFAULT_SIZE_THRESHOLD = 10240;

    /**
     * Directory that receives the temporary files of items stored on disk.
     * May be {@code null}; the class documentation states that the system
     * default temp directory is used when no repository is configured (that
     * fallback is not implemented in this class).
     */
    private File repository;

    /**
     * Size, in bytes, above which an upload is stored on disk.
     */
    private int sizeThreshold = DEFAULT_SIZE_THRESHOLD;

    /**
     * Tracker that deletes temporary files, or {@code null} when the
     * created files are not tracked.
     */
    private FileCleaningTracker fileCleaningTracker;

    /**
     * Charset applied to items whose sender supplied no explicit charset
     * parameter.
     */
    private String defaultCharset = DiskFileItem.DEFAULT_CHARSET;

    /**
     * Creates a factory with the default size threshold and no repository
     * configured. Use the setters to configure it afterwards.
     *
     * <p>With no repository set, temporary files go to the system default
     * temp directory (see the class documentation for the risk this carries
     * on hosts with local, untrusted users).</p>
     */
    public DiskFileItemFactory() {
        this(DEFAULT_SIZE_THRESHOLD, null);
    }

    /**
     * Creates a factory with the given threshold and repository.
     *
     * @param sizeThreshold The size, in bytes, up to which items are held in
     *                      memory and beyond which they are written to a
     *                      file. The value is stored as given.
     * @param repository    The directory in which files are created for
     *                      items larger than the threshold. Stored as given;
     *                      this constructor does not check that it exists or
     *                      who may write to it.
     */
    public DiskFileItemFactory(int sizeThreshold, File repository) {
        this.repository = repository;
        this.sizeThreshold = sizeThreshold;
    }

    /**
     * Gets the directory that holds the temporary files of items larger
     * than the configured size threshold.
     *
     * @return The configured temporary-file directory; {@code null} if none
     *         was set.
     *
     * @see #setRepository(java.io.File)
     */
    public File getRepository() {
        return this.repository;
    }

    /**
     * Configures the directory that holds the temporary files of items
     * larger than the configured size threshold.
     *
     * <p>As the class documentation explains, temporary file names are
     * predictable, so on a host with local, untrusted users this should be
     * a directory that is not publicly writable. This setter stores the
     * value without checking existence or permissions.</p>
     *
     * @param repository The directory in which temporary files will be
     *                   located.
     *
     * @see #getRepository()
     */
    public void setRepository(File repository) {
        this.repository = repository;
    }

    /**
     * Gets the size beyond which items are written to disk. Unless changed,
     * this is 10240 bytes.
     *
     * @return The size threshold, in bytes.
     *
     * @see #setSizeThreshold(int)
     */
    public int getSizeThreshold() {
        return this.sizeThreshold;
    }

    /**
     * Configures the size beyond which items are written to disk. The value
     * is stored as given, without range checks.
     *
     * @param sizeThreshold The size threshold, in bytes.
     *
     * @see #getSizeThreshold()
     */
    public void setSizeThreshold(int sizeThreshold) {
        this.sizeThreshold = sizeThreshold;
    }

    /**
     * Builds a {@link org.apache.commons.fileupload.disk.DiskFileItem} from
     * the arguments and this factory's current threshold, repository and
     * default charset. When a tracker is configured, the item's temporary
     * file is registered with it, using the item itself as the marker.
     *
     * @param fieldName   The name of the form field.
     * @param contentType The content type of the form field.
     * @param isFormField <code>true</code> for a plain form field;
     *                    <code>false</code> otherwise.
     * @param fileName    The name of the uploaded file, if any, as supplied
     *                    by the browser or other client. It is client
     *                    controlled and is handed on unchanged; this factory
     *                    performs no validation of it.
     *
     * @return The newly created file item.
     */
    @Override
    public FileItem createItem(String fieldName, String contentType,
            boolean isFormField, String fileName) {
        final DiskFileItem item = new DiskFileItem(
                fieldName, contentType, isFormField, fileName,
                sizeThreshold, repository);
        item.setDefaultCharset(defaultCharset);

        // Read the tracker through the getter, as the original does, so a
        // subclass overriding it is still honoured.
        final FileCleaningTracker cleaner = getFileCleaningTracker();
        if (cleaner == null) {
            return item;
        }
        cleaner.track(item.getTempFile(), item);
        return item;
    }

    /**
     * Gets the tracker responsible for deleting temporary files.
     *
     * @return The configured {@link FileCleaningTracker}, or null
     *         (the default) when temporary files are not tracked.
     */
    public FileCleaningTracker getFileCleaningTracker() {
        return this.fileCleaningTracker;
    }

    /**
     * Configures the tracker responsible for deleting temporary files.
     *
     * @param pTracker The {@link FileCleaningTracker} that tracks files
     *                 created from now on, or null (the default) to
     *                 disable tracking.
     */
    public void setFileCleaningTracker(FileCleaningTracker pTracker) {
        this.fileCleaningTracker = pTracker;
    }

    /**
     * Gets the charset used when the sender provides no explicit charset
     * parameter.
     *
     * @return the default charset
     */
    public String getDefaultCharset() {
        return this.defaultCharset;
    }

    /**
     * Configures the charset used when the sender provides no explicit
     * charset parameter.
     *
     * @param pCharset the default charset
     */
    public void setDefaultCharset(String pCharset) {
        this.defaultCharset = pCharset;
    }
}