
Commit 19fafad

authored
Merge pull request #32 from granadacoder/feature/version-uplift-and-code-chgs-2024-oct-a
Version uplifts for vulnerabilities. Fix for org.apache.tomcat.util.http.fileupload.servlet.ServletFileUpload, which no longer exists.
2 parents 402599f + d3cd132 commit 19fafad


3 files changed

+54
-48
lines changed


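--- a/pom.xml
+++ b/pom.xml
@@ -151,7 +151,7 @@
 <dependency>
 <groupId>commons-io</groupId>
 <artifactId>commons-io</artifactId>
-<version>2.14.0</version>
+<version>2.17.0</version>
 </dependency>
 <dependency>
 <groupId>com.jcraft</groupId>
@@ -167,7 +167,7 @@
 <dependency>
 <groupId>com.auth0</groupId>
 <artifactId>java-jwt</artifactId>
-<version>4.2.1</version>
+<version>4.4.0</version>
 </dependency>
 
 <dependency>
@@ -246,17 +246,25 @@
 <dependency>
 <groupId>org.apache.tomcat.embed</groupId>
 <artifactId>tomcat-embed-core</artifactId>
-<version>9.0.90</version>
+<version>9.0.95</version>
 </dependency>
 
 <dependency>
 <groupId>org.apache.tomcat</groupId>
 <artifactId>tomcat-jdbc</artifactId>
-<version>9.0.71</version>
+<version>9.0.95</version>
 </dependency>
 
 
-<!-- API, java.xml.bind module. Required for modern versions of MS SQL Server Drivers -->
+<dependency>
+<groupId>org.apache.commons</groupId>
+<artifactId>commons-fileupload2-javax</artifactId>
+<version>2.0.0-M2</version>
+</dependency>
+
+
+
+<!-- API, java.xml.bind module. Required for modern versions of MS SQL Server Drivers -->
 <dependency>
 <groupId>jakarta.xml.bind</groupId>
 <artifactId>jakarta.xml.bind-api</artifactId>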
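Review bot: The new `commons-fileupload2-javax` dependency in the third hunk is pinned to `2.0.0-M2`, a milestone (pre-release) artifact, while every other change in this file moves to a GA release; since this library now sits on the multipart-parsing path of the server, the choice deserves an explanation next to it, e.g. `<!-- 2.0.0-M2 is a milestone release; move to the first GA release of fileupload2 once published -->`. Keeping `tomcat-embed-core` and `tomcat-jdbc` on the same `9.0.95` line is otherwise a sensible outcome of this hunk.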

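--- a/src/main/java/org/kawanfw/sql/api/server/blob/DefaultBlobUploadConfigurator.java
+++ b/src/main/java/org/kawanfw/sql/api/server/blob/DefaultBlobUploadConfigurator.java
@@ -11,6 +11,19 @@
 */
 package org.kawanfw.sql.api.server.blob;
 
+//see https://commons.apache.org/proper/commons-fileupload/migration.html and https://stackoverflow.com/a/79047694
+import org.apache.commons.fileupload2.core.DiskFileItemFactory;
+import org.apache.commons.fileupload2.core.FileItemInput;
+import org.apache.commons.fileupload2.core.FileItemInputIterator;
+import org.apache.commons.fileupload2.javax.JavaxServletFileUpload;
+import org.apache.commons.io.FileUtils;
+import org.apache.commons.io.IOUtils;
+import org.apache.commons.lang3.SystemUtils;
+import org.kawanfw.sql.util.FrameworkDebug;
+import org.kawanfw.sql.util.FrameworkFileUtil;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
 import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
@@ -21,20 +34,6 @@
 import java.nio.file.StandardCopyOption;
 import java.util.Date;
 
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.apache.commons.io.FileUtils;
-import org.apache.commons.lang3.SystemUtils;
-import org.apache.tomcat.util.http.fileupload.FileItemIterator;
-import org.apache.tomcat.util.http.fileupload.FileItemStream;
-import org.apache.tomcat.util.http.fileupload.FileUploadException;
-import org.apache.tomcat.util.http.fileupload.disk.DiskFileItemFactory;
-import org.apache.tomcat.util.http.fileupload.servlet.ServletFileUpload;
-import org.apache.tomcat.util.http.fileupload.util.Streams;
-import org.kawanfw.sql.util.FrameworkDebug;
-import org.kawanfw.sql.util.FrameworkFileUtil;
-
 /**
 *
 * Class that allows uploading Blob/Clobs. Default implementation. <br>
@@ -57,15 +56,15 @@ public class DefaultBlobUploadConfigurator implements BlobUploadConfigurator {
 */
 @Override
 public void upload(HttpServletRequest request, HttpServletResponse response, File blobDirectory, long maxBlobLength)
-throws IOException, FileUploadException {
+throws IOException {
 
 debug("in upload()");
 
 response.setContentType("text/html");
 // Prepare the response
 
 // Check that we have a file upload request
-boolean isMultipart = ServletFileUpload.isMultipartContent(request);
+boolean isMultipart = JavaxServletFileUpload.isMultipartContent(request);
 debug("isMultipart: " + isMultipart);
 
 if (!isMultipart) {
@@ -78,12 +77,14 @@ public void upload(HttpServletRequest request, HttpServletResponse response, Fil
 debug("tempRepository: " + tempRepository);
 
 // Create a factory for disk-based file items
-DiskFileItemFactory factory = new DiskFileItemFactory();
-factory.setRepository(tempRepository);
+//DiskFileItemFactory factory = new DiskFileItemFactory();
+//factory.setRepository(tempRepository);
+DiskFileItemFactory factory =
+new DiskFileItemFactory.Builder().setPath(tempRepository.getPath()).get();
 
 // Create a new file upload handler using the factory
 // that define the secure temp dir
-ServletFileUpload upload = new ServletFileUpload(factory);
+JavaxServletFileUpload upload = new JavaxServletFileUpload(factory);
 
 debug("maxBlobLength: " + maxBlobLength);
 if (DEBUG) {
@@ -99,22 +100,22 @@ public void upload(HttpServletRequest request, HttpServletResponse response, Fil
 }
 
 // Parse the request
-FileItemIterator iter = upload.getItemIterator(request);
+FileItemInputIterator iter = upload.getItemIterator(request);
 
 String blobId = null;
 // Parse the request
 while (iter.hasNext()) {
-FileItemStream item = iter.next();
+FileItemInput item = iter.next();
 String name = item.getFieldName();
 debug("name: " + name);
 
 // The input Stream for the File
 
-try (InputStream inputstream = item.openStream()) {
+try (InputStream inputstream = item.getInputStream()) {
 
 if (item.isFormField()) {
 if (name.equals("blob_id")) {
-blobId = Streams.asString(inputstream);
+blobId = IOUtils.toString(inputstream, StandardCharsets.UTF_8);
 debug("blob_id: " + blobId);
 }
 } else {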
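Review bot: The commented-out `//DiskFileItemFactory factory = new DiskFileItemFactory();` and `//factory.setRepository(tempRepository);` lines in the `@@ -78` hunk are dead code now that the `DiskFileItemFactory.Builder` form replaces them, and should be deleted rather than kept as history. More importantly, the code that applies `maxBlobLength` to the upload handler is not in this diff (it presumably follows `debug("maxBlobLength: " + maxBlobLength)` outside the hunk), so it is worth confirming that the limit is still set on the new `JavaxServletFileUpload` instance and that it has the same meaning (per-file vs whole-request) in fileupload2 as in the Tomcat fork it replaces. Since the `while (iter.hasNext())` loop processes every part of the request, setting an explicit part-count limit on `upload` alongside the size limit would keep the parse bounded regardless of the library's default. The `upload` method body continues past the last hunk.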

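--- a/src/main/java/org/kawanfw/sql/servlet/ServerSqlDispatch.java
+++ b/src/main/java/org/kawanfw/sql/servlet/ServerSqlDispatch.java
@@ -11,22 +11,9 @@
 */
 package org.kawanfw.sql.servlet;
 
-import java.io.FileNotFoundException;
-import java.io.IOException;
-import java.io.OutputStream;
-import java.sql.Connection;
-import java.sql.DatabaseMetaData;
-import java.sql.SQLException;
-import java.util.Date;
-import java.util.Enumeration;
-import java.util.Set;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
+//see https://commons.apache.org/proper/commons-fileupload/migration.html and https://stackoverflow.com/a/79047694
+import org.apache.commons.fileupload2.javax.JavaxServletFileUpload;
 import org.apache.commons.lang3.exception.ExceptionUtils;
-import org.apache.tomcat.util.http.fileupload.FileUploadException;
-import org.apache.tomcat.util.http.fileupload.servlet.ServletFileUpload;
 import org.kawanfw.sql.api.server.DatabaseConfigurator;
 import org.kawanfw.sql.api.server.firewall.SqlFirewallManager;
 import org.kawanfw.sql.metadata.dto.DatabaseInfoDto;
@@ -51,6 +38,18 @@
 import org.kawanfw.sql.util.FrameworkDebug;
 import org.kawanfw.sql.version.VersionWrapper;
 
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.io.OutputStream;
+import java.sql.Connection;
+import java.sql.DatabaseMetaData;
+import java.sql.SQLException;
+import java.util.Date;
+import java.util.Enumeration;
+import java.util.Set;
+
 /**
 * @author Nicolas de Pomereu
 *
@@ -74,10 +73,9 @@ public class ServerSqlDispatch {
 * @param out
 * @throws IOException if any IOException occurs
 * @throws SQLException
-* @throws FileUploadException
 */
 public void executeRequestInTryCatch(HttpServletRequest request, HttpServletResponse response, OutputStream out)
-throws IOException, SQLException, FileUploadException {
+throws IOException, SQLException {
 
 if (doBlobUpload(request, response, out)) {
 return;
@@ -517,15 +515,14 @@ private void treatCloseAction(HttpServletResponse response, OutputStream out, St
 * @param response
 * @param out
 * @throws IOException
-* @throws FileUploadException
 * @throws SQLException
 */
 private boolean doBlobUpload(HttpServletRequest request, HttpServletResponse response, OutputStream out)
-throws IOException, FileUploadException, SQLException {
+throws IOException, SQLException {
 // Immediate catch if we are asking a file upload, because
 // parameters are in unknown sequence.
 // We know it's a upload action if it's mime Multipart
-if (ServletFileUpload.isMultipartContent(request)) {
+if (JavaxServletFileUpload.isMultipartContent(request)) {
 BlobUploader blobUploader = new BlobUploader(request, response, out);
 blobUploader.blobUpload();
 return true;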
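Review bot: Dropping `FileUploadException` from the `throws` clauses of `executeRequestInTryCatch` and `doBlobUpload` narrows the declared contract; in fileupload2 that exception type is an `IOException` subclass so propagation still compiles, but any caller that previously caught `FileUploadException` on its own to report a malformed upload distinctly (not visible in this diff) will now only see it as an `IOException`, which is worth checking at the call sites. The remaining `@throws IOException` tag on `doBlobUpload` has no description; `@throws IOException if reading the request or parsing the multipart upload fails` would document the new source of that exception. Both methods continue outside their hunks.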
