Jake Slack | 03928ae | 2014-05-13 18:41:56 -0700 | [diff] [blame] | 1 | // |
| 2 | // ======================================================================== |
| 3 | // Copyright (c) 1995-2014 Mort Bay Consulting Pty. Ltd. |
| 4 | // ------------------------------------------------------------------------ |
| 5 | // All rights reserved. This program and the accompanying materials |
| 6 | // are made available under the terms of the Eclipse Public License v1.0 |
| 7 | // and Apache License v2.0 which accompanies this distribution. |
| 8 | // |
| 9 | // The Eclipse Public License is available at |
| 10 | // http://www.eclipse.org/legal/epl-v10.html |
| 11 | // |
| 12 | // The Apache License v2.0 is available at |
| 13 | // http://www.opensource.org/licenses/apache2.0.php |
| 14 | // |
| 15 | // You may elect to redistribute this code under either of these licenses. |
| 16 | // ======================================================================== |
| 17 | // |
| 18 | |
| 19 | package org.eclipse.jetty.servlets; |
| 20 | |
| 21 | import java.io.BufferedInputStream; |
| 22 | import java.io.BufferedOutputStream; |
| 23 | import java.io.ByteArrayOutputStream; |
| 24 | import java.io.File; |
| 25 | import java.io.FileOutputStream; |
| 26 | import java.io.IOException; |
| 27 | import java.io.InputStream; |
| 28 | import java.io.OutputStream; |
| 29 | import java.io.UnsupportedEncodingException; |
| 30 | import java.util.ArrayList; |
| 31 | import java.util.Collection; |
| 32 | import java.util.Collections; |
| 33 | import java.util.Enumeration; |
| 34 | import java.util.HashMap; |
| 35 | import java.util.Iterator; |
| 36 | import java.util.List; |
| 37 | import java.util.Locale; |
| 38 | import java.util.Map; |
| 39 | |
| 40 | import javax.servlet.Filter; |
| 41 | import javax.servlet.FilterChain; |
| 42 | import javax.servlet.FilterConfig; |
| 43 | import javax.servlet.MultipartConfigElement; |
| 44 | import javax.servlet.ServletContext; |
| 45 | import javax.servlet.ServletException; |
| 46 | import javax.servlet.ServletRequest; |
| 47 | import javax.servlet.ServletResponse; |
| 48 | import javax.servlet.http.HttpServletRequest; |
| 49 | import javax.servlet.http.HttpServletRequestWrapper; |
| 50 | import javax.servlet.http.Part; |
| 51 | |
| 52 | import org.eclipse.jetty.util.IO; |
| 53 | import org.eclipse.jetty.http.MimeTypes; |
| 54 | import org.eclipse.jetty.io.ByteArrayBuffer; |
| 55 | import org.eclipse.jetty.util.LazyList; |
| 56 | import org.eclipse.jetty.util.MultiMap; |
| 57 | import org.eclipse.jetty.util.MultiPartInputStream; |
| 58 | import org.eclipse.jetty.util.QuotedStringTokenizer; |
| 59 | import org.eclipse.jetty.util.StringUtil; |
| 60 | import org.eclipse.jetty.util.TypeUtil; |
| 61 | import org.eclipse.jetty.util.log.Log; |
| 62 | import org.eclipse.jetty.util.log.Logger; |
| 63 | |
| 64 | /* ------------------------------------------------------------ */ |
| 65 | /** |
| 66 | * Multipart Form Data Filter. |
| 67 | * <p> |
| 68 | * This class decodes the multipart/form-data stream sent by a HTML form that uses a file input |
| 69 | * item. Any files sent are stored to a temporary file and a File object added to the request |
| 70 | * as an attribute. All other values are made available via the normal getParameter API and |
| 71 | * the setCharacterEncoding mechanism is respected when converting bytes to Strings. |
| 72 | * <p> |
| 73 | * If the init parameter "delete" is set to "true", any files created will be deleted when the |
| 74 | * current request returns. |
| 75 | * <p> |
| 76 | * The init parameter maxFormKeys sets the maximum number of keys that may be present in a |
| 77 | * form (default set by system property org.eclipse.jetty.server.Request.maxFormKeys or 1000) to protect |
| 78 | * against DOS attacks by bad hash keys. |
| 79 | * <p> |
| 80 | * The init parameter deleteFiles controls if uploaded files are automatically deleted after the request |
| 81 | * completes. |
| 82 | * |
| 83 | * Use init parameter "maxFileSize" to set the max size file that can be uploaded. |
| 84 | * |
| 85 | * Use init parameter "maxRequestSize" to limit the size of the multipart request. |
| 86 | * |
| 87 | */ |
| 88 | public class MultiPartFilter implements Filter |
| 89 | { |
| 90 | private static final Logger LOG = Log.getLogger(MultiPartFilter.class); |
| 91 | public final static String CONTENT_TYPE_SUFFIX=".org.eclipse.jetty.servlet.contentType"; |
| 92 | private final static String MULTIPART = "org.eclipse.jetty.servlet.MultiPartFile.multiPartInputStream"; |
| 93 | private File tempdir; |
| 94 | private boolean _deleteFiles; |
| 95 | private ServletContext _context; |
| 96 | private int _fileOutputBuffer = 0; |
| 97 | private long _maxFileSize = -1L; |
| 98 | private long _maxRequestSize = -1L; |
| 99 | private int _maxFormKeys = Integer.getInteger("org.eclipse.jetty.server.Request.maxFormKeys",1000).intValue(); |
| 100 | |
| 101 | /* ------------------------------------------------------------------------------- */ |
| 102 | /** |
| 103 | * @see javax.servlet.Filter#init(javax.servlet.FilterConfig) |
| 104 | */ |
| 105 | public void init(FilterConfig filterConfig) throws ServletException |
| 106 | { |
| 107 | tempdir=(File)filterConfig.getServletContext().getAttribute("javax.servlet.context.tempdir"); |
| 108 | _deleteFiles="true".equals(filterConfig.getInitParameter("deleteFiles")); |
| 109 | String fileOutputBuffer = filterConfig.getInitParameter("fileOutputBuffer"); |
| 110 | if(fileOutputBuffer!=null) |
| 111 | _fileOutputBuffer = Integer.parseInt(fileOutputBuffer); |
| 112 | String maxFileSize = filterConfig.getInitParameter("maxFileSize"); |
| 113 | if (maxFileSize != null) |
| 114 | _maxFileSize = Long.parseLong(maxFileSize.trim()); |
| 115 | String maxRequestSize = filterConfig.getInitParameter("maxRequestSize"); |
| 116 | if (maxRequestSize != null) |
| 117 | _maxRequestSize = Long.parseLong(maxRequestSize.trim()); |
| 118 | |
| 119 | _context=filterConfig.getServletContext(); |
| 120 | String mfks = filterConfig.getInitParameter("maxFormKeys"); |
| 121 | if (mfks!=null) |
| 122 | _maxFormKeys=Integer.parseInt(mfks); |
| 123 | } |
| 124 | |
| 125 | /* ------------------------------------------------------------------------------- */ |
| 126 | /** |
| 127 | * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest, |
| 128 | * javax.servlet.ServletResponse, javax.servlet.FilterChain) |
| 129 | */ |
| 130 | public void doFilter(ServletRequest request,ServletResponse response,FilterChain chain) |
| 131 | throws IOException, ServletException |
| 132 | { |
| 133 | HttpServletRequest srequest=(HttpServletRequest)request; |
| 134 | if(srequest.getContentType()==null||!srequest.getContentType().startsWith("multipart/form-data")) |
| 135 | { |
| 136 | chain.doFilter(request,response); |
| 137 | return; |
| 138 | } |
| 139 | |
| 140 | InputStream in = new BufferedInputStream(request.getInputStream()); |
| 141 | String content_type=srequest.getContentType(); |
| 142 | |
| 143 | //Get current parameters so we can merge into them |
| 144 | MultiMap<String> params = new MultiMap<String>(); |
| 145 | for (Iterator<Map.Entry<String,String[]>> i = request.getParameterMap().entrySet().iterator();i.hasNext();) |
| 146 | { |
| 147 | Map.Entry<String,String[]> entry=i.next(); |
| 148 | Object value=entry.getValue(); |
| 149 | if (value instanceof String[]) |
| 150 | params.addValues(entry.getKey(),(String[])value); |
| 151 | else |
| 152 | params.add(entry.getKey(),value); |
| 153 | } |
| 154 | |
| 155 | MultipartConfigElement config = new MultipartConfigElement(tempdir.getCanonicalPath(), _maxFileSize, _maxRequestSize, _fileOutputBuffer); |
| 156 | MultiPartInputStream mpis = new MultiPartInputStream(in, content_type, config, tempdir); |
| 157 | mpis.setDeleteOnExit(_deleteFiles); |
| 158 | request.setAttribute(MULTIPART, mpis); |
| 159 | |
| 160 | try |
| 161 | { |
| 162 | Collection<Part> parts = mpis.getParts(); |
| 163 | if (parts != null) |
| 164 | { |
| 165 | Iterator<Part> itor = parts.iterator(); |
| 166 | while (itor.hasNext() && params.size() < _maxFormKeys) |
| 167 | { |
| 168 | Part p = itor.next(); |
| 169 | MultiPartInputStream.MultiPart mp = (MultiPartInputStream.MultiPart)p; |
| 170 | if (mp.getFile() != null) |
| 171 | { |
| 172 | request.setAttribute(mp.getName(),mp.getFile()); |
| 173 | if (mp.getContentDispositionFilename() != null) |
| 174 | { |
| 175 | params.add(mp.getName(), mp.getContentDispositionFilename()); |
| 176 | if (mp.getContentType() != null) |
| 177 | params.add(mp.getName()+CONTENT_TYPE_SUFFIX, mp.getContentType()); |
| 178 | } |
| 179 | } |
| 180 | else |
| 181 | { |
| 182 | ByteArrayOutputStream bytes = new ByteArrayOutputStream(); |
| 183 | IO.copy(p.getInputStream(), bytes); |
| 184 | params.add(p.getName(), bytes.toByteArray()); |
| 185 | if (p.getContentType() != null) |
| 186 | params.add(p.getName()+CONTENT_TYPE_SUFFIX, p.getContentType()); |
| 187 | } |
| 188 | } |
| 189 | } |
| 190 | |
| 191 | // handle request |
| 192 | chain.doFilter(new Wrapper(srequest,params),response); |
| 193 | } |
| 194 | finally |
| 195 | { |
| 196 | deleteFiles(request); |
| 197 | } |
| 198 | } |
| 199 | |
| 200 | |
| 201 | /* ------------------------------------------------------------ */ |
| 202 | private void deleteFiles(ServletRequest request) |
| 203 | { |
| 204 | if (!_deleteFiles) |
| 205 | return; |
| 206 | |
| 207 | MultiPartInputStream mpis = (MultiPartInputStream)request.getAttribute(MULTIPART); |
| 208 | if (mpis != null) |
| 209 | { |
| 210 | try |
| 211 | { |
| 212 | mpis.deleteParts(); |
| 213 | } |
| 214 | catch (Exception e) |
| 215 | { |
| 216 | _context.log("Error deleting multipart tmp files", e); |
| 217 | } |
| 218 | } |
| 219 | request.removeAttribute(MULTIPART); |
| 220 | } |
| 221 | |
| 222 | |
| 223 | /* ------------------------------------------------------------------------------- */ |
| 224 | /** |
| 225 | * @see javax.servlet.Filter#destroy() |
| 226 | */ |
| 227 | public void destroy() |
| 228 | { |
| 229 | } |
| 230 | |
| 231 | /* ------------------------------------------------------------------------------- */ |
| 232 | /* ------------------------------------------------------------------------------- */ |
| 233 | private static class Wrapper extends HttpServletRequestWrapper |
| 234 | { |
| 235 | String _encoding=StringUtil.__UTF8; |
| 236 | MultiMap _params; |
| 237 | |
| 238 | /* ------------------------------------------------------------------------------- */ |
| 239 | /** Constructor. |
| 240 | * @param request |
| 241 | */ |
| 242 | public Wrapper(HttpServletRequest request, MultiMap map) |
| 243 | { |
| 244 | super(request); |
| 245 | this._params=map; |
| 246 | } |
| 247 | |
| 248 | /* ------------------------------------------------------------------------------- */ |
| 249 | /** |
| 250 | * @see javax.servlet.ServletRequest#getContentLength() |
| 251 | */ |
| 252 | @Override |
| 253 | public int getContentLength() |
| 254 | { |
| 255 | return 0; |
| 256 | } |
| 257 | |
| 258 | /* ------------------------------------------------------------------------------- */ |
| 259 | /** |
| 260 | * @see javax.servlet.ServletRequest#getParameter(java.lang.String) |
| 261 | */ |
| 262 | @Override |
| 263 | public String getParameter(String name) |
| 264 | { |
| 265 | Object o=_params.get(name); |
| 266 | if (!(o instanceof byte[]) && LazyList.size(o)>0) |
| 267 | o=LazyList.get(o,0); |
| 268 | |
| 269 | if (o instanceof byte[]) |
| 270 | { |
| 271 | try |
| 272 | { |
| 273 | return getParameterBytesAsString(name, (byte[])o); |
| 274 | } |
| 275 | catch(Exception e) |
| 276 | { |
| 277 | LOG.warn(e); |
| 278 | } |
| 279 | } |
| 280 | else if (o!=null) |
| 281 | return String.valueOf(o); |
| 282 | return null; |
| 283 | } |
| 284 | |
| 285 | /* ------------------------------------------------------------------------------- */ |
| 286 | /** |
| 287 | * @see javax.servlet.ServletRequest#getParameterMap() |
| 288 | */ |
| 289 | @Override |
| 290 | public Map getParameterMap() |
| 291 | { |
| 292 | Map<String, String[]> cmap = new HashMap<String,String[]>(); |
| 293 | |
| 294 | for ( Object key : _params.keySet() ) |
| 295 | { |
| 296 | cmap.put((String)key,getParameterValues((String)key)); |
| 297 | } |
| 298 | |
| 299 | return Collections.unmodifiableMap(cmap); |
| 300 | } |
| 301 | |
| 302 | /* ------------------------------------------------------------------------------- */ |
| 303 | /** |
| 304 | * @see javax.servlet.ServletRequest#getParameterNames() |
| 305 | */ |
| 306 | @Override |
| 307 | public Enumeration getParameterNames() |
| 308 | { |
| 309 | return Collections.enumeration(_params.keySet()); |
| 310 | } |
| 311 | |
| 312 | /* ------------------------------------------------------------------------------- */ |
| 313 | /** |
| 314 | * @see javax.servlet.ServletRequest#getParameterValues(java.lang.String) |
| 315 | */ |
| 316 | @Override |
| 317 | public String[] getParameterValues(String name) |
| 318 | { |
| 319 | List l=_params.getValues(name); |
| 320 | if (l==null || l.size()==0) |
| 321 | return new String[0]; |
| 322 | String[] v = new String[l.size()]; |
| 323 | for (int i=0;i<l.size();i++) |
| 324 | { |
| 325 | Object o=l.get(i); |
| 326 | if (o instanceof byte[]) |
| 327 | { |
| 328 | try |
| 329 | { |
| 330 | v[i]=getParameterBytesAsString(name, (byte[])o); |
| 331 | } |
| 332 | catch(Exception e) |
| 333 | { |
| 334 | throw new RuntimeException(e); |
| 335 | } |
| 336 | } |
| 337 | else if (o instanceof String) |
| 338 | v[i]=(String)o; |
| 339 | } |
| 340 | return v; |
| 341 | } |
| 342 | |
| 343 | /* ------------------------------------------------------------------------------- */ |
| 344 | /** |
| 345 | * @see javax.servlet.ServletRequest#setCharacterEncoding(java.lang.String) |
| 346 | */ |
| 347 | @Override |
| 348 | public void setCharacterEncoding(String enc) |
| 349 | throws UnsupportedEncodingException |
| 350 | { |
| 351 | _encoding=enc; |
| 352 | } |
| 353 | |
| 354 | |
| 355 | /* ------------------------------------------------------------------------------- */ |
| 356 | private String getParameterBytesAsString (String name, byte[] bytes) |
| 357 | throws UnsupportedEncodingException |
| 358 | { |
| 359 | //check if there is a specific encoding for the parameter |
| 360 | Object ct = _params.get(name+CONTENT_TYPE_SUFFIX); |
| 361 | //use default if not |
| 362 | String contentType = _encoding; |
| 363 | if (ct != null) |
| 364 | { |
| 365 | String tmp = MimeTypes.getCharsetFromContentType(new ByteArrayBuffer((String)ct)); |
| 366 | contentType = (tmp == null?_encoding:tmp); |
| 367 | } |
| 368 | |
| 369 | return new String(bytes,contentType); |
| 370 | } |
| 371 | } |
| 372 | } |