forked from wycats/laszlo_post_api
file_upload.jsp
<%@ page import="org.apache.commons.fileupload.*, org.apache.commons.fileupload.servlet.ServletFileUpload, org.apache.commons.fileupload.disk.DiskFileItemFactory, org.apache.commons.io.FilenameUtils, java.util.*, java.io.*, java.lang.Exception, java.util.zip.*" %>
<%!
// Directory paths created while extracting an upload.
// NOTE(review): a member declared in a JSP declaration is a field of the generated
// servlet class, and the container normally serves concurrent requests from one
// instance of it, so per-request state should not live in a field like this one.
protected SortedSet dirsMade;
// Buffer size, in bytes, for the copy loop and for the extraction output stream.
static int BUFFERSIZE = 2048;
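/**
 * Reports whether {@code path} resolves to the webapp root or to a location beneath it.
 *
 * Both paths are canonicalised before comparing, so ".." segments and symbolic links are
 * resolved first. The comparison is made on a directory boundary: a bare
 * {@code startsWith(root)} would also accept a sibling directory whose name merely begins
 * with the root's name (constructed example: root "/srv/app" and path "/srv/app-old/x").
 *
 * The bound is the whole webapp, not the upload directory, so locations such as WEB-INF
 * still pass. A caller that needs a tighter bound has to check it separately.
 *
 * @param path file-system path to test; the file need not exist
 * @return true when the canonical path is the webapp root or lies inside it; false
 *         otherwise, including when {@code path} is null, the webapp root cannot be
 *         mapped to the file system, or canonicalisation fails
 */
boolean isValidSubdir(String path) {
    if (path == null) {
        return false;
    }
    // getRealPath returns null when the container cannot translate the path to a file.
    String root = getServletContext().getRealPath(".");
    if (root == null) {
        return false;
    }
    try {
        String canonical = new File(path).getCanonicalPath();
        String webapp = new File(root).getCanonicalPath();
        if (canonical.equals(webapp)) {
            return true;
        }
        // Compare against "root + separator" so only real descendants match.
        String prefix = webapp.endsWith(File.separator) ? webapp : webapp + File.separator;
        return canonical.startsWith(prefix);
    } catch (IOException e) {
        // A path that cannot be canonicalised is treated as outside the webapp.
        return false;
    }
}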
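/**
 * Copies every byte from {@code in} to {@code out}, then closes both streams.
 *
 * Both streams are closed even when the copy fails part-way, so a failed extraction does
 * not leave file handles open.
 *
 * @param in  stream to read until end of input
 * @param out stream that receives the bytes
 * @throws IOException if reading, writing or closing fails; a failure while closing
 *         replaces an earlier failure from the copy itself
 */
public static final void copyInputStream(InputStream in, OutputStream out) throws IOException {
    try {
        byte[] buffer = new byte[BUFFERSIZE];
        int len;
        while ((len = in.read(buffer)) >= 0) {
            out.write(buffer, 0, len);
        }
    } finally {
        // Nested so that out is closed (and flushed) even if closing in throws.
        try {
            in.close();
        } finally {
            out.close();
        }
    }
}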
%>
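<%
// Accepts a multipart upload of one zip file, stores it in a per-session directory under
// <webapp>/my-apps and extracts it there. On success the directory id is returned in the
// X-Path-UID header and in the response body.
//
// NOTE(review): no authentication or authorisation check is visible in this page, and
// everything it extracts lands under the webapp root, where the container may serve or
// compile it. Confirm that access to this endpoint is restricted elsewhere (for example
// a web.xml security constraint or a filter).

// maximum size of zipfile to accept, in bytes
int maxSize = 1024 * 1024 * 5;
// directory to write into, without trailing slash
String basedir = "/my-apps";
// session UID to append, if not passed in 'uid' field
String sessionId = "tmp_" + session.getId();
String path = null;
try {
    // Should be $LPS_HOME
    path = (new File((getServletContext().getRealPath(".")))).getCanonicalPath();
} catch (Exception e) {
    // Keep the exception text (which can contain server paths) in the server log only.
    getServletContext().log("file_upload.jsp: cannot resolve the webapp root", e);
    out.println("JSP error caught.");
    return;
}
if (ServletFileUpload.isMultipartContent(request)) {
    ServletFileUpload servletFileUpload = new ServletFileUpload(new DiskFileItemFactory());
    // NOTE(review): the maxSize test further down runs only after parseRequest has
    // received the whole body. Consider servletFileUpload.setSizeMax(...) so that
    // oversized requests are refused while they are being parsed.
    List fileItemsList = servletFileUpload.parseRequest(request);
    String optionalFileName = "";
    String optionalSessionID = "";
    FileItem fileItem = null;
    Iterator it = fileItemsList.iterator();
    while (it.hasNext()) {
        FileItem fileItemTemp = (FileItem) it.next();
        if (fileItemTemp.isFormField()) {
            if (fileItemTemp.getFieldName().equals("filename")) {
                optionalFileName = fileItemTemp.getString();
            } else if (fileItemTemp.getFieldName().equals("uid")) {
                optionalSessionID = fileItemTemp.getString();
            }
        } else {
            fileItem = fileItemTemp;
        }
    }
    String requestedUid = optionalSessionID.trim();
    if (!requestedUid.equals("")) {
        // The client-supplied uid becomes a directory name and is echoed in a response
        // header and in the response body, so only a conservative character set is
        // accepted: no path separators, no leading dot, no markup or control characters.
        // Widen the set if this container's session ids use other characters.
        if (!requestedUid.matches("[A-Za-z0-9_-][A-Za-z0-9_.-]{0,127}")) {
            out.println("Invalid path.");
            return;
        }
        sessionId = requestedUid;
    }
    // Create full path
    path += basedir + "/" + sessionId + "/";
    if (!isValidSubdir(path)) {
        out.println("Invalid path.");
        return;
    }
    // create temp dir
    (new File(path)).mkdir();
    if (fileItem != null) {
        String fileName = fileItem.getName();
        /* Save the uploaded file if its size is between 0 and maxSize, and it's a zip file. */
        // The content type is supplied by the client, so this is a filter, not a
        // verification; ZipFile rejects non-zip data below. The constant-first equals
        // also copes with a part that carries no content type.
        if (fileItem.getSize() > 0 && fileItem.getSize() < maxSize
                && "application/zip".equals(fileItem.getContentType())) {
            if (optionalFileName.trim().equals("")) {
                fileName = FilenameUtils.getName(fileName);
            } else {
                fileName = optionalFileName;
            }
            File saveTo = new File(path + fileName);
            ZipFile zipFile = null;
            try {
                // Every write is confined to this upload's own directory, which is a
                // tighter bound than the webapp-wide check in isValidSubdir. The trailing
                // separator makes the prefix test match descendants only.
                String sessionRoot = (new File(path)).getCanonicalPath() + File.separator;
                if (!saveTo.getCanonicalPath().startsWith(sessionRoot)) {
                    out.println("Invalid path.");
                    return;
                }
                // write out zip file
                fileItem.write(saveTo);
                // unzip the file
                // NOTE(review): neither the number of entries nor the total expanded size
                // is bounded here; a small archive can expand to far more than maxSize.
                zipFile = new ZipFile(saveTo);
                Enumeration entries = zipFile.entries();
                while (entries.hasMoreElements()) {
                    ZipEntry entry = (ZipEntry) entries.nextElement();
                    String entryname = entry.getName();
                    if (entryname.startsWith("/")) {
                        entryname = entryname.substring(1);
                    }
                    if (entryname.endsWith("/")) {
                        // Directory entry: directories are created on demand below.
                        continue;
                    }
                    // Validate the exact path that is about to be written.
                    File target = new File(path + entryname);
                    if (!target.getCanonicalPath().startsWith(sessionRoot)) {
                        out.println("Invalid path.");
                        return;
                    }
                    File parent = target.getParentFile();
                    if (parent != null && !parent.isDirectory()) {
                        // mkdirs() also returns false when another request created the
                        // directory first, hence the second isDirectory() test.
                        if (!parent.mkdirs() && !parent.isDirectory()) {
                            throw new IOException("Could not create directory for " + entryname);
                        }
                    }
                    //System.out.println("Extracting file: " + entryname);
                    BufferedInputStream zipin = new BufferedInputStream(zipFile.getInputStream(entry));
                    FileOutputStream fos = new FileOutputStream(target);
                    BufferedOutputStream zipout = new BufferedOutputStream(fos, BUFFERSIZE);
                    copyInputStream(zipin, zipout);
                }
                response.setHeader("X-Path-UID", sessionId);
%>
<%= sessionId %>
<%
            } catch (Exception e) {
                // The client gets a generic message; the cause goes to the server log.
                getServletContext().log("file_upload.jsp: upload or extraction failed", e);
%>
An error occurred.
<%
            } finally {
                // Runs on success, on failure and on the early returns above.
                if (zipFile != null) {
                    try {
                        zipFile.close();
                    } catch (IOException ignored) {
                        // Nothing useful can be done if closing the archive fails.
                    }
                }
            }
        }
    }
}
%>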