[jbossweb-commits] JBossWeb SVN: r2271 - in branches/JBOSSWEB_7_2_0_FINAL_BZ-1013996/src/main/java/org/apache/tomcat/util/http/fileupload: disk and 1 other directory.

Tue Oct 1 06:31:16 EDT 2013

Author: mmusaji
Date: 2013-10-01 06:31:15 -0400 (Tue, 01 Oct 2013)
New Revision: 2271

Modified:
   branches/JBOSSWEB_7_2_0_FINAL_BZ-1013996/src/main/java/org/apache/tomcat/util/http/fileupload/FileItem.java
   branches/JBOSSWEB_7_2_0_FINAL_BZ-1013996/src/main/java/org/apache/tomcat/util/http/fileupload/disk/DiskFileItem.java
Log:
Merged BZ-968578 and BZ-974813 (CVE-2013-2185)

Modified: branches/JBOSSWEB_7_2_0_FINAL_BZ-1013996/src/main/java/org/apache/tomcat/util/http/fileupload/FileItem.java
===================================================================

--- branches/JBOSSWEB_7_2_0_FINAL_BZ-1013996/src/main/java/org/apache/tomcat/util/http/fileupload/FileItem.java	2013-10-01 09:56:17 UTC (rev 2270)
+++ branches/JBOSSWEB_7_2_0_FINAL_BZ-1013996/src/main/java/org/apache/tomcat/util/http/fileupload/FileItem.java	2013-10-01 10:31:15 UTC (rev 2271)
@@ -20,7 +20,6 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
-import java.io.Serializable;
 import java.io.UnsupportedEncodingException;
 
 /**
@@ -50,7 +49,7 @@
  *
  * @version $Id: FileItem.java 1533 2010-08-18 10:01:08Z remy.maucherat at jboss.com $
  */
-public interface FileItem extends Serializable {
+public interface FileItem extends FileItemHeadersSupport {
 
 
     // ------------------------------- Methods from javax.activation.DataSource

Modified: branches/JBOSSWEB_7_2_0_FINAL_BZ-1013996/src/main/java/org/apache/tomcat/util/http/fileupload/disk/DiskFileItem.java
===================================================================
--- branches/JBOSSWEB_7_2_0_FINAL_BZ-1013996/src/main/java/org/apache/tomcat/util/http/fileupload/disk/DiskFileItem.java	2013-10-01 09:56:17 UTC (rev 2270)
+++ branches/JBOSSWEB_7_2_0_FINAL_BZ-1013996/src/main/java/org/apache/tomcat/util/http/fileupload/disk/DiskFileItem.java	2013-10-01 10:31:15 UTC (rev 2271)
@@ -26,8 +26,6 @@
 import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
-import java.io.ObjectInputStream;
-import java.io.ObjectOutputStream;
 import java.io.OutputStream;
 import java.io.UnsupportedEncodingException;
 import java.util.Map;
@@ -89,12 +87,6 @@
     // ----------------------------------------------------- Manifest constants
 
     /**
-     * The UID to use when serializing this instance.
-     */
-    private static final long serialVersionUID = 2237570099615271025L;
-
-
-    /**
      * Default content charset to be used when no explicit charset
      * parameter is provided by the sender. Media subtypes of the
      * "text" type are defined to have a default charset value of
@@ -180,11 +172,6 @@
     private transient File tempFile;
 
     /**
-     * File to allow for serialization of the content of this item.
-     */
-    private File dfosFile;
-
-    /**
      * The file items headers.
      */
     private FileItemHeaders headers;
@@ -658,9 +645,6 @@
         return id;
     }
 
-
-
-
     /**
      * Returns a string representation of this object.
      *
@@ -679,58 +663,7 @@
             + this.getFieldName();
     }
 
-
-    // -------------------------------------------------- Serialization methods
-
-
     /**
-     * Writes the state of this object during serialization.
-     *
-     * @param out The stream to which the state should be written.
-     *
-     * @throws IOException if an error occurs.
-     */
-    private void writeObject(ObjectOutputStream out) throws IOException {
-        // Read the data
-        if (dfos.isInMemory()) {
-            cachedContent = get();
-        } else {
-            cachedContent = null;
-            dfosFile = dfos.getFile();
-        }
-
-        // write out values
-        out.defaultWriteObject();
-    }
-
-    /**
-     * Reads the state of this object during deserialization.
-     *
-     * @param in The stream from which the state should be read.
-     *
-     * @throws IOException if an error occurs.
-     * @throws ClassNotFoundException if class cannot be found.
-     */
-    private void readObject(ObjectInputStream in)
-            throws IOException, ClassNotFoundException {
-        // read values
-        in.defaultReadObject();
-
-        OutputStream output = getOutputStream();
-        if (cachedContent != null) {
-            output.write(cachedContent);
-        } else {
-            FileInputStream input = new FileInputStream(dfosFile);
-            IOUtils.copy(input, output);
-            dfosFile.delete();
-            dfosFile = null;
-        }
-        output.close();
-
-        cachedContent = null;
-    }
-
-    /**
      * Returns the file item headers.
      * @return The file items headers.
      */

