in am using ace:fileEntry component to upload a pdf file. my problem i dont know how to change the filename while uploading the document. The file gets uploaded with the originalfilename.I know that if i set useOriginalFilename=false, it would have a unique name, but I want that the file uploaded in the file system should have the custom filename which i want to pass.
My xhtml code is as below
<ace:fileEntry id="file-entry" label="Attachment"
absolutePath="STR_UPLOADED_FILES"
maxFileCount="1"
maxFileCountMessage="Limited to 1 files uploaded concurrently."
fileEntryListener="#{strformbean.fileuploadListener}"
maxFileSize="6291456"
maxFileSizeMessage="Submitted file is too large.Max size allowed is 6MB"
maxTotalSize="6291456"
maxTotalSizeMessage="Total size of submitted files is too large."
required="false"
requiredMessage="The file is required to submit this form."
useOriginalFilename="true"
useSessionSubdir="false" />
You sound like as if you expected that the temporary storage location of uploaded files is usable as a permanent storage location of uploaded files and you thus don't need to touch it. This is wrong! The location where uploaded files will initially end up is really temporary in order to save server memory usage. It will be cleaned at intervals or startup/shutdown.
In the listener method, you should be obtaining the content of the uploaded file yourself as InputStream or byte[] which you should write to the permanent storage location. During this step you have all the freedom to specify your own filename.
See also this closely related question about PrimeFaces <p:fileUpload> (whose sourcecode ICEfaces has for the major part stolen copypasted redistributed) Where is the p:fileUpload uploaded file saved and how do I change it? for a detailed answer how to deal with it properly.
Related
So i have this ASP.Net app and i want to allow the client to have the option to download an xlsx file, im using the HttpContext.Response to set the Content Type "application/xlsx" and the Content-Disposition sets the file name with the extension .xlsx, the download works correctly.
if I change the file name to .pdf then the file is downloaded as a pdf, when I checked the developer tool network response the Content Type was "application/xlsx" and in another test I change the name fileto .png and the file was downloaded as an image (it did not work, but it was shown as an image)
So what is the content type supposed to do, does it bring some sort of security how do i make sure that the user can only downloads the file associated to the content type?
Im using response.BinaryWrite()
A content type indicates what type of content is being transmitted over http regardless of the content name. For example as you already have tested, you can transmit a pdf file naming it as a .png file.
It is the browser or the operating system that is representing a file with the name .png as an image to you. Another software would treat a pdf file with .png name as a pdf file.
The name of the file matters after the download is complete. But the software that is handling the download (in this case a web browser) actually may need to know the original media type. And you might want to write client side codes that would need to know what type of file is being transferred from the server regardless of the file name.
I am hosting a small fileserver, where users can upload documents from all around the world.
Due to problems in encoding (see otherquestion), I am asking myself if I should disallow users to upload (and on the other hand download) files not supported by CP1252 charset?
or otherwise; is it senseful to allow users upload documents with arabian or chinese letters in their filenames?
PS: they download the same file some time later (and it should have the same filename as uploaded)
You should be storing the files on disk using a randomly generated name, or let the file name be based on a hash of the file contents (good for deduplicating storage as well). You can save the original file name as meta data in a database together with all other meta data about the file (who uploaded it and things like that). Then you serve the file again using a PHP script which sets the original file name from the database in an HTTP header. This way you:
don't need to worry about file name sanitisation or duplication
file system encoding issues
storage duplication (if using a hash)
I'd like to allow user to select a directory (in which I parse some text files) and store the result(List<File>) in a PERSISTENT storage on the same client so that when the user returns, there is no need to select the same directory again.
During the session selecting the directory (via <input webkitdirectory="..." />) and then accessing the directory and parsing the file already works fine, but I've no idea on what kind of data I shall save in order to retrieve it later. I've tried by using window.webkitResolveLocalFileSystemURL() but wasn't successful so far... any idea?
Ok, so you're using something like:
<input type="file" id="file-input" webkitdirectory="" directory="">
This lets the user upload a directory. Roughly speaking, here's the code to get the list of files uploaded:
query("#file-input").on.change.add((e) {
print(e.target.files);
});
It sounds like you already figured that part out.
Really, you just get a list of files. I looked at e.target, and I don't think there's anything in there related to the directory itself. For instance, I don't see anything about the directory name, and it's not as if you suddenly have write access to that directory. You also can't upload files from that directory the next time the user loads the page without him selecting the directory again.
However, what you can do is upload files from that directory and save a copy of those files locally using local file storage.
See also:
"Using the HTML5 Filesystem API" p. 20-21
https://github.com/dart-lang/dart-html5-samples/tree/master/web/file
How do I use Google Chrome 11's Upload Folder feature in my own code?
By the way, I know I wasn't able to achieve exactly what you wanted, but if you approve of my answer, please accept it. My boss promised to buy me a puppy if I answer 100 questions on Stack Overflow ;)
I have a website that shows galleries. Users can upload their own content from the web (by entering a URL) or by uploading a picture from their computer.
I am storing the URL in the database which works fine for the first use case but I need to figure out where to store the actual images if a user does a upload from their computer.
Is there any recommendation here or best practice on where I should store these?
Should I save them in the appdata or content folders? Should they not be stored with the website at all because it's user content?
You should NOT store the user uploads anywhere they can be directly accessed by a known URL within your site structure. This is a security risk as users could upload .htm file and .js files. Even a file with the correct extension can contain malicious code that can be executed in the context of your site by an authenticated user allowing server-side or client-side attacks.
See for example http://www.acunetix.com/websitesecurity/upload-forms-threat.htm and What security issues appear when users can upload their own files? which mention some of the issues you need to be aware of before you allow users to upload files and then present them for download within your site.
Don't put the files within your normal web site directory structure
Don't use the original file name the user gave you. You can add a content disposition header with the original file name so they can download it again as the same file name but the path and file name on the server shouldn't be something the user can influence.
Don't trust image files - resize them and offer only the resized version for subsequent download
Don't trust mime types or file extensions, open the file and manipulate it to make sure it's what it claims to be.
Limit the upload size and time.
Depending on the resources you have to implement something like this, it is extremely beneficial to store all this stuff in Amazon S3.
Once you get the upload you simply push it over to Amazon and pop the URL in your database as you're doing with the other images. As mentioned above it would probably be wise to open up the image and resize it before sending it over. This both checks it is actually an image and makes sure you don't accidentally present a full camera resolution image to an end user.
Doing this now will make it much, much easier if you ever have to migrate/failover your site and don't want to sync gigabytes of image assets.
One way is to store the image in a database table with a varbinary field.
Another way would be to store the image in the App_Data folder, and create a subfolder for each user (~/App_Data/[userid]/myImage.png).
For both approaches you'd need to create a separate action method that makes it possible to access the images.
While uploading images you need to verify the content of the file before uploading it. The file extension method is not trustable.
Use magic number method to verify the file content which will be an easy way.
See the stackoverflow post and see the list of magic numbers
One way of saving the file is converting it to binary format and save in our database and next method is using App_Data folder.
The storage option is based on your requirement. See this post also
Set upload limit by setting maxRequestLength property to Web.Config like this, where the size of file is specified in KB
<httpRuntime maxRequestLength="51200" executionTimeout="3600" />
You can save your trusted data just in parallel of htdocs/www folder so that any user can not access that folder. Also you can add .htaccess authentication on your trusted data (for .htaccess you should kept your .htpasswd file in parallel of htdocs/www folder) if you are using apache.
I have a upload text file field, and with it I plan to save the file somewhere and then store the location of the file in a database. However, I want to make sure the file they uploaded is a .txt file, and not, say, an image file. I imagine this happens in the validation step. How does one validate such a thing? Also, how do you get the filename of the uploaded file? I could always just check if it said '.txt' but for future reference knowing how to validate without just the filename would be helpful.
Trying to validate the contents of a file based on the filename extension is opening the door for major hackerdom. It's trivial to change the extension and upload the file.
If you are on a Mac/Linux/Unix-based system the OS "file" command is the standard because it looks inside the file for key bytes that flag file types. http://en.wikipedia.org/wiki/File_(Unix) I'm not sure what's available for Windows, but this might help: Determine file type in Ruby
One way of doing it, the simple way really, would be to pass the file through an image loader, preferably one that handles multiple common formats, and see if it throws an error.
The other way is to manually check the file header for common image format headers. For example, .bmp files start with BM. Other formats have their own specific markings you can use.