[ https://issues.apache.org/struts/browse/WW-2557?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=43575#action_43575 ] Stephan Schroeder commented on WW-2557: --------------------------------------- here is a unit test: (attention: -it uses a private method of FileUploadInterceptorTest, therefore it should be included there -import org.springframework.mock.web.MockMultipartFile; -import org.springframework.mock.web.MockMultipartHttpServletRequest; ) /** * tests whether with multiple files sent with the same name, the ones with forbiddenTypes * (see FileUploadInterceptor.setAllowedTypes(...) ) are sorted out. * @throws Exception */ public void testMultipleAccept() throws Exception { MockMultipartHttpServletRequest req = new MockMultipartHttpServletRequest(); String htmlContent = "html content"; String plainContent = "plain content"; req.addFile( new MockMultipartFile("file","test1.html","text/html", htmlContent.getBytes( "US-ASCII" ) ); req.addFile( new MockMultipartFile("file","test2.html","text/html", htmlContent.getBytes( "US-ASCII" ) ); req.addFile( new MockMultipartFile("file","test.txt", "text/plain",plainContent.getBytes( "US-ASCII" ) ); MyFileupAction action = new MyFileupAction(); MockActionInvocation mai = new MockActionInvocation(); mai.setAction(action); mai.setResultCode("success"); mai.setInvocationContext(ActionContext.getContext()); Map param = new HashMap(); ActionContext.getContext().setParameters(param); ActionContext.getContext().put(ServletActionContext.HTTP_REQUEST, createMultipartRequest( req, 2000)); interceptor.setAllowedTypes( "text/html" ); interceptor.intercept(mai); assertTrue(! action.hasErrors()); assertTrue(param.size() == 3); File[] files = (File[]) param.get("file"); String[] fileContentTypes = (String[]) param.get("fileContentType"); String[] fileRealFilenames = (String[]) param.get("fileFileName"); assertNotNull(files); assertNotNull(fileContentTypes); assertNotNull(fileRealFilenames); assertTrue(files.length == 2); assertTrue(fileContentTypes.length == 2); assertTrue(fileRealFilenames.length == 2); assertEquals("text/html", fileContentTypes[0]); assertNotNull("test1.html", fileRealFilenames[0]); } I have to admit that i wasn't able to test this test because my spring.jar is lacking the org.springframework.web.multipart package on which MockMultipartHttpServletRequest and MockMultipartFile depend. I asked the spring people about this error (http://forum.springframework.org/showthread.php?t=52071) but they haven't answerd yet but i figured you might have an own spring build (the package is present in the spring source) and therefore the test should work for you. > FileUploadInterceptor allows forbidden files when passed with allowed files > --------------------------------------------------------------------------- > > Key: WW-2557 > URL: https://issues.apache.org/struts/browse/WW-2557 > Project: Struts 2 > Issue Type: Bug > Components: Core Interceptors > Affects Versions: 2.0.11 > Environment: Windows Vista, Java 1.6.0_05 > Reporter: Stephan Schroeder > > Summary: If you set the "allowedTypes" parameter of FileUploadInterceptor for example to "image/jpeg" and upload a jpg file and a gif file whit the same form name > (e.g.: > <@s.form action="photoupload" method="post" enctype="multipart/form-data"> > <@s.file name="photos" label="Pictured 1"/> > <@s.file name="photos" label="Pictured 2"/> > <@s.submit/> > ) > than the gif file will be accepted too. > this is some code from the uptodate SVN repository of FileUploadInterceptor > (http://svn.apache.org/viewvc/struts/struts2/trunk/core/src/main/java/org/apache/struts2/interceptor/FileUploadInterceptor.java?revision=615436&view=markup) > > 1 File[] files = multiWrapper.getFiles(inputName); > 2 if (files != null) { > 3 for (int index = 0; index < files.length; index++) { > 4 if (acceptFile(files[index], contentType[index], inputName, validation, ac.getLocale())){ > 5 parameters.put(inputName, files); > 6 parameters.put(inputName + "ContentType", contentType); > 7 parameters.put(inputName + "FileName", fileName); > 8 } > 9 } > 10} > > Bug 1) as you can see in line 4 and 5 as soon as one file is accepted the whole array is added to parameters which of course means even the files which haven't been accepted themselfs. > Improvement 1) in line 6 and 7 static string concatenations are done within a loop. This should move out of the loop. > Here is my proposal for a fix for both issues: > > File[] files = multiWrapper.getFiles(inputName); > if (files != null) { > ArrayList acceptedFiles = new ArrayList( files.length() ); > ArrayList acceptedContentTypes = new ArrayList( files.length() ); > ArrayList acceptedFileNames = new ArrayList( files.length() ); > String contentTypeName = inputName + "ContentType"; > String fileNameName = inputName + "FileName"; > for (int index = 0; index < files.length; index++) { > if (acceptFile(files[index], contentType[index], inputName, validation, ac.getLocale())){ > acceptedFiles.add( files[index] ); > acceptedContentTypes.add( contentType[index] ); > acceptedFileNames.add( fileName[index] ); > } > } > if( acceptedFiles.size()!=0 ) { > parameters.put(inputName, acceptedFiles.toArray()); > parameters.put(contentTypeName, acceptedContentTypes.toArray()); > parameters.put(fileNameName, acceptedFileNames.toArray()); > } > } > -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.