Index: /FCKeditor.Java/branches/2.4/src/main/java/net/fckeditor/connector/ConnectorServlet.java
===================================================================
--- /FCKeditor.Java/branches/2.4/src/main/java/net/fckeditor/connector/ConnectorServlet.java	(revision 1633)
+++ /FCKeditor.Java/branches/2.4/src/main/java/net/fckeditor/connector/ConnectorServlet.java	(revision 1634)
@@ -20,9 +20,4 @@
  */
 package net.fckeditor.connector;
-
-import static net.fckeditor.tool.Utils.forceSingleExtension;
-import static net.fckeditor.tool.Utils.isEmpty;
-import static net.fckeditor.tool.Utils.isValidPath;
-import static net.fckeditor.tool.Utils.replaceAll;
 
 import java.io.File;
@@ -143,13 +138,8 @@
 			} else {
 				try {
-					boolean dirCreated = newFolder.mkdir();
-					if (dirCreated)
-						errorNumber = 0;
-					else
-						errorNumber = 102;
+					errorNumber = (newFolder.mkdir()) ? 0 : 102;
 				} catch (SecurityException sex) {
 					errorNumber = 103;
 				}
-
 			}
 			xr.setError(errorNumber);
@@ -196,8 +186,9 @@
 		// if this is a QuickUpload-Request, 'commandStr' and 'currentFolderStr' are empty and have
 		// to preset and construct the full resource type path !!
-		if (isEmpty(commandStr) && isEmpty(currentFolderStr)) {
+		if (Utils.isEmpty(commandStr) && Utils.isEmpty(currentFolderStr)) {
 			commandStr = "QuickUpload";
 			currentFolderStr = "/";
-			String quickUploadFolder = constructTypeBasedFolderString(fileType, currentFolderStr, request);
+			String quickUploadFolder = constructTypeBasedFolderString(fileType, currentFolderStr,
+			        request);
 			File file = new File(getServletContext().getRealPath(quickUploadFolder));
 			if (!file.exists())
@@ -209,9 +200,10 @@
 		if (!Utils.isValidPath(currentFolderStr)) {
 			ur = new UploadResponse(UploadResponse.EN_SECURITY_ERROR, null, null,
-					"'currentFolderStr' isn't valid!");			
+			        "'currentFolderStr' isn't valid!");
 		} else if (!SessionDataHandler.isEnabledForFileUpload(request)) {
 			ur = new UploadResponse(UploadResponse.EN_SECURITY_ERROR, null, null,
 			        "The current user isn't authorized for uploading files!");
-		} else if (isEmpty(commandStr) || isEmpty(currentFolderStr) || isEmpty(typeStr))
+		} else if (Utils.isEmpty(commandStr) || Utils.isEmpty(currentFolderStr)
+		        || Utils.isEmpty(typeStr))
 			ur = UploadResponse.UR_BAD_REQUEST;
 		else if (!commandStr.matches("(File|Quick)Upload"))
@@ -220,7 +212,7 @@
 
 			String currentPath = constructTypeBasedFolderString(fileType, currentFolderStr, request);
-			String currentDirPath = getServletContext().getRealPath(currentPath);
-
-			if (!isValidPath(currentFolderStr) || !(new File(currentDirPath).exists()))
+			File currentDirPath = new File(getServletContext().getRealPath(currentPath));
+
+			if (!Utils.isValidPath(currentFolderStr) || !currentDirPath.exists())
 				ur = UploadResponse.UR_BAD_REQUEST;
 			else {
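Review bot: `new File(getServletContext().getRealPath(currentPath))` throws a NullPointerException when `getRealPath` returns null, which the servlet API permits when the path cannot be translated (for example, an application not deployed from an expanded directory). A null check before constructing the `File` would let that case end in `UR_BAD_REQUEST` instead of an unhandled exception. In the condition, `currentDirPath.exists()` is also true for a regular file, so `isDirectory()` is the tighter test for an upload target: `if (!Utils.isValidPath(currentFolderStr) || !currentDirPath.isDirectory())`. The `isValidPath` call appears to repeat the check at the top of the chain in the previous hunk, assuming both sit in the same method. The enclosing else-branch starts and ends outside the hunk.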
@@ -245,26 +237,39 @@
 
 						if (ConnectorHandler.isForceSingleExtension()) {
-							filename = forceSingleExtension(filename);
+							filename = Utils.forceSingleExtension(filename);
 							baseName = FilenameUtils.removeExtension(filename);
 						}
 
+						// construct an unique file
 						File pathToSave = new File(currentDirPath, filename);
 						int counter = 1;
 						while (pathToSave.exists()) {
-							newFilename = baseName + "(" + counter + ")" + "." + extension;
+							newFilename = baseName.concat("(").concat(String.valueOf(counter))
+							        .concat(")").concat(".").concat(extension);
 							pathToSave = new File(currentDirPath, newFilename);
 							counter++;
 						}
 
-						uplFile.write(pathToSave);
-						if (isEmpty(newFilename)) {
+						if (Utils.isEmpty(newFilename)) {
 							ur = new UploadResponse(UploadResponse.EN_OK, Utils
-							        .constructServerAddress(request, currentPath)
-							        + filename);
+							        .constructServerAddress(request, currentPath).concat(filename));
 						} else {
 							ur = new UploadResponse(UploadResponse.EN_RENAMED, Utils
-							        .constructServerAddress(request, currentPath)
-							        + newFilename, newFilename);
-						}
+							        .constructServerAddress(request, currentPath).concat(
+							                newFilename), newFilename);
+						}
+
+						// secure image check
+						if (ConnectorHandler.isSecureImageUploads()) {
+							boolean check = Utils.isImage(uplFile.getInputStream());
+							if (check) {
+								uplFile.write(pathToSave);
+							} else {
+								ur = UploadResponse.UR_INVALID_EXTENSION;
+							}
+						} else {
+							uplFile.write(pathToSave);
+						}
+
 					}
 				} catch (FileUploadException ex) {
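Review bot: The stream obtained from `uplFile.getInputStream()` for `Utils.isImage` is never closed in this hunk, so unless `isImage` closes it (not visible here) every checked upload leaks a handle. The check is gated only on `ConnectorHandler.isSecureImageUploads()`, so with the flag on it looks as if non-image uploads to any resource type are refused with `UR_INVALID_EXTENSION`; the condition probably wants to test `fileType` as well. `ur` is also built as EN_OK/EN_RENAMED before the check and the write, and the extra read between the `exists()` loop and `uplFile.write` widens the window in which two concurrent uploads can settle on the same name. The sketch below closes the stream and builds the success response only after the file is written; the enclosing try block starts outside the hunk.

```java
// … unchanged: forceSingleExtension and the unique-name loop …

// secure image check, decided before any success response exists
boolean accepted = true;
if (ConnectorHandler.isSecureImageUploads()) {
	java.io.InputStream in = uplFile.getInputStream();
	try {
		accepted = Utils.isImage(in);
	} finally {
		in.close();
	}
}

if (!accepted) {
	ur = UploadResponse.UR_INVALID_EXTENSION;
} else {
	uplFile.write(pathToSave);
	// … unchanged: EN_OK / EN_RENAMED response construction, now after the write …
}
```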
@@ -288,5 +293,5 @@
 		sb.append(fileType.getPath());
 		sb.append(currentFolderString);
-		return replaceAll(sb.toString(), "//", "/");
+		return Utils.replaceAll(sb.toString(), "//", "/");
 	}
 
