File jakarta-commons-fileupload-CVE-2016-1000031.patch of Package jakarta-commons-fileupload.28093
Index: commons-fileupload-1.1.1/src/java/org/apache/commons/fileupload/disk/DiskFileItem.java
===================================================================
--- commons-fileupload-1.1.1.orig/src/java/org/apache/commons/fileupload/disk/DiskFileItem.java
+++ commons-fileupload-1.1.1/src/java/org/apache/commons/fileupload/disk/DiskFileItem.java
@@ -147,11 +147,6 @@ public class DiskFileItem
*/
private transient DeferredFileOutputStream dfos;
- /**
- * File to allow for serialization of the content of this item.
- */
- private File dfosFile;
-
// ----------------------------------------------------------- Constructors
@@ -637,76 +632,4 @@ public class DiskFileItem
+ this.getFieldName();
}
-
- // -------------------------------------------------- Serialization methods
-
-
- /**
- * Writes the state of this object during serialization.
- *
- * @param out The stream to which the state should be written.
- *
- * @throws IOException if an error occurs.
- */
- private void writeObject(ObjectOutputStream out) throws IOException {
- // Read the data
- if (dfos.isInMemory()) {
- cachedContent = get();
- } else {
- cachedContent = null;
- dfosFile = dfos.getFile();
- }
-
- // write out values
- out.defaultWriteObject();
- }
-
- /**
- * Reads the state of this object during deserialization.
- *
- * @param in The stream from which the state should be read.
- *
- * @throws IOException if an error occurs.
- * @throws ClassNotFoundException if class cannot be found.
- */
- private void readObject(ObjectInputStream in)
- throws IOException, ClassNotFoundException {
- // read values
- in.defaultReadObject();
-
- /* One expected use of serialization is to migrate HTTP sessions
- * containing a DiskFileItem between JVMs. Particularly if the JVMs are
- * on different machines It is possible that the repository location is
- * not valid so validate it.
- */
- if (repository != null) {
- if (repository.isDirectory()) {
- // Check path for nulls
- if (repository.getPath().contains("\0")) {
- throw new IOException(java.lang.String.format(
- "The repository [%s] contains a null character",
- repository.getPath()));
- }
- } else {
- throw new IOException(java.lang.String.format(
- "The repository [%s] is not a directory",
- repository.getAbsolutePath()));
- }
- }
-
- OutputStream output = getOutputStream();
- if (cachedContent != null) {
- output.write(cachedContent);
- } else {
- FileInputStream input = new FileInputStream(dfosFile);
-
- IOUtils.copy(input, output);
- dfosFile.delete();
- dfosFile = null;
- }
- output.close();
-
- cachedContent = null;
- }
-
}
Index: commons-fileupload-1.1.1/src/test/org/apache/commons/fileupload/DiskFileItemSerializeTest.java
===================================================================
--- commons-fileupload-1.1.1.orig/src/test/org/apache/commons/fileupload/DiskFileItemSerializeTest.java
+++ commons-fileupload-1.1.1/src/test/org/apache/commons/fileupload/DiskFileItemSerializeTest.java
@@ -77,25 +77,7 @@ public class DiskFileItemSerializeTest e
assertEquals("Initial: size", item.getSize(), testFieldValueBytes.length);
compareBytes("Initial", item.get(), testFieldValueBytes);
- // Serialize & Deserialize
- try
- {
- FileItem newItem = (FileItem)serializeDeserialize(item);
-
- // Test deserialized content is as expected
- assertTrue("Check in memory", newItem.isInMemory());
- compareBytes("Check", testFieldValueBytes, newItem.get());
-
- // Compare FileItem's (except byte[])
- compareFileItems(item, newItem);
-
- }
- catch(Exception e)
- {
- fail("Error Serializing/Deserializing: " + e);
- }
-
-
+ item.delete();
}
/**
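Review bot: With the round-trip removed, nothing in this test pins the property the patch relies on — that a `DiskFileItem` can no longer be serialized — so a later change that reintroduces `Serializable` (through `FileItem` or directly on the class) would pass this suite unnoticed. Rather than dropping the serialization step entirely, keep the `ObjectOutputStream.writeObject` call and assert that it fails with `NotSerializableException`; the same applies to the other two test methods rewritten in this file. The enclosing test method starts before this hunk, and the `serializeDeserialize` helper is deleted further down in the same file, so the stream has to be built inline and `java.io.NotSerializableException` imported.
```java
        // … unchanged: item construction and "Initial" assertions …
        // Regression check: a DiskFileItem must not be serializable (CVE-2016-1000031)
        try {
            new ObjectOutputStream(new ByteArrayOutputStream()).writeObject(item);
            fail("Serializing a DiskFileItem should throw NotSerializableException");
        } catch (NotSerializableException expected) {
            // expected: the item is deliberately not Serializable
        } catch (IOException e) {
            fail("Unexpected exception during serialization: " + e);
        }
        item.delete();
```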
@@ -112,24 +94,7 @@ public class DiskFileItemSerializeTest e
assertEquals("Initial: size", item.getSize(), testFieldValueBytes.length);
compareBytes("Initial", item.get(), testFieldValueBytes);
-
- // Serialize & Deserialize
- try
- {
- FileItem newItem = (FileItem)serializeDeserialize(item);
-
- // Test deserialized content is as expected
- assertTrue("Check in memory", newItem.isInMemory());
- compareBytes("Check", testFieldValueBytes, newItem.get());
-
- // Compare FileItem's (except byte[])
- compareFileItems(item, newItem);
-
- }
- catch(Exception e)
- {
- fail("Error Serializing/Deserializing: " + e);
- }
+ item.delete();
}
/**
@@ -147,34 +112,7 @@ public class DiskFileItemSerializeTest e
assertEquals("Initial: size", item.getSize(), testFieldValueBytes.length);
compareBytes("Initial", item.get(), testFieldValueBytes);
- // Serialize & Deserialize
- try
- {
- FileItem newItem = (FileItem)serializeDeserialize(item);
-
- // Test deserialized content is as expected
- assertFalse("Check in memory", newItem.isInMemory());
- compareBytes("Check", testFieldValueBytes, newItem.get());
-
- // Compare FileItem's (except byte[])
- compareFileItems(item, newItem);
-
- }
- catch(Exception e)
- {
- fail("Error Serializing/Deserializing: " + e);
- }
- }
-
- /**
- * Compare FileItem's (except the byte[] content)
- */
- private void compareFileItems(FileItem origItem, FileItem newItem) {
- assertTrue("Compare: is in Memory", origItem.isInMemory() == newItem.isInMemory());
- assertTrue("Compare: is Form Field", origItem.isFormField() == newItem.isFormField());
- assertEquals("Compare: Field Name", origItem.getFieldName(), newItem.getFieldName());
- assertEquals("Compare: Content Type", origItem.getContentType(), newItem.getContentType());
- assertEquals("Compare: File Name", origItem.getName(), newItem.getName());
+ item.delete();
}
/**
@@ -237,35 +175,4 @@ public class DiskFileItemSerializeTest e
}
- /**
- * Do serialization and deserialization.
- */
- private Object serializeDeserialize(Object target) {
-
- // Serialize the test object
- ByteArrayOutputStream baos = new ByteArrayOutputStream();
- try {
- ObjectOutputStream oos = new ObjectOutputStream(baos);
- oos.writeObject(target);
- oos.flush();
- oos.close();
- } catch (Exception e) {
- fail("Exception during serialization: " + e);
- }
-
- // Deserialize the test object
- Object result = null;
- try {
- ByteArrayInputStream bais =
- new ByteArrayInputStream(baos.toByteArray());
- ObjectInputStream ois = new ObjectInputStream(bais);
- result = ois.readObject();
- bais.close();
- } catch (Exception e) {
- fail("Exception during deserialization: " + e);
- }
- return result;
-
- }
-
}
Index: commons-fileupload-1.1.1/src/java/org/apache/commons/fileupload/FileItem.java
===================================================================
--- commons-fileupload-1.1.1.orig/src/java/org/apache/commons/fileupload/FileItem.java
+++ commons-fileupload-1.1.1/src/java/org/apache/commons/fileupload/FileItem.java
@@ -19,7 +19,6 @@ import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
-import java.io.Serializable;
import java.io.UnsupportedEncodingException;
/**
@@ -49,8 +48,7 @@ import java.io.UnsupportedEncodingExcept
*
* @version $Id: FileItem.java 349366 2005-11-28 04:44:57Z martinc $
*/
-public interface FileItem
- extends Serializable {
+public interface FileItem {
// ------------------------------- Methods from javax.activation.DataSource
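Review bot: Dropping `Serializable` from `FileItem` is a deliberate, source- and binary-incompatible API change, but the interface Javadoc around the `@version` tag says nothing about it, so callers who keep uploaded items in a replicated or passivated `HttpSession` will only discover it as a `NotSerializableException` at runtime. Add a sentence to the class description (its text starts above this hunk), e.g. `* <p>Implementations are deliberately not {@link java.io.Serializable}: deserializing an untrusted item would let the stream dictate the directory its content is written to and a file path to delete (CVE-2016-1000031). Callers that need to persist an upload should copy the bytes with {@link #get()} instead.</p>`. Note also that this change only removes the inherited contract; an implementation that declares `Serializable` itself would still be deserializable, which is worth confirming for `DiskFileItem`, whose class header is not part of this patch.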