5 replies Latest Post - ‏2013-10-10T13:19:35Z by redBaron
redBaron

Pinned topic How to retrieve value of bowstreet.upload.destinationPath in Java method

‏2013-10-08T15:40:50Z |

Using WEF 8.

Can the bowstreet.upload.destinationPath value be retrieved from a Java method in a model?  Please provide an example.

Thanks!

Updated on 2013-10-08T15:41:15Z at 2013-10-08T15:41:15Z by redBaron
  • mburati

    Re: How to retrieve value of bowstreet.upload.destinationPath in Java method

    ‏2013-10-08T15:49:30Z  in response to redBaron

    Please think of the default file upload path as a "temporary" location where your model should look first to ensure the file is something the application expects (file extension, size, contents etc) before accepting it and moving it to a more permanent location (DB,  servable content if safe,  shared file system, etc). 

    The app is free to move the file wherever it wants, after it has verified it is safe to keep it and move it out of the temporary upload location.  You should move it from the temporary upload location anyway, since that's typically a temporary folder in the deployed WAR that will disappear on app WAR republish.

    If you're already on WEF8, I suggest moving to fixpack WEF 8.0.0.3 which has some additional security checks to ensure that admins don't accidentally move the temporary file upload path to servable content (outside of WEB-INF) where malicious files could conceivably be accessed by other users before the app has a chance to verify it's an appropriate file for that application. An admin should never do that (set file upload initial location to servable content) anyway (whether using WEF or any other tool), but as of 8.0.0.3, there are checks in place to help ensure that isn't done accidentally, without understanding the risk.

    I hope that info helps,
    ..Mike Burati 
    The postings on this site are my own and do not necessarily represent the positions, strategies, or opinions of IBM.

     

  • DGawron

    Re: How to retrieve value of bowstreet.upload.destinationPath in Java method

    ‏2013-10-08T16:18:23Z  in response to redBaron

    Just adding to what Mike has posted.  That property can be retrieved using the com.bowstreet.util.SystemProperties class.  If the value of the property contains the ${bowstreet.rootDirectory} indirect ref then that ref will be replaced with the actual path in the deployed WAR.

    If you are looking for the path to an uploaded file, then the full path is available in the request inputs under the name of the page element that was used by the File Upload builder.  For example, if you place a File Upload builder on a SPAN named "uploadFile", then the request inputs (${Inputs/uploadFile} indirect ref) will contain the file's path.

    As Mike noted, never allow uploads to any folder in the WAR file from which static files can be served (below WebContent and outside of WEB-INF).  And never into any folder that contains regular app files.  Only allow uploads into a folder that is specifically dedicated to uploading files.

    Also, it's a security best practice to ruthlessly validate a file's extension *and* content before moving it to its final location.  For example, if your model expects images to be uploaded and you find that the file has an extension of something other than .png, .gif, or .jpg then it should be immediately deleted and a log message written noting that an unidentified file was uploaded.  Furthermore, say the file extension claims it's a PNG, then you must, at the very least, read the first 8 bytes and verify that they match the expected 8-byte header of a PNG file.  Again, if that test fails you should immediately delete the file and log the event.

  • redBaron

    Re: How to retrieve value of bowstreet.upload.destinationPath in Java method

    ‏2013-10-08T17:54:46Z  in response to redBaron

    Good information.  Can you provide an example or direct me to documentation that explains the use of com.bowstreet.util.SystemProperties in a method builder?  I was checking for the correct extension but have not dealt with the 8-byte header.  Could you explain further?

    • mburati

      Re: How to retrieve value of bowstreet.upload.destinationPath in Java method

      ‏2013-10-08T18:15:23Z  in response to redBaron

      There's doc on SystemProperties here:

      http://www-10.lotus.com/ldd/pfwiki.nsf/dx/Getting_system_properties_wef8?OpenDocument&sa=true

      and here:

      http://infolib.lotus.com/resources/portletfactory/8.0.0/WEF80ABD003/en_us/api/overview-summary.html

      As for verifying a file is a PNG or JPG, most suggestions I've seen include reading the header bytes to look for the known PNG and JPG magic numbers that indicate the file type.  Doing that alone won't guarantee the file is a valid PNG or JPG, but may at least be able to rule out one that definitely is not if it doesn't have the correct header bytes.  Try a web search for "check if a file is png or jpg in Java"  to see similar suggestions.

      I hope that info helps,
      ..Mike Burati 
      The postings on this site are my own and do not necessarily represent the positions, strategies, or opinions of IBM.
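
The extension and header-byte checks described in the two replies above, as an added example that is not part of the original thread and is not WEF code. It uses only the JDK (Java 7 or later); the class name UploadVetter, its method names, and the uploadDir and finalDir parameters are assumptions, and the uploaded path is assumed to be the one the application obtained for the uploaded file.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.*;
import java.util.Arrays;
import java.util.Locale;
import java.util.logging.Logger;

/** Hypothetical helper: vet an uploaded image before it leaves the temporary upload folder. */
public class UploadVetter {
    private static final Logger LOG = Logger.getLogger("upload");
    // Well-known file signatures: 8-byte PNG header, JPEG start-of-image marker, "GIF8" prefix.
    private static final byte[] PNG = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};
    private static final byte[] JPG = {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF};
    private static final byte[] GIF = {'G', 'I', 'F', '8'};

    /** Returns the signature expected for an allowed extension, or null if the extension is not allowed. */
    static byte[] magicFor(String fileName) {
        String n = fileName.toLowerCase(Locale.ROOT);
        if (n.endsWith(".png")) return PNG;
        if (n.endsWith(".jpg")) return JPG;
        if (n.endsWith(".gif")) return GIF;
        return null;
    }

    /** True only if the file is at least as long as the signature and starts with it. */
    static boolean headerMatches(Path file, byte[] magic) throws IOException {
        byte[] head = new byte[magic.length];
        try (InputStream in = Files.newInputStream(file)) {
            int off = 0, r;
            while (off < head.length && (r = in.read(head, off, head.length - off)) > 0) off += r;
            return off == head.length && Arrays.equals(head, magic);
        }
    }

    /** Moves the file to finalDir if it passes both checks; otherwise deletes it, logs, and returns null. */
    public static Path accept(Path uploaded, Path uploadDir, Path finalDir) throws IOException {
        Path real = uploaded.toRealPath();  // resolves symlinks and ".." segments
        if (!real.startsWith(uploadDir.toRealPath())) throw new IOException("not in upload folder");
        byte[] magic = magicFor(real.getFileName().toString());
        if (magic == null || !headerMatches(real, magic)) {
            Files.deleteIfExists(real);
            LOG.warning("Rejected and deleted upload: " + real.getFileName());
            return null;
        }
        return Files.move(real, finalDir.resolve(real.getFileName()));
    }
}
```

A matching header only rules out files that are definitely not the claimed type; it does not prove the rest of the file is a valid image.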
      • redBaron

        Re: How to retrieve value of bowstreet.upload.destinationPath in Java method

        ‏2013-10-10T13:19:35Z  in response to mburati

        Thanks for pointing me in the right direction; however, the documentation was vague as to what properties are available using getProperty.  The answer was: webAppAccess.getSystemProperties().getProperty("bowstreet.upload.destinationPath");