Merge pull request #1283 from apache/dependabot/maven/org.apache.commons-commons-fileupload2-jakarta-servlet6-2.0.0-M4

Bump org.apache.commons:commons-fileupload2-jakarta-servlet6 from 2.0.0-M2 to 2.0.0-M4

Author: lukaszlenart

core/src/main/java/org/apache/struts2/dispatcher/multipart/AbstractMultiPartRequest.java

@@ -18,6 +18,8 @@
  */
 package org.apache.struts2.dispatcher.multipart;
 
+import org.apache.commons.fileupload2.core.DiskFileItemFactory;
+import org.apache.commons.fileupload2.core.RequestContext;
 import org.apache.struts2.inject.Inject;
 import jakarta.servlet.http.HttpServletRequest;
 import org.apache.commons.fileupload2.core.FileUploadByteCountLimitException;
@@ -33,6 +35,7 @@
 import org.apache.struts2.StrutsConstants;
 import org.apache.struts2.dispatcher.LocalizedMessage;
 
+import java.io.File;
 import java.io.IOException;
 import java.nio.charset.Charset;
 import java.nio.file.Path;
@@ -42,6 +45,9 @@
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.UUID;
+
+import static org.apache.commons.lang3.StringUtils.normalizeSpace;
 
 /**
  * Abstract class with some helper methods, it should be used
@@ -187,7 +193,21 @@ protected Charset readCharsetEncoding(HttpServletRequest request) {
      * @param charset used charset from incoming request
      * @param saveDir a temporary folder to store uploaded files (not always needed)
      */
-    protected abstract JakartaServletDiskFileUpload createJakartaFileUpload(Charset charset, Path saveDir);
+    protected JakartaServletDiskFileUpload createJakartaFileUpload(Charset charset, Path saveDir) {
+        DiskFileItemFactory.Builder builder = DiskFileItemFactory.builder();
+
+        LOG.debug("Using file save directory: {}", saveDir);
+        builder.setPath(saveDir);
+
+        LOG.debug("Sets buffer size: {}", bufferSize);
+        builder.setBufferSize(bufferSize);
+
+        LOG.debug("Using charset: {}", charset);
+        builder.setCharset(charset);
+
+        DiskFileItemFactory factory = builder.get();
+        return new JakartaServletDiskFileUpload(factory);
+    }
 
     protected JakartaServletDiskFileUpload prepareServletFileUpload(Charset charset, Path saveDir) {
         JakartaServletDiskFileUpload servletFileUpload = createJakartaFileUpload(charset, saveDir);
@@ -207,11 +227,15 @@ protected JakartaServletDiskFileUpload prepareServletFileUpload(Charset charset,
         return servletFileUpload;
     }
 
+    protected RequestContext createRequestContext(HttpServletRequest request) {
+        return new StrutsRequestContext(request);
+    }
+
     protected boolean exceedsMaxStringLength(String fieldName, String fieldValue) {
         if (maxStringLength != null && fieldValue.length() > maxStringLength) {
             if (LOG.isDebugEnabled()) {
                 LOG.debug("Form field: {} of size: {} bytes exceeds limit of: {}.",
-                        sanitizeNewlines(fieldName), fieldValue.length(), maxStringLength);
+                        normalizeSpace(fieldName), fieldValue.length(), maxStringLength);
             }
             LocalizedMessage localizedMessage = new LocalizedMessage(this.getClass(),
                     STRUTS_MESSAGES_UPLOAD_ERROR_PARAMETER_TOO_LONG_KEY, null,
@@ -234,7 +258,7 @@ public void parse(HttpServletRequest request, String saveDir) throws IOException
         try {
             processUpload(request, saveDir);
         } catch (FileUploadException e) {
-            LOG.debug("Error parsing the multi-part request!", e);
+            LOG.warn("Error parsing the multi-part request!", e);
             Class<? extends Throwable> exClass = FileUploadException.class;
             Object[] args = new Object[]{};
 
@@ -257,7 +281,7 @@ public void parse(HttpServletRequest request, String saveDir) throws IOException
                 errors.add(errorMessage);
             }
         } catch (IOException e) {
-            LOG.debug("Unable to parse request", e);
+            LOG.warn("Unable to parse request", e);
             LocalizedMessage errorMessage = buildErrorMessage(e.getClass(), e.getMessage(), new Object[]{});
             if (!errors.contains(errorMessage)) {
                 errors.add(errorMessage);
@@ -384,6 +408,22 @@ public String[] getParameterValues(String name) {
         return values.toArray(new String[0]);
     }
 
+    /**
+     * Creates a secure temporary file in the specified directory using UUID-based naming.
+     * This method ensures files are created in a controlled location rather than the
+     * system temporary directory, reducing security risks.
+     *
+     * @param fileName the original filename for logging purposes
+     * @param location the directory where the temporary file should be created
+     * @return a new temporary file in the specified location
+     */
+    protected File createTemporaryFile(String fileName, Path location) {
+        String uid = UUID.randomUUID().toString().replace("-", "_");
+        File file = location.resolve("upload_" + uid + ".tmp").toFile();
+        LOG.debug("Creating temporary file: {} (originally: {})", file.getName(), fileName);
+        return file;
+    }
+
     /* (non-Javadoc)
      * @see org.apache.struts2.dispatcher.multipart.MultiPartRequest#cleanUp()
      */