diff --git a/commons-fileupload2-core/src/main/java/org/apache/commons/fileupload2/core/DiskFileItem.java b/commons-fileupload2-core/src/main/java/org/apache/commons/fileupload2/core/DiskFileItem.java
index bb82efb47c..d7e6a35880 100644
--- a/commons-fileupload2-core/src/main/java/org/apache/commons/fileupload2/core/DiskFileItem.java
+++ b/commons-fileupload2-core/src/main/java/org/apache/commons/fileupload2/core/DiskFileItem.java
@@ -438,7 +438,7 @@ public long getSize() {
 /**
 * Gets the contents of the file as a String, using the default character encoding. This method uses {@link #get()} to retrieve the contents of the file.
 *

- * TODO Consider making this method throw UnsupportedEncodingException.
+ * TODO Consider making this method throw UnsupportedEncodingException.
 *

 *
 * @return The contents of the file, as a string.
@@ -463,7 +463,7 @@ public String getString(final Charset charset) throws IOException {
 * Creates and returns a {@link java.io.File File} representing a uniquely named temporary file in the configured repository path. The lifetime of the file
 * is tied to the lifetime of the {@code FileItem} instance; the file will be deleted when the instance is garbage collected.
 *

- * Note: Subclasses that override this method must ensure that they return the same File each time.
+ * Note: Subclasses that override this method must ensure that they return the same File each time.
 *

 *
 * @return The {@link java.io.File File} to be used for temporary storage.
diff --git a/commons-fileupload2-core/src/main/java/org/apache/commons/fileupload2/core/DiskFileItemFactory.java b/commons-fileupload2-core/src/main/java/org/apache/commons/fileupload2/core/DiskFileItemFactory.java
index 2bc6392c01..baff71d52f 100644
--- a/commons-fileupload2-core/src/main/java/org/apache/commons/fileupload2/core/DiskFileItemFactory.java
+++ b/commons-fileupload2-core/src/main/java/org/apache/commons/fileupload2/core/DiskFileItemFactory.java
@@ -38,11 +38,11 @@ *
  • Repository is the system default temporary directory, as returned by {@code System.getProperty("java.io.tmpdir")}.
  • * *

- * NOTE: Files are created in the system default temporary directory with predictable names. This means that a local attacker with write access to that
- * directory can perform a TOUTOC attack to replace any uploaded file with a file of the attackers choice. The implications of this will depend on how the
- * uploaded file is used but could be significant. When using this implementation in an environment with local, untrusted users, {@link Builder#setPath(Path)}
- * MUST be used to configure a repository location that is not publicly writable. In a Servlet container the location identified by the ServletContext attribute
- * {@code javax.servlet.context.tempdir} may be used.
+ * NOTE: Files are created in the system default temporary directory with predictable names. This means that a local attacker with write access
+ * to that directory can perform a TOUTOC attack to replace any uploaded file with a file of the attackers choice. The implications of this will depend on how
+ * the uploaded file is used but could be significant. When using this implementation in an environment with local, untrusted users,
+ * {@link Builder#setPath(Path)} MUST be used to configure a repository location that is not publicly writable. In a Servlet container the location identified
+ * by the ServletContext attribute {@code javax.servlet.context.tempdir} may be used.
 *

    *

 * Temporary files, which are created for file items, should be deleted later on. The best way to do this is using a {@link FileCleaningTracker}, which you can
diff --git a/commons-fileupload2-core/src/main/java/org/apache/commons/fileupload2/core/RFC2231Utils.java b/commons-fileupload2-core/src/main/java/org/apache/commons/fileupload2/core/RFC2231Utils.java
index 3924f1409e..d9b741acc6 100644
--- a/commons-fileupload2-core/src/main/java/org/apache/commons/fileupload2/core/RFC2231Utils.java
+++ b/commons-fileupload2-core/src/main/java/org/apache/commons/fileupload2/core/RFC2231Utils.java
@@ -60,11 +60,11 @@ final class RFC2231Utils {
 /**
 * Decodes a string of text obtained from a HTTP header as per RFC 2231
 *
- * Eg 1. {@code us-ascii'en-us'This%20is%20%2A%2A%2Afun%2A%2A%2A} will be decoded to {@code This is ***fun***}
+ * Eg 1. {@code us-ascii'en-us'This%20is%20%2A%2A%2Afun%2A%2A%2A} will be decoded to {@code This is ***fun***}
 *
- * Eg 2. {@code iso-8859-1'en'%A3%20rate} will be decoded to {@code £ rate}.
+ * Eg 2. {@code iso-8859-1'en'%A3%20rate} will be decoded to {@code £ rate}.
 *
- * Eg 3. {@code UTF-8''%c2%a3%20and%20%e2%82%ac%20rates} will be decoded to {@code £ and € rates}.
+ * Eg 3. {@code UTF-8''%c2%a3%20and%20%e2%82%ac%20rates} will be decoded to {@code £ and € rates}.
 *
 * @param encodedText Text to be decoded has a format of {@code ''} and ASCII only
 * @return Decoded text based on charset encoding
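Review bot: The re-wrapped NOTE on the `+` lines of the DiskFileItemFactory hunk still names the attack class `TOUTOC`, which is not the standard acronym, so the second added line should read `can perform a TOCTOU (time-of-check to time-of-use) attack to replace any uploaded file`; readers looking up the term will otherwise not find it. The same lines keep `of the attackers choice`, which should be `of the attacker's choice`. Both are wording-only changes to the Javadoc; the text is identical on the `-` side, so the typo predates this commit. The Javadoc block that contains this NOTE starts before the hunk.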