fileUpload: Unable to upload a file without extension

[stolp]

1) Environment

• PrimeFaces version: 7.0.3
• Does it work on the newest released PrimeFaces version? No
• Affected browsers: All

2) Expected behavior

It should be possible to upload any existing file.

3) Actual behavior

Files without extensions cause a FacesExeption.

4) Steps to reproduce

Create a file named 'foobar' and try to upload it

Reason for this is the following code in FileUploadUtils.getValidFilename:

        String extension = FilenameUtils.EXTENSION_SEPARATOR_STR + FilenameUtils.getExtension(filename);

        if (extension.equals(FilenameUtils.EXTENSION_SEPARATOR_STR)) {
            throw new FacesException("File must have an extension");
        }

This seems to enforce the presence of a filename extension for later checks. I am unsure if this is really needed.

The most pressing problems are:

• A user of a primefaces based application is not aware that this restriction exists
• Any primefaces based application is not able to catch that exception properly

[tandraschko]

@cnsgithub can you assist?

[Rapster]

Indeed, no extension should be allowed. After having a look to FileUploadUtils, I think @cnsgithub mentionned https://github.com/augustd/owasp-java-fileio. It looks like there are all the utils we need here.

[hfluz]

One of my users reported this issue recently. It seems there not much I can do in my application, since some users don't even understand about file extensions and that sometimes their files don't have one. I didn't find a way to better handle the exception, it would be nice if it could at least return a validation message.

I thought about trying to write a PR, but I as it was already mentioned, the extension is used in other methods of FileUploadUtils and it might cause some side effects.

[melloware]

I think we should throw an exception. i know its used in a few place but if a file name is not valid we should let end users know.

[stolp]

I think you got this the wrong way.

There is absolutely no reason to not accept a filename without an extension for upload. It is perfectly valid, and especially common on Unix systems (README, Makefile etc.).

So I think an throwing an exception is the completely wrong solution here.

[tandraschko]

@stolp +1

[melloware]

@stolp there are two different issues here.

1. The fact that the FileUpload validator silently eats exception when a file name is bad is a bad user experience.

2. Correcting the ability to allow an extensionless file.

I think both issues need to be fixed.

[melloware]

Sorry as these 2 issues are related: #4843

[stolp]

@melloware I agree, the way exceptions are thrown and handled here is broken. Sorry for misunderstanding you here.

But in case of the issue here, the FacesExceptions thrown in getValidFilename should be omitted (as in the case of the empty extension) or at least be catched properly elsewhere in the component code (for the other cases present there).

[melloware]

Yep I am going to attempt to fix both issues.