Closed GoogleCodeExporter closed 8 years ago
There are multiple problems with the form.
- Form uses POST method to send data. Therefore, when the server checks
request.parameter(...) there will be none. Request.parameter("foo") will only
find the parameter if sent in a GET request (i.e., in the URL:
http://example.com/?foo=bar). Changing the form to use a GET request seems to
help on this issue. Your curl upload script on
http://www.winters.org.nz/acra-reporter uses a GET request too. Should really
be using POST, but then the server side needs to be changed.
- The server checks for authorization. The UI user is not sending this
authentication, and the authentication credentials are different for proguard
upload and user login. You might need to create two endpoints?
I hope that helps you get this fixed. I do not know app-engine, but found those
problems by looking in the code and debugging it locally.
Original comment by kfo...@gmail.com
on 4 Apr 2013 at 9:42
I have not had any look at this since it didn't work, I only use automated
uploads myself..
Do you think you can fix it? I welcome contributions (there has not been any
yet), I can add users to the project ..
I remember following the example for the FileUpload
(http://google-web-toolkit.googlecode.com/svn/javadoc/latest/index.html?overview-summary.html)
And did not get far - the servlet will accept get/post/put
methods without issue.
curl seems to upload best using GET.
:)
Original comment by mat...@winters.org.nz
on 4 Apr 2013 at 9:43
It might be possible that I get the time to have a look at it, but I won't
promise anything.
Original comment by kfo...@gmail.com
on 5 Apr 2013 at 7:11
any chances to get this fixed?
Original comment by sergei.l...@gmail.com
on 29 May 2013 at 7:44
I have had another look a few weeks ago, but there is no reason I can see for
the form to not send the file over.. I don't know what is wrong..
I only use automated builds from jenkins which automatically uploads the map
files, that's the best way to do it..
Original comment by mat...@winters.org.nz
on 29 May 2013 at 8:23
@mat, didn't you see posting in #1? I wrote that there were multiple problems:
- Server expects GET variables to be used, form sends POST variables (and your
script at http://www.winters.org.nz/acra-reporter uses GET variables)
- Server checks credentials sent using HTTP-BASIC which is NOT sent by the form.
So in essence the form DOES send the file over but the server is NOT accepting
it, as it only checks GET variables and the form uses POST. Even if GET was
used on the form, the server would not accept the request as it does not
contain HTTP-BASIC authentication. I would recommend using POST variables since
calling the url changes something, and this is exactly what POST is used for
(it has side effects). GET is used when no changes are made, and it is perfectly
safe to perform the operation once again.
The HTTP RFC for POST (http://tools.ietf.org/html/rfc2616#section-9.5) states
that "The POST method is used to ... Providing a block of data, such as the
result of submitting a form, to a data-handling process". Also section 9.1.1
Safe Methods (http://tools.ietf.org/html/rfc2616#section-9.1.1) describes that:
"In particular, the convention has been established that the GET and HEAD
methods SHOULD NOT have the significance of taking an action other than
retrieval".
I just wanted to show that changing from GET to POST was not just a feeling I
had, but is actually the recommended way.
Original comment by kfo...@gmail.com
on 29 May 2013 at 9:15
I tried all sorts of things, YES the form does use Post, and the receiving
servlet can accept GET, POST and PUT.. The servlet works fine as uploading
with curl works perfect. The authentication stuff just had not been implemented
in the form as the form never sends the file.. It's easy to see that using the
debugger..
When coding the form, I followed the GWT example,
(http://google-web-toolkit.googlecode.com/svn/javadoc/latest/com/google/gwt/user/client/ui/FileUpload.html)
from what I can tell there is some bug in GWT..
I am happy for anyone to actually get it working, I can provide access to
submit code back into the repository..
Original comment by mat...@winters.org.nz
on 29 May 2013 at 9:35
So, doing some digging on Google etc., I find that the FileUpload object does
not actually do the upload, it only gets the filename..
Uploads it seems will have to go through the blob store, which GAE / GWT seem
to handle better..
https://developers.google.com/appengine/docs/java/blobstore/overview#Uploading_a_Blob
http://stackoverflow.com/questions/9812403/how-to-upload-file-on-gae-with-gwt?rq=1
Original comment by mat...@winters.org.nz
on 29 May 2013 at 10:01
Okay. More research. When using multipart/form-data request.getParameter does
always return null. This is because the parameters are in the body of the http
request and need to be parsed. Apache has a nice library for it.
http://commons.apache.org/proper/commons-fileupload/
I do not believe you have to use the blobstore, as you have circumvented it
with your script.
Original comment by kfo...@gmail.com
on 29 May 2013 at 10:04
I got it working with the commons-fileupload, had to use some other class
instead of disk storage which I found on google-code..
Currently on v2 of the appengine..
http://2.wintersacrareporter.appspot.com/ give it a try, there is no
"progress/wait" stuff yet but it will upload the map file.
Original comment by mat...@winters.org.nz
on 30 May 2013 at 12:49
It works for me :)
Original comment by kfo...@gmail.com
on 30 May 2013 at 6:37
I know you are not done yet, but I just reviewed the code and found a security
hole. If I know someone's app package, say x.y.z, and I have a mapping file, say
map.txt, then I can upload a mapping file to that package by:
$ curl -F "version=2" -F "package=x.y.z" -F "filetoupload=@map.txt" http://2.wintersacrareporter.appspot.com/mappingupload
This is because no authentication is checked, yet.
This is because no authentication is checked, yet.
I have verified that it works by uploading to my own account.
Just wanted to let you know.
Original comment by kfo...@gmail.com
on 30 May 2013 at 6:56
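Added example, not part of the original thread and not the project's code: a protocol-level Python sketch (the project itself is a Java servlet) of the two points raised in the comments above, that the fields of a multipart/form-data request sit in the body and must be parsed, and that the upload endpoint has to check HTTP Basic credentials against the target package. The `OWNERS` table, the credentials, the boundary string and the `handle_upload` handler are assumptions made for illustration; the field names come from the curl command in the thread.

```python
import base64
import hmac
from email import message_from_bytes

# Constructed sample data: the "user:password" allowed to upload for each package.
OWNERS = {"x.y.z": "alice:example-secret"}
CONTENT_TYPE = "multipart/form-data; boundary=constructed-boundary-1234"
# Constructed body equivalent to: curl -F version=2 -F package=x.y.z -F filetoupload=@map.txt
SAMPLE_BODY = (
    b'--constructed-boundary-1234\r\nContent-Disposition: form-data; name="version"\r\n\r\n2\r\n'
    b'--constructed-boundary-1234\r\nContent-Disposition: form-data; name="package"\r\n\r\nx.y.z\r\n'
    b'--constructed-boundary-1234\r\nContent-Disposition: form-data; name="filetoupload";'
    b' filename="map.txt"\r\nContent-Type: application/octet-stream\r\n\r\n'
    b'com.example.Main -> a.a:\r\n--constructed-boundary-1234--\r\n'
)

def parse_multipart(content_type, body):
    """Split a multipart/form-data body into ({field: text}, {field: (filename, bytes)})."""
    msg = message_from_bytes(b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body)
    fields, files = {}, {}
    if not msg.is_multipart():
        return fields, files
    for part in msg.get_payload():
        name = part.get_param("name", header="content-disposition")
        data = part.get_payload(decode=True)
        if part.get_filename() is not None:
            files[name] = (part.get_filename(), data)
        else:
            fields[name] = data.decode("utf-8")
    return fields, files

def basic_credentials(header):
    """Return the decoded 'user:password' of an HTTP Basic header, or None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        return base64.b64decode(header[6:], validate=True).decode("utf-8")
    except ValueError:  # bad base64 or bad UTF-8
        return None

def handle_upload(method, headers, body):
    """Hypothetical /mappingupload handler: returns the HTTP status it would send."""
    if method != "POST":                      # uploads change state, so no GET
        return 405
    creds = basic_credentials(headers.get("Authorization"))
    if creds is None:
        return 401                            # no credentials: reject before parsing
    fields, files = parse_multipart(headers.get("Content-Type", ""), body)
    expected = OWNERS.get(fields.get("package"))
    if expected is None or not hmac.compare_digest(creds.encode(), expected.encode()):
        return 403                            # authenticated, but not for this package
    if "version" not in fields or "filetoupload" not in files:
        return 400
    return 204                                # the mapping would be stored here
```

The request from the curl command above, sent without an `Authorization` header, gets 401 from this handler; valid credentials for a different account get 403.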
Have now implemented a simple check to make sure the input is coming from the
form, this should be sufficient.
This is now live on the main app instance.
Original comment by mat...@winters.org.nz
on 30 May 2013 at 10:47
Original issue reported on code.google.com by
mat...@winters.org.nz
on 7 Jan 2013 at 8:43