Upload mapping from interface does not work.

[GoogleCodeExporter]

The upload mapping dialog is not working, the form does not appear to be 
working.

Original issue reported on code.google.com by mat...@winters.org.nz on 7 Jan 2013 at 8:43

[GoogleCodeExporter]

There are multiple problems with the form.

- Form uses POST method to send data. Therefore, when server checks 
request.parameter(...) there will be none. Request.parameter("foo") will only 
find the parameter if sent in a GET request (ie, in the url: 
http://example.com/?foo=bar. Changing the form to use a GET request seems to 
help on this issue. Your curl upload script on 
http://www.winters.org.nz/acra-reporter uses a GET request too. Should really 
be using post, but then the server side needs to be changed.

- The server checks for authorization. The UI user is not sending this 
authentication, and the authentication credentials are different for proguard 
upload and user login. You might need to create to endpoints?

I hope that helps you get this fixed. I do not know app-engine, but found those 
problems by looking in the code and debugging it locally.

Original comment by kfo...@gmail.com on 4 Apr 2013 at 9:42

[GoogleCodeExporter]

I have not had any look at this since it didnt work, i only use automated 
uploads myself..

Do you think you can fix it? I welcome contributions (there has not been any 
yet), I can add users to the project ..

I remember following the example for the FileUpload 
(http://google-web-toolkit.googlecode.com/svn/javadoc/latest/index.html?overview
-summary.html) And did not get far - the servlet will accept get/post/put 
methods without issue.
curl seems to upload best using GET.

:)

Original comment by mat...@winters.org.nz on 4 Apr 2013 at 9:43

[GoogleCodeExporter]

It might be possible that I get the time to have a look at it, but I won't 
promise anything.

Original comment by kfo...@gmail.com on 5 Apr 2013 at 7:11

[GoogleCodeExporter]

any chances to get this fixed?

Original comment by sergei.l...@gmail.com on 29 May 2013 at 7:44

[GoogleCodeExporter]

I have had another look a few weeks ago, but there is no reason I can see for 
the form to not send the file over.. I dont know what is wrong..

I only use automated builds from jenkins which automatically uploads the map 
files, thats the best way to do it..

Original comment by mat...@winters.org.nz on 29 May 2013 at 8:23

[GoogleCodeExporter]

@mat, didn't you see posting in #1? I wrote that there we multiple problems:
- Server expects GET variables to be used, form sends POST variables (and your 
script at http://www.winters.org.nz/acra-reporter uses GET variables)

- Server checks credentials sent using HTTP-BASIC which is NOT sent by the form.

So in essence the form DOES send the file over but the server is NOT accepting 
it, as it only checks GET variables and the form uses POST. Even if GET was 
used on the form, the server would not accept the request as it does not 
contain HTTP-BASIC authentication. I would recommend using POST variables since 
calling the url changes something, and this is exactly what POST is used for 
(it has sideeffects). GET is used when no changes are made, and it is perfectly 
safe to perform the operation once again.

The HTTP RFC for POST (http://tools.ietf.org/html/rfc2616#section-9.5) states 
that "The POST method is used to ... Providing a block of data, such as the 
result of submitting a form, to a data-handling process". Also section 9.1.1 
Safe Methods (http://tools.ietf.org/html/rfc2616#section-9.1.1) describes that: 
"In particular, the convention has been established that the GET and HEAD 
methods SHOULD NOT have the significance of taking an action other than 
retrieval".

I just wanted to show that changing from GET to POST was not just a feeling I 
had, but is actually the recommended way.

Original comment by kfo...@gmail.com on 29 May 2013 at 9:15

[GoogleCodeExporter]

I tried all sorts of things, YES the form does use Post, and the receiving 
servelet can accept GET, POST and PUT.. The servelet works fine as uploading 
with curl works perfect. The authentication stuff just had not been implemented 
in the form as the form never sends the file.. Its easy to see that using the 
debugger..

When coding the form, I followed the GWT example, 
(http://google-web-toolkit.googlecode.com/svn/javadoc/latest/com/google/gwt/user
/client/ui/FileUpload.html) from what I can tell there is some bug in GWT..

I am happy for anyone to actually get it working, i can provide access to 
submit code back into the repository..

Original comment by mat...@winters.org.nz on 29 May 2013 at 9:35

[GoogleCodeExporter]

So, doing some digging on google e.t.c., I find that the FileUpload object does 
not actually do the upload, it only gets the filename..

Uploads it seems will have to go through the blob store, which GAE / GWT seem 
to handle better..

https://developers.google.com/appengine/docs/java/blobstore/overview#Uploading_a
_Blob
http://stackoverflow.com/questions/9812403/how-to-upload-file-on-gae-with-gwt?rq
=1

Original comment by mat...@winters.org.nz on 29 May 2013 at 10:01

[GoogleCodeExporter]

Okay. More research. When using multipart/form-data rewuest.getParameter does 
always return null. This is because the parameters are in the body of the http 
request and needs to be parsed. Apache has a nice library for it.

http://commons.apache.org/proper/commons-fileupload/

I do not believe you have to use the blobstore, as you have circumvented it 
with your script.

Original comment by kfo...@gmail.com on 29 May 2013 at 10:04

[GoogleCodeExporter]

I got it working with the commons-fileupload, had to use some other class 
instead of disk storage which i found on google-code..

Currently on v2 of the appengine..
http://2.wintersacrareporter.appspot.com/ give it a try, there is no 
"progress/wait" stuff yet but it will upload the map file.

Original comment by mat...@winters.org.nz on 30 May 2013 at 12:49

[GoogleCodeExporter]

It works for me :)

Original comment by kfo...@gmail.com on 30 May 2013 at 6:37

[GoogleCodeExporter]

I know you are not done yet, but I just reviewed the code and found a security 
hole. If I know someones app package, say x.y.z, and I have a mapping file, say 
map.txt, then I can upload a mapping file to that package by:

$ curl -F "version=2" -F "package=x.y.z" -F "filetoupload=@map.txt" 
http://2.wintersacrareporter.appspot.com/mappingupload

This is because no authentication is checked, yet.
I have verified that it works by uploading to my own account.
Just wanted to let you know.

Original comment by kfo...@gmail.com on 30 May 2013 at 6:56

[GoogleCodeExporter]

Have now implemented a simple check to make sure the input is coming from the 
form, this should be sufficient.

This is now live on the main app instance.

Original comment by mat...@winters.org.nz on 30 May 2013 at 10:47

• Changed state: Fixed