PRODSEC-10332 backport to 23.N (#3445)

pom.xml

@@ -63,7 +63,7 @@
         <dependency.jackson.version>2.17.2</dependency.jackson.version>
         <dependency.cxf.version>4.1.0</dependency.cxf.version>
         <dependency.opencmis.version>1.0.0-jakarta-1</dependency.opencmis.version>
-        <dependency.webscripts.version>9.4</dependency.webscripts.version>
+        <dependency.webscripts.version>10.2</dependency.webscripts.version>
         <dependency.bouncycastle.version>1.78.1</dependency.bouncycastle.version>
         <dependency.mockito-core.version>5.14.1</dependency.mockito-core.version>
         <dependency.assertj.version>3.26.3</dependency.assertj.version>
@@ -439,8 +439,8 @@
             </dependency>
             <dependency>
                 <groupId>org.apache.commons</groupId>
-                <artifactId>commons-fileupload2-jakarta</artifactId>
+                <artifactId>commons-fileupload2-jakarta-servlet6</artifactId>
-                <version>2.0.0-M1</version>
+                <version>2.0.0-M4</version>
             </dependency>
             <dependency>
                 <groupId>commons-net</groupId>

remote-api/src/main/java/org/alfresco/repo/web/scripts/transfer/PostContentCommandProcessor.java

@@ -28,11 +28,9 @@ package org.alfresco.repo.web.scripts.transfer;
 
 import jakarta.servlet.http.HttpServletRequest;
 
-import org.alfresco.service.cmr.transfer.TransferException;
-import org.alfresco.service.cmr.transfer.TransferReceiver;
 import org.apache.commons.fileupload2.core.FileItemInput;
 import org.apache.commons.fileupload2.core.FileItemInputIterator;
-import org.apache.commons.fileupload2.jakarta.JakartaServletFileUpload;
+import org.apache.commons.fileupload2.jakarta.servlet6.JakartaServletFileUpload;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.springframework.extensions.webscripts.Status;
@@ -41,6 +39,9 @@ import org.springframework.extensions.webscripts.WebScriptResponse;
 import org.springframework.extensions.webscripts.WrappingWebScriptRequest;
 import org.springframework.extensions.webscripts.servlet.WebScriptServletRequest;
 
+import org.alfresco.service.cmr.transfer.TransferException;
+import org.alfresco.service.cmr.transfer.TransferReceiver;
+
 /**
  * This command processor is used to receive one or more content files for a given transfer.
  * 
@@ -50,9 +51,9 @@ import org.springframework.extensions.webscripts.servlet.WebScriptServletRequest
 public class PostContentCommandProcessor implements CommandProcessor
 {
     private TransferReceiver receiver;
-    
+
     private static final String MSG_CAUGHT_UNEXPECTED_EXCEPTION = "transfer_service.receiver.caught_unexpected_exception";
-    
+
     private static Log logger = LogFactory.getLog(PostContentCommandProcessor.class);
 
     /**
@@ -64,12 +65,9 @@ public class PostContentCommandProcessor implements CommandProcessor
         this.receiver = receiver;
     }
 
-    /*
+    /* (non-Javadoc)
-     * (non-Javadoc)
      * 
-     * @see org.alfresco.repo.web.scripts.transfer.CommandProcessor#process(org.alfresco.web.scripts.WebScriptRequest,
+     * @see org.alfresco.repo.web.scripts.transfer.CommandProcessor#process(org.alfresco.web.scripts.WebScriptRequest, org.alfresco.web.scripts.WebScriptResponse) */
-     * org.alfresco.web.scripts.WebScriptResponse)
-     */
     public int process(WebScriptRequest req, WebScriptResponse resp)
     {
         logger.debug("post content start");
@@ -91,8 +89,7 @@ public class PostContentCommandProcessor implements CommandProcessor
             {
                 current = null;
             }
-        }
+        } while (current != null);
-        while (current != null);
         if (webScriptServletRequest == null)
         {
             resp.setStatus(Status.STATUS_BAD_REQUEST);
@@ -101,7 +98,7 @@ public class PostContentCommandProcessor implements CommandProcessor
 
         HttpServletRequest servletRequest = webScriptServletRequest.getHttpServletRequest();
 
-        //Read the transfer id from the request
+        // Read the transfer id from the request
         String transferId = servletRequest.getParameter("transferId");
 
         if ((transferId == null) || !JakartaServletFileUpload.isMultipartContent(servletRequest))
@@ -124,34 +121,34 @@ public class PostContentCommandProcessor implements CommandProcessor
                     logger.debug("got content Mime Part : " + name);
                     receiver.saveContent(transferId, item.getName(), item.getInputStream());
                 }
-            }            
+            }
-            
+
-//            WebScriptServletRequest alfRequest = (WebScriptServletRequest)req;
+            // WebScriptServletRequest alfRequest = (WebScriptServletRequest)req;
-//            String[] names = alfRequest.getParameterNames();
+            // String[] names = alfRequest.getParameterNames();
-//            for(String name : names)
+            // for(String name : names)
-//            {
+            // {
-//                FormField item = alfRequest.getFileField(name);
+            // FormField item = alfRequest.getFileField(name);
-//                
+            //
-//                if(item != null)
+            // if(item != null)
-//                {
+            // {
-//                    logger.debug("got content Mime Part : " + name);
+            // logger.debug("got content Mime Part : " + name);
-//                    receiver.saveContent(transferId, item.getName(), item.getInputStream());
+            // receiver.saveContent(transferId, item.getName(), item.getInputStream());
-//                }
+            // }
-//                else
+            // else
-//                {
+            // {
-//                    //TODO - should this be an exception?
+            // //TODO - should this be an exception?
-//                    logger.debug("Unable to get content for Mime Part : " + name);
+            // logger.debug("Unable to get content for Mime Part : " + name);
-//                }
+            // }
-//            }
+            // }
-            
+
             logger.debug("success");
-            
+
             resp.setStatus(Status.STATUS_OK);
-        } 
+        }
         catch (Exception ex)
         {
             logger.debug("exception caught", ex);
-            if(transferId != null)
+            if (transferId != null)
             {
                 logger.debug("ending transfer", ex);
                 receiver.end(transferId);

remote-api/src/main/java/org/alfresco/repo/web/scripts/transfer/PostSnapshotCommandProcessor.java

@@ -27,15 +27,11 @@
 package org.alfresco.repo.web.scripts.transfer;
 
 import java.io.OutputStream;
-
 import jakarta.servlet.http.HttpServletRequest;
 
-import org.alfresco.repo.transfer.TransferCommons;
-import org.alfresco.service.cmr.transfer.TransferException;
-import org.alfresco.service.cmr.transfer.TransferReceiver;
 import org.apache.commons.fileupload2.core.FileItemInput;
 import org.apache.commons.fileupload2.core.FileItemInputIterator;
-import org.apache.commons.fileupload2.jakarta.JakartaServletFileUpload;
+import org.apache.commons.fileupload2.jakarta.servlet6.JakartaServletFileUpload;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.springframework.extensions.webscripts.Status;
@@ -44,6 +40,10 @@ import org.springframework.extensions.webscripts.WebScriptResponse;
 import org.springframework.extensions.webscripts.WrappingWebScriptRequest;
 import org.springframework.extensions.webscripts.servlet.WebScriptServletRequest;
 
+import org.alfresco.repo.transfer.TransferCommons;
+import org.alfresco.service.cmr.transfer.TransferException;
+import org.alfresco.service.cmr.transfer.TransferReceiver;
+
 /**
  * This command processor is used to receive the snapshot for a given transfer.
  * 
@@ -53,17 +53,17 @@ import org.springframework.extensions.webscripts.servlet.WebScriptServletRequest
 public class PostSnapshotCommandProcessor implements CommandProcessor
 {
     private TransferReceiver receiver;
-    
+
     private static Log logger = LogFactory.getLog(PostSnapshotCommandProcessor.class);
 
     private static final String MSG_CAUGHT_UNEXPECTED_EXCEPTION = "transfer_service.receiver.caught_unexpected_exception";
 
     /* (non-Javadoc)
-     * @see org.alfresco.repo.web.scripts.transfer.CommandProcessor#process(org.alfresco.web.scripts.WebScriptRequest, org.alfresco.web.scripts.WebScriptResponse)
+     * 
-     */
+     * @see org.alfresco.repo.web.scripts.transfer.CommandProcessor#process(org.alfresco.web.scripts.WebScriptRequest, org.alfresco.web.scripts.WebScriptResponse) */
     public int process(WebScriptRequest req, WebScriptResponse resp)
     {
-        
+
         int result = Status.STATUS_OK;
         // Unwrap to a WebScriptServletRequest if we have one
         WebScriptServletRequest webScriptServletRequest = null;
@@ -83,45 +83,44 @@ public class PostSnapshotCommandProcessor implements CommandProcessor
             {
                 current = null;
             }
-        }
+        } while (current != null);
-        while (current != null);
+        if (webScriptServletRequest == null)
-        if (webScriptServletRequest == null) 
         {
             logger.debug("bad request, not assignable from");
             resp.setStatus(Status.STATUS_BAD_REQUEST);
             return Status.STATUS_BAD_REQUEST;
         }
-                
+
-        //We can't use the WebScriptRequest version of getParameter, since that may cause the content stream 
+        // We can't use the WebScriptRequest version of getParameter, since that may cause the content stream
-        //to be parsed. Get hold of the raw HttpServletRequest and work with that.
+        // to be parsed. Get hold of the raw HttpServletRequest and work with that.
         HttpServletRequest servletRequest = webScriptServletRequest.getHttpServletRequest();
-        
+
-        //Read the transfer id from the request
+        // Read the transfer id from the request
         String transferId = servletRequest.getParameter("transferId");
-        
+
         if ((transferId == null) || !JakartaServletFileUpload.isMultipartContent(servletRequest))
         {
             logger.debug("bad request, not multipart");
             resp.setStatus(Status.STATUS_BAD_REQUEST);
             return Status.STATUS_BAD_REQUEST;
         }
-        
+
-        try 
+        try
         {
             logger.debug("about to upload manifest file");
 
             JakartaServletFileUpload upload = new JakartaServletFileUpload();
             FileItemInputIterator iter = upload.getItemIterator(servletRequest);
-            while (iter.hasNext()) 
+            while (iter.hasNext())
             {
                 FileItemInput item = iter.next();
-                if (!item.isFormField() && TransferCommons.PART_NAME_MANIFEST.equals(item.getFieldName())) 
+                if (!item.isFormField() && TransferCommons.PART_NAME_MANIFEST.equals(item.getFieldName()))
                 {
                     logger.debug("got manifest file");
                     receiver.saveSnapshot(transferId, item.getInputStream());
                 }
             }
-          
+
             logger.debug("success");
             resp.setStatus(Status.STATUS_OK);
 
@@ -133,10 +132,10 @@ public class PostSnapshotCommandProcessor implements CommandProcessor
                 receiver.generateRequsite(transferId, out);
             }
         }
-        catch (Exception ex) 
+        catch (Exception ex)
         {
             logger.debug("exception caught", ex);
-            if(transferId != null)
+            if (transferId != null)
             {
                 logger.debug("ending transfer", ex);
                 receiver.end(transferId);
@@ -151,7 +150,8 @@ public class PostSnapshotCommandProcessor implements CommandProcessor
     }
 
     /**
-     * @param receiver the receiver to set
+     * @param receiver
+     *            the receiver to set
      */
     public void setReceiver(TransferReceiver receiver)
     {

repository/pom.xml

@@ -85,7 +85,7 @@
         </dependency>
         <dependency>
             <groupId>org.apache.commons</groupId>
-            <artifactId>commons-fileupload2-jakarta</artifactId>
+            <artifactId>commons-fileupload2-jakarta-servlet6</artifactId>
         </dependency>
         <dependency>
             <groupId>org.apache.commons</groupId>