Class DiskFileItemFactory

java.lang.Object
org.apache.tomcat.util.http.fileupload.disk.DiskFileItemFactory
All Implemented Interfaces:
FileItemFactory

public class DiskFileItemFactory extends Object implements FileItemFactory

The default FileItemFactory implementation. This implementation creates FileItem instances which keep their content either in memory, for smaller items, or in a temporary file on disk, for larger items. The size threshold, above which content will be stored on disk, is configurable, as is the directory in which temporary files will be created.

If not otherwise configured, the default configuration values are as follows:

  • Size threshold is 10 KiB.
  • Repository is the system default temp directory, as returned by System.getProperty("java.io.tmpdir").

NOTE: Files are created in the system default temp directory with predictable names. This means that a local attacker with write access to that directory can perform a TOCTOU (time-of-check to time-of-use) attack to replace any uploaded file with a file of the attacker's choice. The implications of this will depend on how the uploaded file is used, but could be significant. When using this implementation in an environment with local, untrusted users, setRepository(File) MUST be used to configure a repository location that is not publicly writable. In a Servlet container the location identified by the ServletContext attribute jakarta.servlet.context.tempdir may be used.
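One way to apply the note above, as an added example that is not part of the Tomcat documentation or code base: the factory is pointed at the container's private temp directory, and the directory's permissions are checked before setRepository(File) is called. The class UploadFactoryConfig and its methods are hypothetical names, and the permission check assumes a POSIX file system.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Set;

import jakarta.servlet.ServletContext;
import org.apache.tomcat.util.http.fileupload.disk.DiskFileItemFactory;

/** Hypothetical helper (not part of Tomcat): factory with a non-public repository. */
public final class UploadFactoryConfig {

    private UploadFactoryConfig() {}

    /** Builds a factory whose temp files go to the web application's own temp directory. */
    public static DiskFileItemFactory forContext(ServletContext ctx) throws IOException {
        // The Servlet specification stores a java.io.File under this attribute.
        File tempDir = (File) ctx.getAttribute(ServletContext.TEMPDIR);
        if (tempDir == null) {
            throw new IllegalStateException("No " + ServletContext.TEMPDIR + " attribute set");
        }
        requireNotPubliclyWritable(tempDir.toPath());

        DiskFileItemFactory factory = new DiskFileItemFactory();
        factory.setRepository(tempDir); // replaces the java.io.tmpdir default
        return factory;
    }

    /** Rejects a repository that other local users could write into. */
    static void requireNotPubliclyWritable(Path dir) throws IOException {
        if (!Files.isDirectory(dir)) {
            throw new IOException("Upload repository is not a directory: " + dir);
        }
        if (!Files.getFileStore(dir).supportsFileAttributeView("posix")) {
            // Assumption: on non-POSIX file systems the ACLs are reviewed separately.
            return;
        }
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(dir);
        if (perms.contains(PosixFilePermission.OTHERS_WRITE)) {
            // A shared directory such as /tmp ends up here.
            throw new IOException("Upload repository is world-writable: " + dir);
        }
    }
}
```

The check covers only the repository directory itself. A parent directory that other users can write to would still allow the repository to be renamed or replaced, so the whole path needs the same property.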

Temporary files, which are created for file items, will be deleted when the associated request is recycled.

Since:
FileUpload 1.1