servlets - choose a filename for uploaded files

Question

I am interested in images but the question is quite general. I am doing it thusly :

private static final SecureRandom RANDOM = new SecureRandom();
private static final int FILENAMElENGTH = 73; // a guess
private static String nextId() { // synchronized ?
    return new BigInteger(FILENAMElENGTH, RANDOM).toString(32);
} // https://stackoverflow.com/a/41156/281545

Questions :

Are there pros and cons in storing the files with the session id + a timestamp ? Pros as in use this info later and cons as in security
Are there any standard (see servlet API or Java) way of generating a name ? Any standard practices ? Any container specific tips (glassfish and tomcat)

I understand that keeping the original filename, the username etc can lead to security holes

It all depends on what you're doing with these names. If you make the image public and it contains a user's session ID, then obviously anybody can get the session ID of another user and impersonate him. You could simply use a database sequence, and/or hash the contents of the file to generate unique names. Random is also fine, except it's random, and thus doesn't offer strong guarantees of uniqueness. — JB Nizet
@JBNizet: Are there any standard practices ? Like a method in the api ? What's a db sequence ? My use is save the picture and then display it via <img src="${sessionScope.photo.path}" /> things (which indeed display the session - ooops!) — Mr_and_Mrs_D
A db sequence is a database sequence. A database sequence is like a counter, but which is persistent, and can be shared by several threads or even applications, and will restart at the last value even if you shut down and restart your application. You ask the database for the next value, and it returns it. It's typically used to generate primary key values. No, there is no single standard practice to do what you want. — JB Nizet
@JBNizet: Could you post some code for getting such a sequence - say JDBC/MySQL (in an answer :) — Mr_and_Mrs_D
Unfortunately, MySQL doesn't have sequences. You can emulate them with auto_increment columns though. Google is your friend: "MySQL sequences". — JB Nizet

Mr_and_Mrs_D Mr_and_Mrs_D · Accepted Answer · 2013-11-07T14:15:29

static File getImageFile() throws IOException {
    return File.createTempFile("upload_", ".jpg", new File(upload_path));
}

// String filename = getImageFile().getName();

This is guaranteed to be unique (docs) - and it is not a tmp file at all (provided you have control to the upload_path, which must be a path to an existing directory (although the docs are not explicit about this)).

Obviously you should have a better way to specify the extension but this is another question.

No session ids, user input etc.

Got the idea from a BalusC blog post :

It is necessary to know the file upload location in the MultipartMap as well, because we can then make use of File#createTempFile() to create files with an unique filename to avoid them being overwritten by another file with a (by coincidence) same name. Once you have the uploaded file at hands in the servlet or bean, you can always make use of File#renameTo() to do a fast rename/move.

Notice that createTempFile used to be rather insecure before Java 6.11 (see here for an exposition and here for a general exposition of tmp files security). Also see this SO question - there is a window of vulnerability between file creation and opening. These issues however have nothing to do with filenames - still createTempFile is the only way to guarantee uniqueness (I hope you are using latest JDK, to avoid the predictable filenames createTempFile suffered from).

servlets - choose a filename for uploaded files

2 Answers