
修复社区版上传可能存在XSS问题

wkeyuan 2 년 전
부모
커밋
5bad719774

+ 8 - 1
pom.xml

@@ -10,7 +10,7 @@
     </parent>
     <groupId>net.diaowen</groupId>
     <artifactId>dwsurvey-oss-vue</artifactId>
-    <version>v.5.3.0-Beta</version>
+    <version>v.5.4.0-Beta</version>
     <packaging>jar</packaging>
     <name>dwsurvey</name>
     <description>DWSurvey project for Spring Boot</description>
@@ -331,6 +331,13 @@
             <version>1.21</version>
         </dependency>
 
+        <!-- https://mvnrepository.com/artifact/org.apache.tika/tika-core -->
+        <dependency>
+            <groupId>org.apache.tika</groupId>
+            <artifactId>tika-core</artifactId>
+            <version>2.4.1</version>
+        </dependency>
+
     </dependencies>
 
     <build>
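Review bot: The new tika-core 2.4.1 coordinate pins a library that, per the other files in this commit, will now be fed every uploaded byte before any other check runs, so its version should be tracked like the rest of the security-sensitive dependencies; consider a `<tika.version>2.4.1</tika.version>` property and `<version>${tika.version}</version>` so bumps happen in one place. Pulling in only tika-core (MIME/magic detection, no parser modules) keeps the exposed surface small; keep it that way and do not add tika-parsers for this check.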

+ 1 - 0
src/main/java/com/baidu/ueditor/ActionEnter.java

@@ -91,6 +91,7 @@ public class ActionEnter {
 				break;
 
 		}
+		System.out.println("upload state:"+state.toJSONString());
 
 		return state.toJSONString();
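Review bot: The added `System.out.println("upload state:"+state.toJSONString())` is a debug print to stdout that will run on every upload in production and bypasses the logging configuration the rest of this commit uses (UploadController logs through SLF4J). Replace it with a debug-level logger call, e.g. `private static final Logger log = LoggerFactory.getLogger(ActionEnter.class);` and `log.debug("upload state: {}", state.toJSONString());`, or drop it before merge. The state JSON carries whatever the upload handlers put into the info map (paths and original names, judging by BaseState), which should not land unfiltered in stdout. The enclosing method starts before this hunk.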
 

+ 37 - 20
src/main/java/com/baidu/ueditor/define/BaseState.java

@@ -1,5 +1,6 @@
 package com.baidu.ueditor.define;
 
+import java.io.File;
 import java.util.HashMap;
 import java.util.Iterator;
 import java.util.Map;
@@ -10,67 +11,74 @@ public class BaseState implements State {
 
 	private boolean state = false;
 	private String info = null;
-	
+
 	private Map<String, String> infoMap = new HashMap<String, String>();
-	
+
 	public BaseState () {
 		this.state = true;
 	}
-	
+
 	public BaseState ( boolean state ) {
 		this.setState( state );
 	}
-	
+
 	public BaseState ( boolean state, String info ) {
 		this.setState( state );
 		this.info = info;
 	}
-	
+
 	public BaseState ( boolean state, int infoCode ) {
 		this.setState( state );
 		this.info = AppInfo.getStateInfo( infoCode );
 	}
-	
+
+	public BaseState ( boolean state, int infoCode , File tempFile) {
+		this.setState( state );
+		this.info = AppInfo.getStateInfo( infoCode );
+		this.tmpFile = tempFile;
+	}
+
+
 	public boolean isSuccess () {
 		return this.state;
 	}
-	
+
 	public void setState ( boolean state ) {
 		this.state = state;
 	}
-	
+
 	public void setInfo ( String info ) {
 		this.info = info;
 	}
-	
+
 	public void setInfo ( int infoCode ) {
 		this.info = AppInfo.getStateInfo( infoCode );
 	}
-	
+
 	@Override
 	public String toJSONString() {
 		return this.toString();
 	}
-	
+
 	public String toString () {
-		
+
 		String key = null;
 		String stateVal = this.isSuccess() ? AppInfo.getStateInfo( AppInfo.SUCCESS ) : this.info;
-		
+
 		StringBuilder builder = new StringBuilder();
-		
+
 		builder.append( "{\"state\": \"" + stateVal + "\"" );
-		
+
 		Iterator<String> iterator = this.infoMap.keySet().iterator();
-		
+
 		while ( iterator.hasNext() ) {
-			
+
 			key = iterator.next();
-			
+
 			builder.append( ",\"" + key + "\": \"" + this.infoMap.get(key) + "\"" );
-			
+
 		}
-		
+
 		builder.append( "}" );
 
 		return Encoder.toUnicode( builder.toString() );
@@ -87,4 +95,13 @@ public class BaseState implements State {
 		this.putInfo(name, val+"");
 	}
 
+	private File tmpFile;
+
+	public File getTmpFile() {
+		return tmpFile;
+	}
+
+	public void setTmpFile(File tmpFile) {
+		this.tmpFile = tmpFile;
+	}
 }
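Review bot: The new `BaseState(boolean, int, File)` constructor and the `tmpFile` field hand a filesystem path to the caller without saying who is responsible for deleting it, and the StorageManager changes in this same commit already handle that inconsistently; document it on the field, e.g. `/** Temp file holding the already-validated upload; the caller must move or delete it. */`, and declare the field next to the other fields rather than after the methods. Unrelated to the added lines but visible in the hunk: `toString()` still splices `infoMap` values into the JSON by string concatenation, so a value containing a double quote yields malformed JSON. Whether `Encoder.toUnicode` escapes quotes is not visible here; if it does not, a proper JSON escaper for the values would be the safer choice in a commit whose purpose is an XSS fix.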

+ 46 - 56
src/main/java/com/baidu/ueditor/upload/StorageManager.java

@@ -6,6 +6,7 @@ import com.baidu.ueditor.define.State;
 
 import java.io.*;
 
+import net.diaowen.common.plugs.file.FileMagicUtils;
 import org.apache.commons.io.FileUtils;
 
 public class StorageManager {
@@ -15,6 +16,11 @@ public class StorageManager {
 	}
 
 	public static State saveBinaryFile(byte[] data, String path) {
+
+		if(!FileMagicUtils.isUserUpFileType(data,path.substring(path.lastIndexOf(".")))){
+			return new BaseState(false, AppInfo.NOT_ALLOW_FILE_TYPE);
+		}
+
 		File file = new File(path);
 
 		State state = valid(file);
@@ -30,6 +36,7 @@ public class StorageManager {
 			bos.flush();
 			bos.close();
 		} catch (IOException ioe) {
+			ioe.printStackTrace();
 			return new BaseState(false, AppInfo.IO_ERROR);
 		}
 
@@ -41,71 +48,28 @@ public class StorageManager {
 
 	public static State saveFileByInputStream(InputStream is, String path,
 			long maxSize) {
-		State state = null;
-
-		File tmpFile = getTmpFile();
-
-		byte[] dataBuf = new byte[ 2048 ];
-		BufferedInputStream bis = new BufferedInputStream(is, StorageManager.BUFFER_SIZE);
-
-		try {
-			BufferedOutputStream bos = new BufferedOutputStream(
-					new FileOutputStream(tmpFile), StorageManager.BUFFER_SIZE);
-
-			int count = 0;
-			while ((count = bis.read(dataBuf)) != -1) {
-				bos.write(dataBuf, 0, count);
-			}
-			bos.flush();
-			bos.close();
-
-			if (tmpFile.length() > maxSize) {
-				tmpFile.delete();
-				return new BaseState(false, AppInfo.MAX_SIZE);
-			}
-
+		BaseState validateState = isUserUpFileType(is,path.substring(path.lastIndexOf(".")));
+		if(!validateState.isSuccess()) return validateState;
+		State state = new BaseState(false, AppInfo.IO_ERROR);
+		File tmpFile = validateState.getTmpFile();
+		if(tmpFile!=null){
 			state = saveTmpFile(tmpFile, path);
-
-			if (!state.isSuccess()) {
-				tmpFile.delete();
-			}
-
+			tmpFile.delete();
 			return state;
-
-		} catch (IOException e) {
 		}
-		return new BaseState(false, AppInfo.IO_ERROR);
+		return state;
 	}
 
 	public static State saveFileByInputStream(InputStream is, String path) {
-		State state = null;
-
-		File tmpFile = getTmpFile();
-
-		byte[] dataBuf = new byte[ 2048 ];
-		BufferedInputStream bis = new BufferedInputStream(is, StorageManager.BUFFER_SIZE);
-
-		try {
-			BufferedOutputStream bos = new BufferedOutputStream(
-					new FileOutputStream(tmpFile), StorageManager.BUFFER_SIZE);
-
-			int count = 0;
-			while ((count = bis.read(dataBuf)) != -1) {
-				bos.write(dataBuf, 0, count);
-			}
-			bos.flush();
-			bos.close();
-
+		BaseState validateState = isUserUpFileType(is,path.substring(path.lastIndexOf(".")));
+		if(!validateState.isSuccess()) return validateState;
+		State state = new BaseState(false, AppInfo.IO_ERROR);
+		File tmpFile = validateState.getTmpFile();
+		if(tmpFile!=null){
 			state = saveTmpFile(tmpFile, path);
-
-			if (!state.isSuccess()) {
-				tmpFile.delete();
-			}
-
 			return state;
-		} catch (IOException e) {
 		}
-		return new BaseState(false, AppInfo.IO_ERROR);
+		return state;
 	}
 
 	private static File getTmpFile() {
@@ -124,6 +88,7 @@ public class StorageManager {
 		try {
 			FileUtils.moveFile(tmpFile, targetFile);
 		} catch (IOException e) {
+			e.printStackTrace();
 			return new BaseState(false, AppInfo.IO_ERROR);
 		}
 
@@ -148,4 +113,29 @@ public class StorageManager {
 		return new BaseState(true);
 	}
 
+	public static BaseState isUserUpFileType(InputStream is,String fileSuffix) {
+		File tmpFile = getTmpFile();
+		byte[] dataBuf = new byte[ 2048 ];
+		BufferedInputStream bis = new BufferedInputStream(is, StorageManager.BUFFER_SIZE);
+		try {
+			BufferedOutputStream bos = new BufferedOutputStream(
+					new FileOutputStream(tmpFile), StorageManager.BUFFER_SIZE);
+			int count = 0;
+			while ((count = bis.read(dataBuf)) != -1) {
+				bos.write(dataBuf, 0, count);
+			}
+			bis.close();
+			bos.flush();
+			bos.close();
+			if(!FileMagicUtils.isUserUpFileType(tmpFile,fileSuffix)){
+				tmpFile.delete();
+				return new BaseState(false, AppInfo.NOT_ALLOW_FILE_TYPE);
+			}
+//			tmpFile.delete();
+		} catch (IOException e) {
+			e.printStackTrace();
+			return new BaseState(false, AppInfo.IO_ERROR);
+		}
+		return new BaseState(true, AppInfo.SUCCESS, tmpFile);
+	}
 }
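Review bot: `saveFileByInputStream(is, path, maxSize)` no longer enforces `maxSize`: the old `tmpFile.length() > maxSize` check was removed together with the copy loop and nothing in the new `isUserUpFileType` replaces it, so the parameter is dead and an oversized upload is accepted; restore it once the temp file is obtained, `if (tmpFile.length() > maxSize) { tmpFile.delete(); return new BaseState(false, AppInfo.MAX_SIZE); }`. The suffix extraction `path.substring(path.lastIndexOf("."))` in `saveBinaryFile` and both `saveFileByInputStream` overloads throws StringIndexOutOfBoundsException when the path has no dot, so guard it (`int dot = path.lastIndexOf('.'); if (dot < 0) return new BaseState(false, AppInfo.NOT_ALLOW_FILE_TYPE);`). The two-argument overload never deletes the temp file when `saveTmpFile` fails (the three-argument one does), and `isUserUpFileType` leaves `bos` open when an IOException escapes; try-with-resources on `bis`/`bos` plus a delete in the failure path closes both leaks. Note the whole stream is spooled to disk before any type check runs, so the size limit is the only thing bounding that write.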

+ 102 - 0
src/main/java/net/diaowen/common/plugs/file/FileMagic.java

@@ -0,0 +1,102 @@
+package net.diaowen.common.plugs.file;
+
+
+public enum  FileMagic {
+    JPG("JPG",".jpg"),//JPEG
+    JPEG("JPEG",".jpeg"),//JPEG
+    PNG("PNG",".png"),//PNG
+    GIF("GIF",".gif"),//GIF
+    TIFF("TIF",".tif"),//TIFF
+    BMP("BMP",".bmp"),//Windows bitmap
+    DWG("DWG", ".dwg"),//CAD
+    PSD("PSD", ".psd"),//Adobe Photoshop
+    RTF("RTF", ".rtf"),//Rich Text Format
+    TXT("TXT", ".txt"),//txt
+    XML("XML", ".xml"),//XML
+    HTML("HTML", ".html"),//HTML
+    EML("EML", ".eml"),//Email
+    DBX("DBX", ".dbx"),//Outlook Express
+    OLE2("OLE2",".doc,.xls,.dot,.ppt,.xla,.ppa,.pps,.pot,.msi,.sdw,.db"),//
+    PPT("PPT", ".ppt"),//Microsoft 2003 Word
+    XLS("XLS", ".xls"),//Microsoft 2003 Word
+    DOC("DOC", ".doc"),//Microsoft 2003 Excel
+    PPTX("PPTX", ".pptx"),//Microsoft 2007 ppt
+    DOCX("DOCX", ".docx"),//Microsoft 2007 Word
+    XLSX("XLSX", ".xlsx"),//Microsoft 2007 Excel
+    MDB("MDB",".mdb"),//Microsoft Acces
+    WPB("WPB", ".wpd"),//Word Perfect
+    EPS("EPS", ".eps"),//Postscript
+    PS("PS", ".ps"),//Postscript
+    PDF("PDF", ".pdf"),//Adobe Acrobat
+    QDF("qdf", ".qdf"),//Quicken
+    QDB("qbb", ".qdb"),//QuickBooks Backup
+    PWL("PWL", ".pwl"),//Windows Password
+    ZIP("ZIP", ".zip"),//ZIP
+    RAR("RAR", ".rar"),//ARAR Archive
+    Z7Z("7Z", ".7z"),//ARAR Archive
+    WAV("WAV", ".wav"),//WAVE
+    AVI("AVI", ".avi"),//AVI
+    RAM("RAM", ".ram"),//Real Audio
+    RM("RM", ".rm"),//Real Media
+    RMVB("RMVB", ".rmvb"),//Real Media
+    MPG("MPG", ".mpg"),//MPEG
+    MOV("MOV", ".mov"),//Quicktime
+    ASF("ASF", ".asf"),//Windows Media
+    ARJ("ARJ", ".arj"),//ARJ Archive
+    MID("MID", ".mid"),//MIDI
+    MP4("MP4", ".mp4"),//MP4
+    MP3("MP3", ".mp3"),//MP3
+    FLV("FLV", ".flv"),//FLV
+    GZ("GZ", ".gz"),//
+    CSS("CSS", ".css"),//CSS
+    JS("JS", ".js"),//JS
+    VSD("VSD", ".vsd"),//Visio
+    WPS("WPS", ".wps,.et,.dps"),//WPS
+    TORRENT("TORRENT", ".torrent"),
+    JSP("JSP", ".jsp"),//JSP
+    JAVA("JAVA", ".java"),//JAVA
+    CLASS("CLASS", ".class"),//CLASS
+    JAR("JAR", ".jar"),//JAR
+    MF("MF", ".mf"),//MF
+    EXE("EXE", ".exe"),//EXE
+    ELF("ELF", ".elf"),//ELF
+    WK1("WK1", ".wk1"),//Lotus 123 v1
+    WK3("WK3", ".vk3"),//Lotus 123 v3
+    WK4("WK4", ".vk4"),//Lotus 123 v4
+    LWP("LWP", ".lwp"),//Lotus WordPro v9
+    SLY("SLY", ".sly,.srt,.slt,.sly"),
+    UNKNOWN("", "","");
+
+    static final int MAX_PATTERN_LENGTH = 44;
+
+    //文件类型
+    private String fileType;
+    //文件类型对应的魔数, 留着自定义补充验证类型用
+    private String fileMagicCode;
+    //文件后缀
+    private String fileSuffix;
+
+    private FileMagic(String fileType,String fileSuffix) {
+        this.fileType = fileType;
+        this.fileSuffix = fileSuffix;
+    }
+
+    private FileMagic(String fileType,String fileMagicCode,String fileSuffix) {
+        this.fileType = fileType;
+        this.fileMagicCode = fileMagicCode;
+        this.fileSuffix = fileSuffix;
+    }
+
+    public String getFileType() {
+        return fileType;
+    }
+
+    public String getFileMagicCode() {
+        return fileMagicCode;
+    }
+
+    public String getFileSuffix() {
+        return fileSuffix;
+    }
+
+}

+ 112 - 0
src/main/java/net/diaowen/common/plugs/file/FileMagicUtils.java

@@ -0,0 +1,112 @@
+package net.diaowen.common.plugs.file;
+
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+
+public class FileMagicUtils {
+
+    //非登录用户能够上传的文件类型
+    public static FileMagic[] anonUpFileType() {
+        return new FileMagic[]{FileMagic.PNG,FileMagic.JPG,FileMagic.JPEG,FileMagic.GIF,
+                FileMagic.TXT,FileMagic.PDF,
+                FileMagic.XLSX,FileMagic.XLS,FileMagic.DOC,FileMagic.DOCX,FileMagic.PPT,FileMagic.PPTX,
+                FileMagic.ZIP,FileMagic.RAR,FileMagic.Z7Z};
+    }
+
+    //登录用户能够上传的文件类型
+    public static FileMagic[] userUpFileType() {
+        return new FileMagic[]{FileMagic.PNG,FileMagic.JPG,FileMagic.JPEG,FileMagic.GIF,
+                FileMagic.TXT,FileMagic.PDF,
+                FileMagic.XLSX,FileMagic.XLS,FileMagic.DOC,FileMagic.DOCX,FileMagic.PPT,FileMagic.PPTX,
+                FileMagic.ZIP,FileMagic.RAR,FileMagic.Z7Z};
+    }
+
+    //根据文件获取对应的文件类型
+    public static FileMagic getFileMagic(File inp, String fileSuffix) throws Exception {
+        FileInputStream fis = new FileInputStream(inp);
+        return getFileMagic(fis,fileSuffix);
+    }
+
+    //切换到使用最新的tika验测
+    public static FileMagic getFileMagic(byte[] bytes,String fileName) throws IOException{
+        String mineType = TikaFileUtils.mimeType(bytes,fileName);
+        if(mineType!=null){
+            FileMagic[] fileMagics = FileMagic.values();
+            int fileMagicLength = fileMagics.length;
+            for(int i = 0; i < fileMagicLength; ++i) {
+                FileMagic fm = fileMagics[i];
+                String fileSuffix = fm.getFileSuffix().toLowerCase();
+                if (fileSuffix.indexOf(mineType.toLowerCase())>=0) {
+                    return fm;
+                }
+            }
+        }
+        return FileMagic.UNKNOWN;
+    }
+
+    //切换到使用最新的tika验测
+    public static FileMagic getFileMagic(InputStream fis, String fileName) throws IOException{
+        String mineType = TikaFileUtils.mimeType(fis,fileName);
+        if(mineType!=null){
+            FileMagic[] fileMagics = FileMagic.values();
+            int fileMagicLength = fileMagics.length;
+            for(int i = 0; i < fileMagicLength; ++i) {
+                FileMagic fm = fileMagics[i];
+                String fileSuffix = fm.getFileSuffix().toLowerCase();
+                if (fileSuffix.indexOf(mineType.toLowerCase())>=0) {
+                    return fm;
+                }
+            }
+        }
+        return FileMagic.UNKNOWN;
+    }
+
+    public static boolean isUserUpFileType(byte[] bytes, String suffix) {
+        try {
+            FileMagic fileMagic = getFileMagic(bytes,suffix);
+            if (isUserUpFileMagic(fileMagic)) return true;
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+        return false;
+    }
+
+    public static boolean isUserUpFileType(File file, String suffix) {
+        try {
+            FileMagic fileMagic = getFileMagic(file,suffix);
+            if (isUserUpFileMagic(fileMagic)) return true;
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+        return false;
+    }
+
+    public static boolean isUserUpFileType(InputStream inputStream, String suffix) {
+        try {
+            FileMagic fileMagic = getFileMagic(inputStream,suffix);
+            if (isUserUpFileMagic(fileMagic)) return true;
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+        return false;
+    }
+
+    /**
+     * 判断是否在登录用户可上传白名单
+     * @param fileMagic
+     * @return
+     */
+    public static boolean isUserUpFileMagic(FileMagic fileMagic) {
+        FileMagic[] fileMagics = userUpFileType();
+        for (FileMagic magic:fileMagics) {
+            if(magic == fileMagic){
+                return true;
+            }
+        }
+        return false;
+    }
+
+}

+ 68 - 0
src/main/java/net/diaowen/common/plugs/file/TikaFileUtils.java

@@ -0,0 +1,68 @@
+package net.diaowen.common.plugs.file;
+
+import com.alibaba.fastjson.JSON;
+import org.apache.tika.Tika;
+import org.apache.tika.mime.MimeType;
+import org.apache.tika.mime.MimeTypeException;
+import org.apache.tika.mime.MimeTypes;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.List;
+
+public class TikaFileUtils {
+
+    public static String mimeType(byte[] bytes, String suffix) {
+        try {
+            Tika tika = new Tika();
+            String mimeTypeStr = tika.detect(bytes,suffix);
+            return getMimeType(mimeTypeStr, suffix);
+        } catch (MimeTypeException e) {
+            e.printStackTrace();
+        }
+        return null;
+    }
+
+    public static String mimeType(InputStream inputStream, String suffix) {
+        try {
+            Tika tika = new Tika();
+            String mimeTypeStr = tika.detect(inputStream,suffix);
+            return getMimeType(mimeTypeStr, suffix);
+        } catch (IOException e) {
+            e.printStackTrace();
+        } catch (MimeTypeException e) {
+            e.printStackTrace();
+        }
+        return null;
+    }
+
+    private static String getMimeType(String mimeTypeStr, String suffix) throws MimeTypeException {
+        MimeTypes mimeTypes = MimeTypes.getDefaultMimeTypes();
+        MimeType mimeType = mimeTypes.forName(mimeTypeStr);
+        if(mimeType.getExtensions().stream().anyMatch(ext -> ext.equals(suffix))){
+            return suffix;
+        }
+        return null;
+    }
+
+    public static String getMimeType(InputStream inputStream, String suffix) {
+        try {
+            Tika tika = new Tika();
+            String mimeTypeStr = tika.detect(inputStream,suffix);
+            return getMimeType(mimeTypeStr);
+        } catch (IOException e) {
+            e.printStackTrace();
+        } catch (MimeTypeException e) {
+            e.printStackTrace();
+        }
+        return null;
+    }
+
+    private static String getMimeType(String mimeTypeStr) throws MimeTypeException {
+        MimeTypes mimeTypes = MimeTypes.getDefaultMimeTypes();
+        MimeType mimeType = mimeTypes.forName(mimeTypeStr);
+        List<String> list = mimeType.getExtensions();
+        return JSON.toJSONString(list);
+    }
+
+}

+ 53 - 31
src/main/java/net/diaowen/dwsurvey/controller/UploadController.java

@@ -1,10 +1,15 @@
 package net.diaowen.dwsurvey.controller;
 
+import net.diaowen.common.plugs.file.FileMagic;
+import net.diaowen.common.plugs.file.FileMagicUtils;
+import net.diaowen.common.plugs.file.TikaFileUtils;
 import net.diaowen.common.plugs.httpclient.HttpResult;
 import net.diaowen.common.utils.RandomUtils;
 import net.diaowen.dwsurvey.config.DWSurveyConfig;
 import net.diaowen.dwsurvey.common.FileMeta;
 import net.diaowen.dwsurvey.common.UpFileResult;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.stereotype.Controller;
 import org.springframework.util.FileCopyUtils;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -24,7 +29,7 @@ import java.util.*;
 @Controller
 @RequestMapping("/api/dwsurvey/up")
 public class UploadController {
-
+    private final Logger logger = LoggerFactory.getLogger(getClass());
     /**
      * 上传文件数据,安全存储
      * /WebRoot/WEB-INF/upfile
@@ -80,6 +85,12 @@ public class UploadController {
                 MultipartFile file = multiRequest.getFile(iter.next());
                 if(file != null){
 
+                    FileMagic fileMagic = FileMagicUtils.getFileMagic(file.getInputStream(),file.getOriginalFilename().substring(file.getOriginalFilename().lastIndexOf(".")));
+                    if(!FileMagicUtils.isUserUpFileMagic(fileMagic)) {
+                        logger.warn("不支持类型 {} {}", fileMagic, file.getOriginalFilename());
+                        return HttpResult.FAILURE_MSG("不支持类型或类型不一致,实际类型为"+ TikaFileUtils.getMimeType(file.getInputStream(),file.getOriginalFilename().substring(file.getOriginalFilename().lastIndexOf("."))));
+                    }
+
                     //取得当前上传文件的文件名称
                     String myFileName = file.getOriginalFilename();
                     //如果名称不为“”,说明该文件存在,否则说明该文件不存在
@@ -147,44 +158,55 @@ public class UploadController {
             dirFile.mkdirs();
         }
 
-        //1. build an iterator
-        Iterator<String> itr =  request.getFileNames();
-        MultipartFile mpf = null;
+        try{
+            //1. build an iterator
+            Iterator<String> itr =  request.getFileNames();
+            MultipartFile mpf = null;
 
-        //2. get each file
-        while(itr.hasNext()){
+            //2. get each file
+            while(itr.hasNext()){
 
-            //2.1 get next MultipartFile
-            mpf = request.getFile(itr.next());
+                //2.1 get next MultipartFile
+                mpf = request.getFile(itr.next());
 
-            //2.2 if files > 10 remove the first from the list
-            if(files.size() >= 10)
-                files.pop();
+                FileMagic fileMagic = FileMagicUtils.getFileMagic(mpf.getInputStream(),mpf.getOriginalFilename().substring(mpf.getOriginalFilename().lastIndexOf(".")));
+                if(!FileMagicUtils.isUserUpFileMagic(fileMagic)) {
+                    logger.warn("不支持类型 {} {}", fileMagic, mpf.getOriginalFilename());
+//                    return HttpResult.FAILURE_MSG("不支持类型或类型不一致,实际类型为"+ TikaFileUtils.getMimeType(mpf.getInputStream(),mpf.getOriginalFilename().substring(mpf.getOriginalFilename().lastIndexOf("."))));
+                    return files;
+                }
 
-            String fileName = mpf.getOriginalFilename();
-            fileName = fileName.toLowerCase();//6S兼容
-            String newFileName = rendomFileName(mpf);
+                //2.2 if files > 10 remove the first from the list
+                if(files.size() >= 10)
+                    files.pop();
 
-            //2.3 create new fileMeta
-            fileMeta = new FileMeta();
-            fileMeta.setFileName(fileName);
-            fileMeta.setNewFileName(newFileName);
-            fileMeta.setFileSize(mpf.getSize()/1024+" Kb");
-            fileMeta.setFileType(mpf.getContentType());
+                String fileName = mpf.getOriginalFilename();
+                fileName = fileName.toLowerCase();//6S兼容
+                String newFileName = rendomFileName(mpf);
 
-            try {
+                //2.3 create new fileMeta
+                fileMeta = new FileMeta();
+                fileMeta.setFileName(fileName);
+                fileMeta.setNewFileName(newFileName);
+                fileMeta.setFileSize(mpf.getSize()/1024+" Kb");
+                fileMeta.setFileType(mpf.getContentType());
+
+                try {
 //                fileMeta.setBytes(mpf.getBytes());
-                String filePath = savePath + newFileName;
-                fileMeta.setFilePath(filePath);
-                // copy file to local disk (make sure the path "e.g. D:/temp/files" exists)
-                FileCopyUtils.copy(mpf.getBytes(), new FileOutputStream(rootPath+filePath));
-
-            } catch (IOException e) {
-                // TODO Auto-generated catch block
-                e.printStackTrace();
+                    String filePath = savePath + newFileName;
+                    fileMeta.setFilePath(filePath);
+                    // copy file to local disk (make sure the path "e.g. D:/temp/files" exists)
+                    FileCopyUtils.copy(mpf.getBytes(), new FileOutputStream(rootPath+filePath));
+
+                } catch (IOException e) {
+                    // TODO Auto-generated catch block
+                    e.printStackTrace();
+                }
+                //2.4 add to files
+                files.add(fileMeta);
             }
-            //2.4 add to files
-            files.add(fileMeta);
+        }catch (Exception e){
+            e.printStackTrace();
         }
         // result will be like this
         // [{"fileName":"app_engine-85x77.png","fileSize":"8 Kb","fileType":"image/png"},...]