IMPORTANT: The following problem has been fixed in Struts version
2.3.24.From that version on, there is no need to escape any character.
Read more: JIRA Issue WW-4457.
I've configured the Struts2 FileUpload Interceptor to allow a whitelist of Content-Types.
This works correctly with any file matching the Content-Type specified, but it doesn't work with SVG files, which have MIME media type image/svg+xml.
Using this configuration:
@Action(value = "upload",
interceptorRefs = @InterceptorRef(
value = "defaultStack",
params = { "fileUpload.allowedTypes" , "application/pdf,"
+ "image/jpeg,"
+ "image/gif,"
+ "image/png,"
+ "image/svg+xml"
}))
and uploading a valid SVG file, I get the error message defined by the struts.messages.error.content.type.not.allowed property:
Content-Type not allowed: {0} "{1}" "{2}" {3}
where {3} is the Content-Type that the user is trying to upload;
Then for example:
Content-Type not allowed: myFile "Sample.svg" "upload__123__456__78.tmp" image/svg+xml
That is exactly the same Content-Type I defined in the allowedTypes whitelist.
Note that I use the regex Pattern Matcher, enabled with the following constant in struts.xml :
<constant name="struts.patternMatcher" value="regex" />
Why isn't it working, and how to make it work ?
The fileUpload interceptor uses PatternMatcher to check for allowed mime types. By default S2 uses WildcardHelper pattern matcher which will work with image/svg+xml.
By changing default pattern matcher to regex the fileUpload interceptor starts checking allowed types with regular expressions. And + is a special character in regex, so it must be escaped like that image/svg\\+xml in order to work.
Note: Changing default pattern matcher in this case introduces unexpected behavior and maybe should be reported as a bug.