The servlet engine only reads the uploaded byte stream and hands it to the servlet code (which presumably does nothing more than save it to disk). So I don't think there is much potential for trouble there.
If you want to make sure that it is a valid image file you'd have to try to open it, using javax.imageio.ImageIO or something similar, which is more problematic. You could do that under a ClassLoader and SecurityManager that implement very tight permissions (nothing more than reading a file from the directory where you store the uploaded files).
Ping & DNS - updated with new look and Ping home screen widget
wai meng chan
Joined: Jul 17, 2008
actually will need to process gif files which will be displayed on web page. Anyway to validate file types to be only gif files when they uploaded? [ July 28, 2008: Message edited by: wai meng chan ]
If you really want to check for virusues, you can delegate to the host machine for this. If the server your servlet container is on has an on access virus scanner, it is easy enough to persist the uploaded file to disk then read it back. If the virus scanner quarentines the file, you will not be able to read it. Its tricky to convey to the client what has gone wrong this way however. [ July 28, 2008: Message edited by: Paul Sturrock ]