Fix BLOB insert from URL failing on root context-path#1119
Merged
iroqueta merged 2 commits intoJun 3, 2026
Conversation
When inserting a record whose BLOB/multimedia attribute is set from a URL,
setBLOBFile/setGXDbFileURI tried to strip the servlet context path from the
temp file name. For apps deployed at the root context-path ("/"),
getContextPath() returns "" (per servlet spec), so:
- fileName.startsWith("") is always true
- replaceFirst("","").substring(1) / substring(0+1) strips the first
character of the path (e.g. "PublicTempStorage\..." -> "ublicTempStorage\...")
The corrupted path is not found when the blob is read back, throwing
SQLException("The filename does not exists in url ...") and aborting the insert.
Guard the prefix strip so it only runs when the context path is non-empty
and the file name actually starts with it.
Also harden GXDBMSpostgresql error classification: ObjectLocked/
DuplicateKeyValue/ObjectNotFound called getSQLState()/getMessage().toLowerCase()
without a null check. A SQLException with a null SQLState (such as the one
above, built via new SQLException(msg)) caused a NullPointerException in the
error handler, masking the real error. Use null-safe helpers.
Collaborator
Cherry pick to beta success |
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
replaceFirst() treats its argument as a regular expression, so using the context path as the pattern could misbehave if it contained regex metacharacters (flagged by CodeQL as regular expression injection). Since fileName.startsWith(ctxPath) is already checked, remove the prefix with a literal substring(ctxPath.length() + 1), matching what the non-web branch already does.
Collaborator
Cherry pick to beta success |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
Inserting a record whose BLOB / multimedia attribute is set from a URL fails on apps deployed at the root context-path (
/).When binding the parameters,
setBLOBFile/setGXDbFileURItry to strip the servlet context path from the temp file name. For a root-context app,getContextPath()returns""(per servlet spec), so:fileName.startsWith("")is alwaystruereplaceFirst("", "").substring(1)(andsubstring(0 + 1)) strips the first character of the pathPublicTempStorage\3840px-rialto.jpg→ublicTempStorage\3840px-rialto.jpgThe corrupted path can't be found when the blob is read back, throwing
SQLException("The filename does not exists in url ...")and aborting the insert.The real error was additionally masked by a
NullPointerException:GXDBMSpostgresqlclassifies the SQLException viagetSQLState().toLowerCase()/getMessage().toLowerCase()without a null check, and the SQLException above (built withnew SQLException(msg)) has anullSQLState — so the error handler threw an NPE instead of surfacing the real message.Changes
GXPreparedStatement.java—setBLOBFile/setGXDbFileURIGXDBMSpostgresql.java—ObjectLocked/DuplicateKeyValue/ObjectNotFoundsafeSQLState(e)/safeMessage(e)helpers so a SQLException with anullSQLState/message no longer triggers an NPE in the error classifier (which was hiding the real error).How to reproduce
/).The filename does not exists in url ublicTempStorage\...(note the stripped first character).