DecodeServlet.java
/*
* Copyright 2008 ZXing authors
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package com.google.zxing.web;
import com.google.zxing.BarcodeFormat;
import com.google.zxing.BinaryBitmap;
import com.google.zxing.ChecksumException;
import com.google.zxing.DecodeHintType;
import com.google.zxing.FormatException;
import com.google.zxing.LuminanceSource;
import com.google.zxing.MultiFormatReader;
import com.google.zxing.NotFoundException;
import com.google.zxing.Reader;
import com.google.zxing.ReaderException;
import com.google.zxing.Result;
import com.google.zxing.client.j2se.BufferedImageLuminanceSource;
import com.google.zxing.client.j2se.ImageReader;
import com.google.zxing.common.GlobalHistogramBinarizer;
import com.google.zxing.common.HybridBinarizer;
import com.google.zxing.multi.GenericMultipleBarcodeReader;
import com.google.zxing.multi.MultipleBarcodeReader;
import com.google.common.io.Resources;
import com.google.common.net.HttpHeaders;
import com.google.common.net.MediaType;
import java.awt.image.BufferedImage;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStreamWriter;
import java.io.Writer;
import java.net.HttpURLConnection;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.EnumMap;
import java.util.EnumSet;
import java.util.Locale;
import java.util.Map;
import java.util.ResourceBundle;
import java.util.Timer;
import java.util.concurrent.TimeUnit;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.regex.Pattern;
import javax.imageio.ImageIO;
import jakarta.servlet.RequestDispatcher;
import jakarta.servlet.ServletConfig;
import jakarta.servlet.ServletContext;
import jakarta.servlet.ServletException;
import jakarta.servlet.annotation.MultipartConfig;
import jakarta.servlet.annotation.WebInitParam;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.Part;
/**
* {@link HttpServlet} which decodes images containing barcodes. Given a URL, it will
* retrieve the image and decode it. It can also process image files uploaded via POST.
*
* @author Sean Owen
*/
@MultipartConfig(
maxFileSize = 1L << 26, // ~64MB
maxRequestSize = 1L << 26, // ~64MB
fileSizeThreshold = 1 << 23, // ~8MB
location = "/tmp")
@WebServlet(value = "/w/decode", loadOnStartup = 1, initParams = {
@WebInitParam(name = "maxAccessPerTime", value = "120"),
@WebInitParam(name = "accessTimeSec", value = "120"),
@WebInitParam(name = "maxEntries", value = "100000")
})
public final class DecodeServlet extends HttpServlet {
private static final Logger log = Logger.getLogger(DecodeServlet.class.getName());
private static final Pattern WHITESPACE = Pattern.compile("\\s+");
// No real reason to let people upload more than ~64MB
private static final long MAX_IMAGE_SIZE = 1L << 26;
// No real reason to deal with more than ~32 megapixels
private static final int MAX_PIXELS = 1 << 25;
private static final Map<DecodeHintType,Object> HINTS;
private static final Map<DecodeHintType,Object> HINTS_PURE;
static {
HINTS = new EnumMap<>(DecodeHintType.class);
HINTS.put(DecodeHintType.TRY_HARDER, Boolean.TRUE);
HINTS.put(DecodeHintType.POSSIBLE_FORMATS, EnumSet.allOf(BarcodeFormat.class));
HINTS_PURE = new EnumMap<>(HINTS);
HINTS_PURE.put(DecodeHintType.PURE_BARCODE, Boolean.TRUE);
}
private Collection<String> blockedURLSubstrings;
private Timer timer;
private DoSTracker destHostTracker;
@Override
public void init(ServletConfig servletConfig) throws ServletException {
Logger logger = Logger.getLogger("com.google.zxing");
ServletContext context = servletConfig.getServletContext();
logger.addHandler(new ServletContextLogHandler(context));
URL blockURL = context.getClassLoader().getResource("/private/uri-block-substrings.txt");
if (blockURL == null) {
blockedURLSubstrings = Collections.emptyList();
} else {
try {
blockedURLSubstrings = Resources.readLines(blockURL, StandardCharsets.UTF_8);
} catch (IOException ioe) {
throw new ServletException(ioe);
}
log.info("Blocking URIs containing: " + blockedURLSubstrings);
}
int maxAccessPerTime = Integer.parseInt(servletConfig.getInitParameter("maxAccessPerTime"));
int accessTimeSec = Integer.parseInt(servletConfig.getInitParameter("accessTimeSec"));
long accessTimeMS = TimeUnit.MILLISECONDS.convert(accessTimeSec, TimeUnit.SECONDS);
int maxEntries = Integer.parseInt(servletConfig.getInitParameter("maxEntries"));
String name = getClass().getSimpleName();
timer = new Timer(name);
destHostTracker = new DoSTracker(timer, name, maxAccessPerTime, accessTimeMS, maxEntries, null);
}
@Override
public void destroy() {
if (timer != null) {
timer.cancel();
}
}
@Override
protected void doGet(HttpServletRequest request,
HttpServletResponse response) throws ServletException, IOException {
String imageURIString = request.getParameter("u");
if (imageURIString == null || imageURIString.isEmpty()) {
log.info("URI was empty");
errorResponse(request, response, "badurl");
return;
}
// Remove any whitespace to sanitize; none is valid anyway
imageURIString = WHITESPACE.matcher(imageURIString).replaceAll("");
if (!blockedURLSubstrings.isEmpty()) {
for (CharSequence substring : blockedURLSubstrings) {
if (imageURIString.contains(substring)) {
log.info("Disallowed URI " + imageURIString);
errorResponse(request, response, HttpServletResponse.SC_FORBIDDEN, "badurl");
return;
}
}
}
URI imageURI;
try {
imageURI = new URI(imageURIString);
// Assume http: if not specified
if (imageURI.getScheme() == null) {
imageURI = new URI("http://" + imageURIString);
}
} catch (URISyntaxException e) {
log.info("Error " + e + " while parsing URI: " + imageURIString);
errorResponse(request, response, "badurl");
return;
}
// Shortcut for data URI
if ("data".equals(imageURI.getScheme())) {
BufferedImage image;
try {
image = ImageReader.readDataURIImage(imageURI);
} catch (Exception e) {
log.info("Error " + e + " while reading data URI: " + imageURIString);
errorResponse(request, response, "badurl");
return;
}
if (image == null) {
log.info("Couldn't read data URI: " + imageURIString);
errorResponse(request, response, "badimage");
return;
}
try {
processImage(image, request, response);
} finally {
image.flush();
}
return;
}
String host = imageURI.getHost();
// Also should parse for 172.x subnets
if (host == null || host.startsWith("10.") || host.startsWith("192.168.") ||
"127.0.0.1".equals(host) || "localhost".equals(host) ||
destHostTracker.isBanned(host)) {
errorResponse(request, response, HttpServletResponse.SC_FORBIDDEN, "badurl");
return;
}
URL imageURL;
try {
imageURL = imageURI.toURL();
} catch (MalformedURLException ignored) {
log.info("URI is not a URL: " + imageURIString);
errorResponse(request, response, "badurl");
return;
}
String protocol = imageURL.getProtocol();
if (!"http".equalsIgnoreCase(protocol) && !"https".equalsIgnoreCase(protocol)) {
log.info("URL protocol was not valid: " + imageURIString);
errorResponse(request, response, "badurl");
return;
}
HttpURLConnection connection;
try {
connection = (HttpURLConnection) imageURL.openConnection();
} catch (IllegalArgumentException ignored) {
log.info("URL could not be opened: " + imageURIString);
errorResponse(request, response, "badurl");
return;
}
connection.setAllowUserInteraction(false);
connection.setInstanceFollowRedirects(true);
connection.setReadTimeout(5000);
connection.setConnectTimeout(5000);
connection.setRequestProperty(HttpHeaders.USER_AGENT, "zxing.org");
connection.setRequestProperty(HttpHeaders.CONNECTION, "close");
try {
connection.connect();
} catch (Exception e) {
// Encompasses lots of stuff, including
// java.net.SocketException, java.net.UnknownHostException,
// javax.net.ssl.SSLPeerUnverifiedException,
// org.apache.http.NoHttpResponseException,
// org.apache.http.client.ClientProtocolException,
log.info("Error " + e + " connecting to " + imageURIString);
errorResponse(request, response, "badurl");
return;
}
try (InputStream is = connection.getInputStream()) {
if (connection.getResponseCode() != HttpServletResponse.SC_OK) {
log.info("Unsuccessful return code " + connection.getResponseCode() + " from " + imageURIString);
errorResponse(request, response, "badurl");
return;
}
int contentLength = connection.getHeaderFieldInt(HttpHeaders.CONTENT_LENGTH, -1);
if (contentLength <= 0) {
log.info("Bad content length: " + imageURIString);
errorResponse(request, response, HttpServletResponse.SC_LENGTH_REQUIRED, "badimage");
return;
}
if (contentLength > MAX_IMAGE_SIZE) {
log.info("Too large: " + imageURIString);
errorResponse(request, response, HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE, "badimage");
return;
}
// Assume we'll only handle image/* content types
String contentType = connection.getContentType();
if (contentType != null && !contentType.startsWith("image/")) {
log.info("Wrong content type " + contentType + ": " + imageURIString);
errorResponse(request, response, HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE, "badimage");
return;
}
log.info("Decoding " + imageURIString);
processStream(is, request, response);
} catch (IOException ioe) {
log.info("Error " + ioe + " processing " + imageURIString);
errorResponse(request, response, "badurl");
} finally {
connection.disconnect();
}
}
@Override
protected void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
Collection<Part> parts;
try {
parts = request.getParts();
} catch (Exception e) {
// Includes IOException, InvalidContentTypeException, other parsing IllegalStateException
log.info(e.toString());
errorResponse(request, response, "badimage");
return;
}
Part fileUploadPart = null;
for (Part part : parts) {
if (part.getHeader(HttpHeaders.CONTENT_DISPOSITION) != null) {
fileUploadPart = part;
break;
}
}
if (fileUploadPart == null) {
log.info("File upload was not multipart");
errorResponse(request, response, "badimage");
} else {
log.info("Decoding uploaded file " + fileUploadPart.getSubmittedFileName());
try (InputStream is = fileUploadPart.getInputStream()) {
processStream(is, request, response);
}
}
}
private static void processStream(InputStream is,
HttpServletRequest request,
HttpServletResponse response) throws ServletException, IOException {
BufferedImage image;
try {
image = ImageIO.read(is);
} catch (Exception e) {
// Many possible failures from JAI, so just catch anything as a failure
log.info(e.toString());
errorResponse(request, response, "badimage");
return;
}
if (image == null) {
errorResponse(request, response, "badimage");
return;
}
try {
int height = image.getHeight();
int width = image.getWidth();
if (height <= 1 || width <= 1) {
log.info("Dimensions too small: " + width + 'x' + height);
errorResponse(request, response, "badimage");
return;
} else if (height * width > MAX_PIXELS) {
log.info("Dimensions too large: " + width + 'x' + height);
errorResponse(request, response, HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE, "badimage");
return;
}
processImage(image, request, response);
} finally {
image.flush();
}
}
private static void processImage(BufferedImage image,
HttpServletRequest request,
HttpServletResponse response) throws IOException, ServletException {
LuminanceSource source = new BufferedImageLuminanceSource(image);
BinaryBitmap bitmap = new BinaryBitmap(new GlobalHistogramBinarizer(source));
Collection<Result> results = new ArrayList<>(1);
try {
Reader reader = new MultiFormatReader();
ReaderException savedException = null;
try {
// Look for multiple barcodes
MultipleBarcodeReader multiReader = new GenericMultipleBarcodeReader(reader);
Result[] theResults = multiReader.decodeMultiple(bitmap, HINTS);
if (theResults != null) {
results.addAll(Arrays.asList(theResults));
}
} catch (ReaderException re) {
savedException = re;
}
if (results.isEmpty() && !Thread.currentThread().isInterrupted()) {
try {
// Look for pure barcode
Result theResult = reader.decode(bitmap, HINTS_PURE);
if (theResult != null) {
results.add(theResult);
}
} catch (ReaderException re) {
savedException = re;
}
}
if (results.isEmpty() && !Thread.currentThread().isInterrupted()) {
try {
// Look for normal barcode in photo
Result theResult = reader.decode(bitmap, HINTS);
if (theResult != null) {
results.add(theResult);
}
} catch (ReaderException re) {
savedException = re;
}
}
if (results.isEmpty() && !Thread.currentThread().isInterrupted()) {
try {
// Try again with other binarizer
BinaryBitmap hybridBitmap = new BinaryBitmap(new HybridBinarizer(source));
Result theResult = reader.decode(hybridBitmap, HINTS);
if (theResult != null) {
results.add(theResult);
}
} catch (ReaderException re) {
savedException = re;
}
}
if (results.isEmpty()) {
try {
throw savedException == null ? NotFoundException.getNotFoundInstance() : savedException;
} catch (FormatException | ChecksumException e) {
errorResponse(request, response, "format");
} catch (ReaderException e) { // Including NotFoundException
errorResponse(request, response, "notfound");
}
return;
}
} catch (RuntimeException re) {
// Call out unexpected errors in the log clearly
log.log(Level.WARNING, "Unexpected exception from library", re);
throw new ServletException(re);
}
String fullParameter = request.getParameter("full");
boolean minimalOutput = fullParameter != null && !Boolean.parseBoolean(fullParameter);
if (minimalOutput) {
response.setContentType(MediaType.PLAIN_TEXT_UTF_8.toString());
response.setCharacterEncoding(StandardCharsets.UTF_8.name());
try (Writer out = new OutputStreamWriter(response.getOutputStream(), StandardCharsets.UTF_8)) {
for (Result result : results) {
out.write(result.getText());
out.write('\n');
}
}
} else {
request.setAttribute("results", results);
request.getRequestDispatcher("decoderesult.jspx").forward(request, response);
}
}
private static void errorResponse(HttpServletRequest request,
HttpServletResponse response,
String key) throws ServletException, IOException {
errorResponse(request, response, HttpServletResponse.SC_BAD_REQUEST, key);
}
private static void errorResponse(HttpServletRequest request,
HttpServletResponse response,
int httpStatus,
String key) throws ServletException, IOException {
Locale locale = request.getLocale();
if (locale == null) {
locale = Locale.ENGLISH;
}
ResourceBundle bundle = ResourceBundle.getBundle("Strings", locale);
String title = bundle.getString("response.error." + key + ".title");
String text = bundle.getString("response.error." + key + ".text");
request.setAttribute("title", title);
request.setAttribute("text", text);
RequestDispatcher dispatcher = request.getRequestDispatcher("response.jspx");
if (dispatcher == null) {
log.warning("Can't obtain RequestDispatcher");
} else {
response.setStatus(httpStatus);
dispatcher.forward(request, response);
}
}
}