[ 
https://issues.apache.org/jira/browse/OFBIZ-12639?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17755953#comment-17755953
 ] 

Ingo Wolfmayr commented on OFBIZ-12639:
---------------------------------------

[~jleroux] There seems to be another issue with the SecureUpload.

The "isValidImageFile" method includes the "isValidTextFile" method that 
includes "isValidText". This method checks for '+' and "+".

Sometimes the source of an image includes these chars - there is no vicious 
purpose behind it + I do not see a solution for how this can be prevented. It also 
happens that uploading an image creates image scales including these chars. The 
result is an uploaded "original" file but no scales.

Would it be a bad idea to disable the "ALLOWSTRINGCONCATENATIONINUPLOADEDFILES" 
for certain types of files like images, pdf? Maybe in combination with a 
special upload permission? Does it even make sense with images, pdf?

I want to keep the system on my side as secure as possible, but uploading an 
image should not presume a degree in computer science.
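As an added illustration (not OFBiz code and not part of this thread), the Java sketch below separates the two concerns the comment raises: a declared image is validated by magic bytes plus an actual decode, and the text-oriented concatenation heuristic is applied only to non-image uploads, where it is meaningful. The regex is an assumed simplification of the '+' / "+" check; the class, method and enum names are hypothetical, and the sample inputs are constructed in memory.

```java
import java.awt.image.BufferedImage;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;
import javax.imageio.ImageIO;

/**
 * Hypothetical upload gate (not OFBiz's SecuredUpload): pick the validation by
 * declared kind, so a text heuristic is never run over binary image data where
 * the bytes for '"' (0x22) and '+' (0x2B) occur by chance.
 */
public class UploadTypeGate {

    // Assumed approximation of the concatenation heuristic the comment describes:
    // a quote, optional whitespace, '+', optional whitespace, another quote.
    private static final Pattern CONCAT = Pattern.compile("\"\\s*\\+\\s*\"");

    private static final byte[] PNG_MAGIC = {(byte) 0x89, 'P', 'N', 'G', '\r', '\n', 0x1A, '\n'};
    private static final byte[] JPEG_MAGIC = {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF};

    enum Verdict { ACCEPT_IMAGE, ACCEPT_TEXT, REJECT_NOT_AN_IMAGE, REJECT_CONCATENATION }

    /** Text heuristic: only meaningful for files that really are text. */
    static boolean hasStringConcatenation(byte[] data) {
        // ISO-8859-1 maps every byte to exactly one char, so nothing is lost in the decode.
        String asText = new String(data, StandardCharsets.ISO_8859_1);
        return CONCAT.matcher(asText).find();
    }

    static boolean startsWith(byte[] data, byte[] magic) {
        if (data.length < magic.length) return false;
        for (int i = 0; i < magic.length; i++) {
            if (data[i] != magic[i]) return false;
        }
        return true;
    }

    /** A declared image must carry a known magic number AND decode to real pixels. */
    static boolean isDecodableImage(byte[] data) {
        if (!startsWith(data, PNG_MAGIC) && !startsWith(data, JPEG_MAGIC)) return false;
        try {
            BufferedImage img = ImageIO.read(new ByteArrayInputStream(data));
            return img != null && img.getWidth() > 0 && img.getHeight() > 0;
        } catch (IOException e) {
            return false; // truncated or malformed data fails closed
        }
    }

    /** Route each upload to the check that fits its declared kind. */
    static Verdict check(byte[] data, boolean declaredAsImage) {
        if (declaredAsImage) {
            return isDecodableImage(data) ? Verdict.ACCEPT_IMAGE : Verdict.REJECT_NOT_AN_IMAGE;
        }
        return hasStringConcatenation(data) ? Verdict.REJECT_CONCATENATION : Verdict.ACCEPT_TEXT;
    }

    static int countByte(byte[] data, byte b) {
        int n = 0;
        for (byte x : data) if (x == b) n++;
        return n;
    }

    /** Constructed sample: a small gradient PNG rendered in memory. */
    static byte[] samplePng() throws IOException {
        BufferedImage img = new BufferedImage(64, 64, BufferedImage.TYPE_INT_RGB);
        for (int y = 0; y < 64; y++) {
            for (int x = 0; x < 64; x++) {
                img.setRGB(x, y, ((x * 4) << 16) | ((y * 4) << 8) | ((x ^ y) * 4));
            }
        }
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ImageIO.write(img, "png", out);
        return out.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        byte[] png = samplePng();
        byte[] script = "var s = \"a\" + \"b\";".getBytes(StandardCharsets.UTF_8);
        byte[] plain = "a note about \"quotes\" and 1 + 1".getBytes(StandardCharsets.UTF_8);
        // Constructed: PNG magic followed by the bytes the heuristic looks for, but no image data.
        byte[] fakeImage = new byte[PNG_MAGIC.length + 3];
        System.arraycopy(PNG_MAGIC, 0, fakeImage, 0, PNG_MAGIC.length);
        fakeImage[PNG_MAGIC.length] = '"';
        fakeImage[PNG_MAGIC.length + 1] = '+';
        fakeImage[PNG_MAGIC.length + 2] = '"';

        System.out.println("0x22 / 0x2B bytes inside the PNG: "
                + countByte(png, (byte) '"') + " / " + countByte(png, (byte) '+'));
        System.out.println("real png, declared image:   " + check(png, true));
        System.out.println("script, declared text:      " + check(script, false));
        System.out.println("plain note, declared text:  " + check(plain, false));
        System.out.println("magic only, declared image: " + check(fakeImage, true));
    }
}
```

The first printed line shows how often the two bytes the heuristic keys on happen to appear in a genuine, harmless PNG; the last line shows that skipping the text check for images does not loosen anything, because a file that merely claims to be an image is still rejected when it does not decode.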

> Upload image size issue
> -----------------------
>
>                 Key: OFBIZ-12639
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12639
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: product/catalog
>    Affects Versions: Upcoming Branch
>            Reporter: Ingo Wolfmayr
>            Priority: Major
>         Attachments: test.jpeg
>
>
> I tried to upload an image > 3MB and it fails as the line length > 10000.
> Does this security check make sense for images? Attached you will find the 
> image.
> Additionally, the security message is misleading: For security reason 
> only valid files of supported image formats...
> Responsible code can be found in: SecuredUploads.java (line 205) & 
> DataServices.java (line 216)



--
This message was sent by Atlassian Jira
(v8.20.10#820010)