This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/trunk by this push:
new 5fa312c Fixed: Secure the uploads (OFBIZ-12080)
5fa312c is described below
commit 5fa312cfb9083cd47e8065e571304e46c80058a5
Author: Jacques Le Roux <[email protected]>
AuthorDate: Sun Dec 6 11:16:44 2020 +0100
Fixed: Secure the uploads (OFBIZ-12080)
Improves the labels names and format comment in LayoutEvents.java
I backport to ease later works...
---
.../src/main/java/org/apache/ofbiz/content/data/DataServices.java | 8 ++++----
.../main/java/org/apache/ofbiz/content/layout/LayoutEvents.java | 3 +--
.../java/org/apache/ofbiz/product/imagemanagement/FrameImage.java | 2 +-
framework/common/config/SecurityUiLabels.xml | 4 ++--
4 files changed, 8 insertions(+), 9 deletions(-)
diff --git
a/applications/content/src/main/java/org/apache/ofbiz/content/data/DataServices.java
b/applications/content/src/main/java/org/apache/ofbiz/content/data/DataServices.java
index 5b1ee7b..f63c1b3 100644
---
a/applications/content/src/main/java/org/apache/ofbiz/content/data/DataServices.java
+++
b/applications/content/src/main/java/org/apache/ofbiz/content/data/DataServices.java
@@ -267,7 +267,7 @@ public class DataServices {
out.close();
// Check if a webshell is not uploaded
if
(!org.apache.ofbiz.security.SecuredUpload.isValidFile(file.getAbsolutePath(),
"All", delegator)) {
- String errorMessage =
UtilProperties.getMessage("SecurityUiLabels",
"SupportedFileIncludingSvgFormats", locale);
+ String errorMessage =
UtilProperties.getMessage("SecurityUiLabels",
"SupportedFileFormatsIncludingSvg", locale);
return ServiceUtil.returnError(errorMessage);
}
@@ -471,7 +471,7 @@ public class DataServices {
out.close();
// Check if a webshell is not uploaded
if
(!org.apache.ofbiz.security.SecuredUpload.isValidFile(file.getAbsolutePath(),
"All", delegator)) {
- String errorMessage =
UtilProperties.getMessage("SecurityUiLabels",
"SupportedFileIncludingSvgFormats", locale);
+ String errorMessage =
UtilProperties.getMessage("SecurityUiLabels",
"SupportedFileFormatsIncludingSvg", locale);
return ServiceUtil.returnError(errorMessage);
}
} catch (FileNotFoundException | ImageReadException e) {
@@ -639,7 +639,7 @@ public class DataServices {
out.write(imageData);
// Check if a webshell is not uploaded
if
(!org.apache.ofbiz.security.SecuredUpload.isValidFile(file.getAbsolutePath(),
"All", delegator)) {
- String errorMessage =
UtilProperties.getMessage("SecurityUiLabels",
"SupportedFileIncludingSvgFormats", locale);
+ String errorMessage =
UtilProperties.getMessage("SecurityUiLabels",
"SupportedFileFormatsIncludingSvg", locale);
return ServiceUtil.returnError(errorMessage);
}
if (Debug.infoOn()) {
@@ -698,7 +698,7 @@ public class DataServices {
out.write(imageData);
// Check if a webshell is not uploaded
if
(!org.apache.ofbiz.security.SecuredUpload.isValidFile(file.getAbsolutePath(),
"All", delegator)) {
- String errorMessage =
UtilProperties.getMessage("SecurityUiLabels",
"SupportedFileIncludingSvgFormats", locale);
+ String errorMessage =
UtilProperties.getMessage("SecurityUiLabels",
"SupportedFileFormatsIncludingSvg", locale);
return ServiceUtil.returnError(errorMessage);
}
diff --git
a/applications/content/src/main/java/org/apache/ofbiz/content/layout/LayoutEvents.java
b/applications/content/src/main/java/org/apache/ofbiz/content/layout/LayoutEvents.java
index 9652ce0..c8a63d2 100644
---
a/applications/content/src/main/java/org/apache/ofbiz/content/layout/LayoutEvents.java
+++
b/applications/content/src/main/java/org/apache/ofbiz/content/layout/LayoutEvents.java
@@ -146,8 +146,7 @@ public class LayoutEvents {
}
GenericValue dataResource =
EntityQuery.use(delegator).from("DataResource").where("dataResourceId",
dataResourceId).queryOne();
- // Use objectInfo field to store the name of the file, since there
is no
- // place in ImageDataResource for it.
+ // Use objectInfo field to store the name of the file, since there
is no place in ImageDataResource for it.
if (dataResource != null) {
dataResource.set("objectInfo", imageFileName);
dataResource.set("mimeTypeId", mimeTypeId);
diff --git
a/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java
b/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java
index d6b9fec..3a9beed 100644
---
a/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java
+++
b/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java
@@ -319,7 +319,7 @@ public class FrameImage {
out.write(imageData.array());
out.close();
if
(!org.apache.ofbiz.security.SecuredUpload.isValidFile(file.getAbsolutePath(),
"Image", delegator)) {
- String errorMessage =
UtilProperties.getMessage("SecurityUiLabels",
"SupportedFileIncludingSvgFormats", locale);
+ String errorMessage =
UtilProperties.getMessage("SecurityUiLabels",
"SupportedFileFormatsIncludingSvg", locale);
request.setAttribute("_ERROR_MESSAGE_", errorMessage);
return "error";
}
diff --git a/framework/common/config/SecurityUiLabels.xml
b/framework/common/config/SecurityUiLabels.xml
index 5410bde..3c88bc8 100644
--- a/framework/common/config/SecurityUiLabels.xml
+++ b/framework/common/config/SecurityUiLabels.xml
@@ -762,7 +762,7 @@
<value xml:lang="zh">SecurityViewPermissionError 你没有权限浏览本页面。
(需要"SECURITY_VIEW" 或 "SECURITY_ADMIN")</value>
<value xml:lang="zh-TW">SecurityViewPermissionError 你沒有權限檢視本頁面.
(需要"SECURITY_VIEW" 或 "SECURITY_ADMIN")</value>
</property>
- <property key="SupportedFileIncludingSvgFormats">
+ <property key="SupportedFileFormatsIncludingSvg">
<value xml:lang="en">For security reason only valid files of supported
image formats (GIF, JPEG, PNG, TIFF), SVG, PDF, and ZIP or text files with safe
contents are accepted.</value>
<value xml:lang="fr">Pour des raisons de sécurité, seuls les fichiers
valides de formats d'image pris en charge (GIF, JPEG, PNG, TIFF), les fichiers
SVG, PDF, et les fichiers ZIP ou texte aux contenus sûrs sont acceptés.</value>
</property>
@@ -770,7 +770,7 @@
<value xml:lang="en">For security reason only valid files of supported
image formats (GIF, JPEG, PNG, TIFF), PDF or text files with safe contents are
accepted.</value>
<value xml:lang="fr">Pour des raisons de sécurité, seuls les fichiers
valides de formats d'image pris en charge (GIF, JPEG, PNG, TIFF), les fichiers
PDF ou les fichiers texte aux contenus sûrs sont acceptés.</value>
</property>
- <property key="SupportedImageFormatseIncludingSvg">
+ <property key="SupportedImageFormatsIncludingSvg">
<value xml:lang="en">For security reason only valid files of supported
image formats (GIF, JPEG, PNG, TIFF), or SVG format are accepted.</value>
<value xml:lang="fr">Pour des raisons de sécurité, seuls les fichiers
valides des formats d'image pris en charge (GIF, JPEG, PNG, TIFF) ou au format
SVG sont acceptés.</value>
</property>
