This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/trunk by this push:
     new 5fa312c  Fixed: Secure the uploads (OFBIZ-12080)
5fa312c is described below

commit 5fa312cfb9083cd47e8065e571304e46c80058a5
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Sun Dec 6 11:16:44 2020 +0100

    Fixed: Secure the uploads (OFBIZ-12080)
    
    Improves the label names and reformats a comment in LayoutEvents.java
    
    I backport to ease later works...
---
 .../src/main/java/org/apache/ofbiz/content/data/DataServices.java | 8 ++++----
 .../main/java/org/apache/ofbiz/content/layout/LayoutEvents.java   | 3 +--
 .../java/org/apache/ofbiz/product/imagemanagement/FrameImage.java | 2 +-
 framework/common/config/SecurityUiLabels.xml                      | 4 ++--
 4 files changed, 8 insertions(+), 9 deletions(-)

diff --git 
a/applications/content/src/main/java/org/apache/ofbiz/content/data/DataServices.java
 
b/applications/content/src/main/java/org/apache/ofbiz/content/data/DataServices.java
index 5b1ee7b..f63c1b3 100644
--- 
a/applications/content/src/main/java/org/apache/ofbiz/content/data/DataServices.java
+++ 
b/applications/content/src/main/java/org/apache/ofbiz/content/data/DataServices.java
@@ -267,7 +267,7 @@ public class DataServices {
                 out.close();
                 // Check if a webshell is not uploaded
                 if 
(!org.apache.ofbiz.security.SecuredUpload.isValidFile(file.getAbsolutePath(), 
"All", delegator)) {
-                    String errorMessage = 
UtilProperties.getMessage("SecurityUiLabels", 
"SupportedFileIncludingSvgFormats", locale);
+                    String errorMessage = 
UtilProperties.getMessage("SecurityUiLabels", 
"SupportedFileFormatsIncludingSvg", locale);
                     return ServiceUtil.returnError(errorMessage);
                 }
 
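Review bot: When `isValidFile` rejects the upload at the `if` that follows `out.close()`, the method returns the error without removing the file it has just written, so a rejected file stays on disk at `file.getAbsolutePath()` unless `SecuredUpload.isValidFile` deletes it itself, which nothing in this hunk shows. The same write-then-validate-then-return shape appears in the DataServices hunks at -471, -639 and -698 and in the FrameImage hunk at -319. Deleting the file before `return ServiceUtil.returnError(errorMessage);` (for example `file.delete();` if `file` is a `java.io.File`, as `getAbsolutePath()` suggests) would close that gap, and a comment such as `// The file is already on disk: remove it when validation rejects it` would make the ordering explicit. The enclosing method begins and ends outside this hunk.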
@@ -471,7 +471,7 @@ public class DataServices {
                     out.close();
                     // Check if a webshell is not uploaded
                     if 
(!org.apache.ofbiz.security.SecuredUpload.isValidFile(file.getAbsolutePath(), 
"All", delegator)) {
-                        String errorMessage = 
UtilProperties.getMessage("SecurityUiLabels", 
"SupportedFileIncludingSvgFormats", locale);
+                        String errorMessage = 
UtilProperties.getMessage("SecurityUiLabels", 
"SupportedFileFormatsIncludingSvg", locale);
                         return ServiceUtil.returnError(errorMessage);
                     }
                 } catch (FileNotFoundException | ImageReadException e) {
@@ -639,7 +639,7 @@ public class DataServices {
                 out.write(imageData);
                 // Check if a webshell is not uploaded
                 if 
(!org.apache.ofbiz.security.SecuredUpload.isValidFile(file.getAbsolutePath(), 
"All", delegator)) {
-                    String errorMessage = 
UtilProperties.getMessage("SecurityUiLabels", 
"SupportedFileIncludingSvgFormats", locale);
+                    String errorMessage = 
UtilProperties.getMessage("SecurityUiLabels", 
"SupportedFileFormatsIncludingSvg", locale);
                     return ServiceUtil.returnError(errorMessage);
                 }
                 if (Debug.infoOn()) {
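Review bot: In this hunk and the one at -698 the validation runs directly after `out.write(imageData)` with no `close()` or `flush()` visible before `isValidFile(file.getAbsolutePath(), "All", delegator)`, unlike the hunks at -267 and -471 where `out.close()` precedes the check. If `out` is a buffered stream that the enclosing try closes later, the validator inspects a file that may still be incomplete on disk, and its verdict then applies to content that differs from what is finally stored. Closing or flushing `out` before the check, e.g. `out.close();` on the line after `out.write(imageData);` as the earlier hunks do, would make all four sites consistent; how `out` is declared is not visible here, so this needs confirming in the surrounding code. The enclosing method begins and ends outside this hunk.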
@@ -698,7 +698,7 @@ public class DataServices {
                 out.write(imageData);
                 // Check if a webshell is not uploaded
                 if 
(!org.apache.ofbiz.security.SecuredUpload.isValidFile(file.getAbsolutePath(), 
"All", delegator)) {
-                    String errorMessage = 
UtilProperties.getMessage("SecurityUiLabels", 
"SupportedFileIncludingSvgFormats", locale);
+                    String errorMessage = 
UtilProperties.getMessage("SecurityUiLabels", 
"SupportedFileFormatsIncludingSvg", locale);
                     return ServiceUtil.returnError(errorMessage);
                 }
 
diff --git 
a/applications/content/src/main/java/org/apache/ofbiz/content/layout/LayoutEvents.java
 
b/applications/content/src/main/java/org/apache/ofbiz/content/layout/LayoutEvents.java
index 9652ce0..c8a63d2 100644
--- 
a/applications/content/src/main/java/org/apache/ofbiz/content/layout/LayoutEvents.java
+++ 
b/applications/content/src/main/java/org/apache/ofbiz/content/layout/LayoutEvents.java
@@ -146,8 +146,7 @@ public class LayoutEvents {
             }
 
             GenericValue dataResource = 
EntityQuery.use(delegator).from("DataResource").where("dataResourceId", 
dataResourceId).queryOne();
-            // Use objectInfo field to store the name of the file, since there 
is no
-            // place in ImageDataResource for it.
+            // Use objectInfo field to store the name of the file, since there 
is no place in ImageDataResource for it.
             if (dataResource != null) {
                 dataResource.set("objectInfo", imageFileName);
                 dataResource.set("mimeTypeId", mimeTypeId);
diff --git 
a/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java
 
b/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java
index d6b9fec..3a9beed 100644
--- 
a/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java
+++ 
b/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java
@@ -319,7 +319,7 @@ public class FrameImage {
             out.write(imageData.array());
             out.close();
             if 
(!org.apache.ofbiz.security.SecuredUpload.isValidFile(file.getAbsolutePath(), 
"Image", delegator)) {
-                String errorMessage = 
UtilProperties.getMessage("SecurityUiLabels", 
"SupportedFileIncludingSvgFormats", locale);
+                String errorMessage = 
UtilProperties.getMessage("SecurityUiLabels", 
"SupportedFileFormatsIncludingSvg", locale);
                 request.setAttribute("_ERROR_MESSAGE_", errorMessage);
                 return "error";
             }
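Review bot: The check calls `SecuredUpload.isValidFile` in "Image" mode, but the message reported on rejection, `SupportedFileFormatsIncludingSvg`, tells the user that PDF, ZIP and text files are accepted too, per the English value of that label in this commit's SecurityUiLabels.xml hunk. If "Image" mode accepts only the image formats and SVG, as its name suggests, the label `SupportedImageFormatsIncludingSvg`, also renamed in this commit, matches the check: `String errorMessage = UtilProperties.getMessage("SecurityUiLabels", "SupportedImageFormatsIncludingSvg", locale);`. I cannot see the mode semantics from here, so confirm against `SecuredUpload` before switching. The enclosing method begins and ends outside this hunk.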
diff --git a/framework/common/config/SecurityUiLabels.xml 
b/framework/common/config/SecurityUiLabels.xml
index 5410bde..3c88bc8 100644
--- a/framework/common/config/SecurityUiLabels.xml
+++ b/framework/common/config/SecurityUiLabels.xml
@@ -762,7 +762,7 @@
         <value xml:lang="zh">SecurityViewPermissionError 你没有权限浏览本页面。 
(需要"SECURITY_VIEW" 或 "SECURITY_ADMIN")</value>
         <value xml:lang="zh-TW">SecurityViewPermissionError 你沒有權限檢視本頁面. 
(需要"SECURITY_VIEW" 或 "SECURITY_ADMIN")</value>
     </property>
-    <property key="SupportedFileIncludingSvgFormats">
+    <property key="SupportedFileFormatsIncludingSvg">
         <value xml:lang="en">For security reason only valid files of supported 
image formats (GIF, JPEG, PNG, TIFF), SVG, PDF, and ZIP or text files with safe 
contents are accepted.</value>
         <value xml:lang="fr">Pour des raisons de sécurité, seuls les fichiers 
valides de formats d'image pris en charge (GIF, JPEG, PNG, TIFF), les fichiers 
SVG, PDF, et les fichiers ZIP ou texte aux contenus sûrs sont acceptés.</value>
     </property>
@@ -770,7 +770,7 @@
         <value xml:lang="en">For security reason only valid files of supported 
image formats (GIF, JPEG, PNG, TIFF), PDF or text files with safe contents are 
accepted.</value>
         <value xml:lang="fr">Pour des raisons de sécurité, seuls les fichiers 
valides de formats d'image pris en charge (GIF, JPEG, PNG, TIFF), les fichiers 
PDF ou les fichiers texte aux contenus sûrs sont acceptés.</value>
     </property>
-    <property key="SupportedImageFormatseIncludingSvg">
+    <property key="SupportedImageFormatsIncludingSvg">
         <value xml:lang="en">For security reason only valid files of supported 
image formats (GIF, JPEG, PNG, TIFF), or SVG format are accepted.</value>
         <value xml:lang="fr">Pour des raisons de sécurité, seuls les fichiers 
valides des formats d'image pris en charge (GIF, JPEG, PNG, TIFF) ou au format 
SVG sont acceptés.</value>
     </property>
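Review bot: The key `SupportedImageFormatseIncludingSvg` is renamed to `SupportedImageFormatsIncludingSvg` here, but unlike the other rename in this commit no Java hunk updates a caller of it, and the diffstat lists only the four files shown. If any code still looks the label up under the old misspelled key, the user now gets a missing-label result instead of the security message; a search for the old key (and, if nothing references it, a line in the commit message saying the property was unused) would settle it. The `en` value could also read `For security reasons, only valid files of supported image formats (GIF, JPEG, PNG, TIFF), or SVG format are accepted.` for grammar.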
