This is an automated email from the ASF dual-hosted git repository.
jacopoc pushed a commit to branch release24.09
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release24.09 by this push:
new 76be5d90fe Fixed: Improve image upload handling by using file
extensions for temporary files and ensuring safe copying of sanitized images
76be5d90fe is described below
commit 76be5d90fee027431e1a33819f7e1c87481a044f
Author: Jacopo Cappellato <[email protected]>
AuthorDate: Mon Mar 16 12:25:44 2026 +0100
Fixed: Improve image upload handling by using file extensions for temporary
files and ensuring safe copying of sanitized images
(cherry picked from commit 3475b96c670746734582c821ca76a3be0c57f56b)
---
.../imagemanagement/ImageManagementServices.java | 41 +++++++++++-----------
1 file changed, 21 insertions(+), 20 deletions(-)
diff --git
a/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/ImageManagementServices.java
b/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/ImageManagementServices.java
index 60bbe3d7f5..5d21a70698 100644
---
a/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/ImageManagementServices.java
+++
b/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/ImageManagementServices.java
@@ -25,10 +25,10 @@ import java.awt.image.RenderedImage;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;
-import java.io.RandomAccessFile;
import java.nio.ByteBuffer;
import java.nio.file.Files;
import java.nio.file.Path;
+import java.nio.file.StandardCopyOption;
import java.nio.file.StandardOpenOption;
import java.util.HashMap;
import java.util.List;
@@ -157,21 +157,21 @@ public class ImageManagementServices {
imageName = "";
}
+ String fileExt = uploadFileName.contains(".") ?
uploadFileName.substring(uploadFileName.lastIndexOf('.')) : "";
if (UtilValidate.isEmpty(imageResize)) {
try {
- Path tempFile = Files.createTempFile(null, null);
+ Path tempFile = Files.createTempFile(null, fileExt);
Files.write(tempFile, imageData.array(),
StandardOpenOption.APPEND);
// Check if a webshell is not uploaded
if
(!org.apache.ofbiz.security.SecuredUpload.isValidFile(tempFile.toString(),
"Image", delegator)) {
String errorMessage =
UtilProperties.getMessage("SecurityUiLabels", "SupportedImageFormats", locale);
+ new File(tempFile.toString()).deleteOnExit();
return ServiceUtil.returnError(errorMessage);
}
- File tempFileToDelete = new File(tempFile.toString());
- tempFileToDelete.deleteOnExit();
- // Create image file original to folder product id.
- RandomAccessFile out = new RandomAccessFile(file, "rw");
- out.write(imageData.array());
- out.close();
+ // Copy from the sanitized temp file, not from the
original byte array, so that
+ // metadata and payloads stripped by imageMadeSafe() are
not reintroduced.
+ Files.copy(tempFile, file.toPath(),
StandardCopyOption.REPLACE_EXISTING);
+ new File(tempFile.toString()).deleteOnExit();
} catch (FileNotFoundException e) {
Debug.logError(e, MODULE);
return
ServiceUtil.returnError(UtilProperties.getMessage(RES_ERROR,
@@ -187,18 +187,18 @@ public class ImageManagementServices {
fileOriginal = checkExistsImage(fileOriginal);
try {
- Path tempFile = Files.createTempFile(null, null);
+ Path tempFile = Files.createTempFile(null, fileExt);
Files.write(tempFile, imageData.array(),
StandardOpenOption.APPEND);
// Check if a webshell is not uploaded
if
(!org.apache.ofbiz.security.SecuredUpload.isValidFile(tempFile.toString(),
"Image", delegator)) {
String errorMessage =
UtilProperties.getMessage("SecurityUiLabels", "SupportedImageFormats", locale);
+ new File(tempFile.toString()).deleteOnExit();
return ServiceUtil.returnError(errorMessage);
}
- File tempFileToDelete = new File(tempFile.toString());
- tempFileToDelete.deleteOnExit();
- RandomAccessFile outFile = new
RandomAccessFile(fileOriginal, "rw");
- outFile.write(imageData.array());
- outFile.close();
+ // Copy from the sanitized temp file, not from the
original byte array, so that
+ // metadata and payloads stripped by imageMadeSafe() are
not reintroduced.
+ Files.copy(tempFile, fileOriginal.toPath(),
StandardCopyOption.REPLACE_EXISTING);
+ new File(tempFile.toString()).deleteOnExit();
} catch (FileNotFoundException e) {
Debug.logError(e, MODULE);
return
ServiceUtil.returnError(UtilProperties.getMessage(RES_ERROR,
@@ -578,19 +578,20 @@ public class ImageManagementServices {
// Create image file thumbnail to folder product id.
String fileToCheck = imageServerPath + "/" + productId + "/" +
filenameToUseThumb;
File fileOriginalThumb = new File(fileToCheck);
+ String thumbExt = extensionThumb != null ? "." +
extensionThumb.getString("fileExtensionId") : "";
try {
- Path tempFile = Files.createTempFile(null, null);
+ Path tempFile = Files.createTempFile(null, thumbExt);
Files.write(tempFile, imageData.array(),
StandardOpenOption.APPEND);
// Check if a webshell is not uploaded
if
(!org.apache.ofbiz.security.SecuredUpload.isValidFile(tempFile.toString(),
"Image", delegator)) {
String errorMessage =
UtilProperties.getMessage("SecurityUiLabels", "SupportedImageFormats", locale);
+ new File(tempFile.toString()).deleteOnExit();
return ServiceUtil.returnError(errorMessage);
}
- File tempFileToDelete = new File(tempFile.toString());
- tempFileToDelete.deleteOnExit();
- RandomAccessFile outFileThumb = new
RandomAccessFile(fileOriginalThumb, "rw");
- outFileThumb.write(imageData.array());
- outFileThumb.close();
+ // Copy from the sanitized temp file, not from the original byte
array, so that
+ // metadata and payloads stripped by imageMadeSafe() are not
reintroduced.
+ Files.copy(tempFile, fileOriginalThumb.toPath(),
StandardCopyOption.REPLACE_EXISTING);
+ new File(tempFile.toString()).deleteOnExit();
} catch (FileNotFoundException e) {
Debug.logError(e, MODULE);
return ServiceUtil.returnError(UtilProperties.getMessage(RES_ERROR,
