This is an automated email from the ASF dual-hosted git repository. jacopoc pushed a commit to branch release24.09 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
commit 372e4fe0252e477915260b38dea558552b57833b
Author: Jacopo Cappellato <[email protected]>
AuthorDate: Tue Mar 17 08:53:06 2026 +0100
Fixed: Enhance temporary file creation for image uploads by using original file extensions and ensuring safe copying to the destination
(cherry picked from commit 0dcd1faf182ab0aa43a8939d4a4c84bf5c569af3)
---
 .../apache/ofbiz/product/imagemanagement/FrameImage.java | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java b/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java
index d1873d1760..b5b0cd3363 100644
--- a/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java
+++ b/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java
@@ -29,10 +29,10 @@ import java.awt.image.BufferedImage;
 import java.awt.image.RenderedImage;
 import java.io.File;
 import java.io.IOException;
-import java.io.RandomAccessFile;
 import java.nio.ByteBuffer;
 import java.nio.file.Files;
 import java.nio.file.Path;
+import java.nio.file.StandardCopyOption;
 import java.nio.file.StandardOpenOption;
 import java.util.HashMap;
 import java.util.Locale;
@@ -318,18 +318,20 @@ public class FrameImage {
 request.setAttribute("_ERROR_MESSAGE_", "There is an existing frame, please select from the existing frame.");
 return "error";
 }
- Path tmpFile = Files.createTempFile(null, null);
+ String origName = imageName;
+ int dotIdx = origName.lastIndexOf('.');
+ String fileExt = dotIdx >= 0 ? origName.substring(dotIdx) : null;
+ Path tmpFile = Files.createTempFile(null, fileExt);
 Files.write(tmpFile, imageData.array(), StandardOpenOption.APPEND);
 // Check if a webshell is not uploaded
 if (!org.apache.ofbiz.security.SecuredUpload.isValidFile(tmpFile.toString(), "Image", delegator)) {
 String errorMessage = UtilProperties.getMessage("SecurityUiLabels", "SupportedFileFormatsIncludingSvg", locale);
+ new File(tmpFile.toString()).deleteOnExit();
 request.setAttribute("_ERROR_MESSAGE_", errorMessage);
 return "error";
 }
- Files.delete(tmpFile);
- RandomAccessFile out = new RandomAccessFile(file, "rw");
- out.write(imageData.array());
- out.close();
+ Files.copy(tmpFile, file.toPath(), StandardCopyOption.REPLACE_EXISTING);
+ new File(tmpFile.toString()).deleteOnExit();
 //create dataResource
 Map<String, Object> dataResourceCtx = new HashMap<>();
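Review bot: Both cleanup paths in this hunk call `new File(tmpFile.toString()).deleteOnExit()`, which removes the temporary file only when the JVM shuts down, so in a long-running server every upload, including the ones `SecuredUpload.isValidFile` has just rejected, stays in the temp directory, and nothing is scheduled at all if `Files.write` or `Files.copy` throws. Wrapping the write/validate/copy sequence in `try { ... } finally { Files.deleteIfExists(tmpFile); }` removes the file on every path and avoids the `File` round-trip. Separately, `fileExt` is cut from `imageName`, which looks like the client-supplied file name (its origin is outside the hunk); `Files.createTempFile` throws `IllegalArgumentException` for a suffix it cannot use, so checking the extension against the image types the application accepts before this call would route a bad name to the normal `_ERROR_MESSAGE_` return. The enclosing method starts and ends outside the hunk.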

