[ https://issues.apache.org/jira/browse/OFBIZ-13192?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17904024#comment-17904024 ]
ASF subversion and git services commented on OFBIZ-13192:
---------------------------------------------------------

Commit faf6032b015a7be1380281a784253d1790ac5ff6 in ofbiz-framework's branch refs/heads/release18.12 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=faf6032b01 ]

Fixed: Issues when uploading SVG files (OFBIZ-13192)

* Bypasses CSV file type checking when the file contains "</svg>"
* Changes the "maxLineLength" property in security.properties from null to 10000 and allows 0 to bypass the "maxLineLength" check

Note: SVG files are text files and may contain deniedWebShellTokens. If you need to upload SVG files, the easiest way is to remove the used tokens from deniedWebShellTokens.

> Issues when uploading SVG files
> -------------------------------
>
>                 Key: OFBIZ-13192
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-13192
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: content, party
>    Affects Versions: 18.12.17, 24.09.01
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 24.09.01, 18.12.18
>
>
> SVG files can only be uploaded when the "All" type is used. That's only done inside the Content component. This component can also be used by other components, like Party for instance.
> There are some issues when uploading SVG files.
> * When the All type is used and an SVG file is uploaded, the type checking order places the CSV file type before the SVG file type. In some cases this error arises:
>     java.io.IOException: (line 8) invalid char between encapsulated token and delimiter
> * Most often they are minified. Then, apart from very small ones, they contain long lines, at least longer than the 10000 default.
> * They almost all contain the word "class". Once you remove it from deniedWebShellTokens in security.properties the files pass and are uploaded w/o modification. They can also contain tokens like "javascript", etc.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
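The following is an added example, not OFBiz code and not part of the ticket or the commit: a stand-alone Java model of the three behaviours the comment describes for text uploads under the "All" type. It skips the CSV probe when the content contains "</svg>", treats maxLineLength 0 as "check disabled", and rejects content that matches a deniedWebShellTokens entry, so that the trade-off in the commit's note (an SVG with a "class" attribute or a "javascript:" handler is still blocked) can be seen on concrete input. The property names come from the ticket; the token list, the order of the checks, the `Verdict` names and the simplified CSV rule are assumptions made for the example, and the sample SVGs are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.Locale;

/*
 * Added example, not OFBiz code: models the upload checks discussed in
 * OFBIZ-13192. Property names come from the ticket; the token list, the
 * check order and the simplified CSV rule are assumptions.
 * Run with: java UploadCheck.java   (Java 11 or later)
 */
public class UploadCheck {

    enum Verdict { ACCEPTED, REJECTED_LINE_TOO_LONG, REJECTED_DENIED_TOKEN, REJECTED_NOT_CSV }

    /** Assumed subset; "class" and "javascript" are the two tokens the ticket names. */
    static final List<String> DENIED_WEB_SHELL_TOKENS = List.of("javascript", "class", "eval(");

    /** SVG detection the way the fix does it: the closing tag is present. */
    static boolean looksLikeSvg(String text) {
        return text.contains("</svg>");
    }

    /** maxLineLength semantics after the fix: 0 disables the check. */
    static boolean hasLineLongerThan(String text, int maxLineLength) {
        if (maxLineLength <= 0) {
            return false;
        }
        for (String line : text.split("\\r?\\n", -1)) {
            if (line.length() > maxLineLength) {
                return true;
            }
        }
        return false;
    }

    /** Case-insensitive substring scan; returns the first denied token found, or null. */
    static String firstDeniedToken(String text, List<String> denied) {
        String lower = text.toLowerCase(Locale.ROOT);
        for (String token : denied) {
            if (lower.contains(token.toLowerCase(Locale.ROOT))) {
                return token;
            }
        }
        return null;
    }

    /**
     * Simplified stand-in for the strict CSV parse whose error the ticket quotes.
     * A field that starts with a quote must end with a quote ("" escapes a quote)
     * followed directly by a comma or the end of the record; anything else is the
     * "invalid char between encapsulated token and delimiter" case. This is not
     * the full Commons CSV grammar.
     */
    static boolean parsesAsCsv(String text) {
        for (String record : text.split("\\r?\\n", -1)) {
            int pos = 0;
            while (pos <= record.length()) {                       // one iteration per field
                if (pos < record.length() && record.charAt(pos) == '"') {
                    int close = record.indexOf('"', pos + 1);
                    while (close >= 0 && close + 1 < record.length() && record.charAt(close + 1) == '"') {
                        close = record.indexOf('"', close + 2);    // skip an escaped ""
                    }
                    if (close < 0) {
                        return false;                              // unterminated encapsulated token
                    }
                    pos = close + 1;
                    if (pos < record.length() && record.charAt(pos) != ',') {
                        return false;                              // junk between closing quote and delimiter
                    }
                } else {
                    int comma = record.indexOf(',', pos);
                    pos = comma < 0 ? record.length() : comma;
                }
                pos++;                                             // step past the delimiter
            }
        }
        return true;
    }

    /**
     * svgFirst=false models the pre-fix order (CSV probe before SVG recognition, so a
     * failed CSV parse aborts the upload); svgFirst=true models the fix (content that
     * contains "</svg>" skips the CSV probe). The line-length and denied-token checks
     * run in both orders; where they sit relative to the type probes is assumed.
     */
    static Verdict check(byte[] upload, int maxLineLength, List<String> denied, boolean svgFirst) {
        String text = new String(upload, StandardCharsets.UTF_8);
        if (hasLineLongerThan(text, maxLineLength)) {
            return Verdict.REJECTED_LINE_TOO_LONG;
        }
        if (firstDeniedToken(text, denied) != null) {
            return Verdict.REJECTED_DENIED_TOKEN;
        }
        if (svgFirst && looksLikeSvg(text)) {
            return Verdict.ACCEPTED;
        }
        return parsesAsCsv(text) ? Verdict.ACCEPTED : Verdict.REJECTED_NOT_CSV;
    }

    public static void main(String[] args) {
        // Constructed samples, each a one-line "minified" SVG. The CSS inside <style>
        // has a comma followed by a quoted font name, which trips the CSV probe.
        String plain = "<svg xmlns=\"http://www.w3.org/2000/svg\"><style>.a{font-family:Arial,\"Segoe UI\"}</style>"
                + "<text>hi</text></svg>";
        String withClass = plain.replace("<text>", "<text class=\"a\">");
        String withHandler = plain.replace("<text>", "<text onload=\"javascript:alert(1)\">");
        String longLine = "<svg xmlns=\"http://www.w3.org/2000/svg\"><path d=\"" + "M0 0 ".repeat(2100) + "\"/></svg>";
        List<String> denied = DENIED_WEB_SHELL_TOKENS;

        System.out.println("plain SVG, pre-fix order : " + check(plain.getBytes(StandardCharsets.UTF_8), 10000, denied, false));
        System.out.println("plain SVG, fixed order   : " + check(plain.getBytes(StandardCharsets.UTF_8), 10000, denied, true));
        System.out.println("class attribute          : " + check(withClass.getBytes(StandardCharsets.UTF_8), 10000, denied, true));
        System.out.println("javascript: handler      : " + check(withHandler.getBytes(StandardCharsets.UTF_8), 10000, denied, true));
        System.out.println("10500-char line, max 10000: " + check(longLine.getBytes(StandardCharsets.UTF_8), 10000, denied, true));
        System.out.println("10500-char line, max 0    : " + check(longLine.getBytes(StandardCharsets.UTF_8), 0, denied, true));
    }
}
```

Running it prints REJECTED_NOT_CSV for the plain SVG under the pre-fix order and ACCEPTED under the fixed order, REJECTED_DENIED_TOKEN for the two variants that carry "class" and "javascript", and REJECTED_LINE_TOO_LONG followed by ACCEPTED for the long line with maxLineLength 10000 and 0. The last pair is the point a practitioner should weigh before following the note's advice: dropping "class" or "javascript" from deniedWebShellTokens, or setting maxLineLength to 0, relaxes the check for every text upload, not only for SVG.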