Hi Jacques,

Step 1: Go to the e-commerce website and log in as DemoCustomer
Step 2: Go to the profile page and find Party Content Uploaded / File Manager
Step 3: Add/browse a file
Step 4: Select Purpose - Internal Content/User Defined Content and click to upload

You will get the same error. The file is getting uploaded, but at the end of

*DataServices.groovy
---> def attachUploadToDataResource()
---> return saveLocalFileDataResource(parameters.dataResourceTypeId)
---> result = run service: "createAnonFile", with: fileCtx
---> createFileNoPerm
---> createFileMethod(dctx, context);
---> if (!org.apache.ofbiz.security.SecuredUpload.isValidFile(file.getAbsolutePath(), "Text", delegator))
---> return ServiceUtil.returnError(errorMessage);*

Due to the issue I talked about above, I also uploaded the file which I'm using to upload on Party Content Uploaded. Names of the files which I'm uploading: (AAAAJPJ1.JPEG, AAAAJPJ1.png), and screenshots of the demo website, and I also tried locally.

Regards,
Shrilesh K.

On Wed, Apr 14, 2021 at 11:06 PM Jacques Le Roux <[email protected]> wrote:

> Hi Shrilesh,
>
> In which cases exactly are the file names rejected (length, name, etc.)?
> We can also consider the content.upload.path.prefix indeed...
>
> Jacques
>
> On 14/04/2021 at 17:24, Shrilesh Korgaonkar wrote:
> > Hi Guys,
> >
> > While performing testing of
> > https://issues.apache.org/jira/browse/OFBIZ-10746 issue reported a while
> > back, I have noticed that if I try uploading a file it now fails for
> > different reasons as the file name is being considered invalid
> >
> > At first glance, it looks like due to fixes introduced recently due to
> > below issues
> > 1. Secure the uploads (OFBIZ-12080)
> > 2. addImageForProduct fails (OFBIZ-12211)
> >
> > Of course, it could be bypassed for now by setting property
> > *allowAllUploads=true* in security.properties.
> >
> > However, was wondering if the below code block from class
> > *SecuredUpload.java* should have allowed URLs that also contain
> > *content.upload.path.prefix* value? Same as what is being done for product
> > image URLs.
> >
> > if (fileToCheck.length() > 4096) {
> >     Debug.logError("Uploaded file name too long", MODULE);
> >     return false;
> > *} else if (p.toString().contains(imageServerUrl)) {*
> >     if (file.matches("[a-zA-Z0-9-_ ()]{1,4086}.[a-zA-Z0-9-_ ]{1,10}")) { // "(" and ")" for duplicates files
> >         wrongFile = false;
> >     } else if (!file.matches("[a-zA-Z0-9-_ ]{1,4086}.[a-zA-Z0-9-_ ]{1,10}")) {
> >         wrongFile = false;
> >     }
> > }
> >
> > Let me know what the thoughts are and if need be happy to raise an issue so
> > that it could be tracked
> >
> >
> > Regards,
> > Shrilesh K.
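
The question raised in the original message (treating paths under content.upload.path.prefix like image server paths), sketched as an added example that is not OFBiz code and not part of the thread. The class, method and directory names are hypothetical, and unlike the quoted patterns it escapes the dot and compares normalized path prefixes instead of substrings.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;
import java.util.regex.Pattern;

// Added sketch, not OFBiz code: class, method and directory names are hypothetical.
public class UploadNameCheck {
    // Same character classes as the quoted block, with the dot escaped so it
    // only matches a literal "." between base name and extension.
    private static final Pattern STRICT =
            Pattern.compile("[a-zA-Z0-9_ -]{1,4086}\\.[a-zA-Z0-9_ -]{1,10}");
    // "(" and ")" additionally allowed for duplicate names such as "photo (1).png".
    private static final Pattern WITH_PARENS =
            Pattern.compile("[a-zA-Z0-9_ ()-]{1,4086}\\.[a-zA-Z0-9_ -]{1,10}");

    static boolean isAllowedName(String fileToCheck, List<Path> trustedRoots) {
        if (fileToCheck.length() > 4096) {
            return false; // same length limit as the quoted block
        }
        Path p = Paths.get(fileToCheck).toAbsolutePath().normalize();
        Path namePart = p.getFileName();
        if (namePart == null) {
            return false; // a bare root has no file name to validate
        }
        // Compare normalized path prefixes instead of a substring test, so
        // "../" segments cannot make an outside path look trusted.
        boolean trusted = trustedRoots.stream()
                .anyMatch(root -> p.startsWith(root.toAbsolutePath().normalize()));
        return (trusted ? WITH_PARENS : STRICT).matcher(namePart.toString()).matches();
    }

    public static void main(String[] args) {
        // Constructed directories standing in for the image server path and
        // the content.upload.path.prefix value.
        List<Path> roots = List.of(Paths.get("/srv/images"), Paths.get("/srv/uploads"));
        String[] samples = { // constructed sample paths
            "/srv/uploads/AAAAJPJ1.JPEG",
            "/srv/uploads/AAAAJPJ1 (1).png",
            "/tmp/AAAAJPJ1 (1).png",
            "/srv/uploads/../../tmp/x (1).png",
            "/srv/uploads/noextension",
            "/srv/uploads/page.jsp;.png"
        };
        for (String s : samples) {
            System.out.printf("%-36s %s%n", s, isAllowedName(s, roots) ? "accepted" : "rejected");
        }
    }
}
```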
