Hi Guys,

Just say.. please use this URL https://demo-trunk.ofbiz.apache.org/ecommerce/control/main, using profile page of DemoCustomer user try to upload attached file (AAAAJPJ1.JPEG,AAAAJPJ1.png) or any

Step 1: go to the e-commerce website, login as DemoCustomer
Step 2: go to profile page, find party content uploaded / File Manager
Step 3: add/browse a file
Step 4: Select Purpose - Internal Content/User Defined Content and click to upload

On Thu, Apr 15, 2021 at 4:08 PM Jacques Le Roux <[email protected]> wrote:

> For instance, do you use a URL?
>
> On 15/04/2021 at 11:20, Jacques Le Roux wrote:
> > Hi Shrilesh,
> >
> > It works for me with files named GCS_009.jpg and GCS_004.jpeg
> >
> > You mentioned content.upload.path.prefix. Did you set a value there and if yes which one?
> >
> > Jacques
> >
> > On 15/04/2021 at 10:07, Shrilesh Korgaonkar wrote:
> >> Hi Jacques,
> >>
> >> Step 1: go to the e-commerce website, login as DemoCustomer
> >> Step 2: go to profile page, find party content uploaded / File Manager
> >> Step 3: add/browse a file
> >> Step 4: Select Purpose - Internal Content/User Defined Content and click to upload
> >>
> >> you will get the same error
> >> the file is getting uploaded but at the end of
> >> *DataServices.groovy
> >> ---> def attachUploadToDataResource()
> >> ---> return saveLocalFileDataResource(parameters.dataResourceTypeId)
> >> ---> result = run service: "createAnonFile", with: fileCtx
> >> ---> createFileNoPerm
> >> ---> createFileMethod(dctx, context);
> >> ---> if (!org.apache.ofbiz.security.SecuredUpload.isValidFile(file.getAbsolutePath(), "Text", delegator))
> >> ---> return ServiceUtil.returnError(errorMessage);*
> >> Due to the issue I talked about above
> >>
> >> I also uploaded that file which I'm using to upload on party content uploaded
> >> name of the file which I'm uploading (AAAAJPJ1.JPEG,AAAAJPJ1.png)
> >> And screenshots of the demo website, and I also tried locally
> >>
> >> Regards,
> >> Shrilesh K.
> >>
> >> On Wed, Apr 14, 2021 at 11:06 PM Jacques Le Roux <[email protected]> wrote:
> >>
> >> Hi Shrilesh,
> >>
> >> In which cases exactly are the file names rejected (length, name, etc.)? We can also consider the content.upload.path.prefix indeed...
> >>
> >> Jacques
> >>
> >> On 14/04/2021 at 17:24, Shrilesh Korgaonkar wrote:
> >> > Hi Guys,
> >> >
> >> > While performing testing of
> >> > https://issues.apache.org/jira/browse/OFBIZ-10746 issue reported a while
> >> > back, I have noticed that if I try uploading a file it now fails for
> >> > different reasons as the file name is being considered invalid
> >> >
> >> > At first glance, it looks like due to fixes introduced recently due to
> >> > below issues
> >> > 1. Secure the uploads (OFBIZ-12080)
> >> > 2. addImageForProduct fails (OFBIZ-12211)
> >> >
> >> > Of course, it could be bypassed for now by setting property
> >> > *allowAllUploads=true
> >> > *security.properties.
> >> >
> >> > However, was wondering if the below code block from class
> >> > *SecuredUpload.java* should have allowed URLs that also contain
> >> > *content.upload.path.prefix* value? same as what is being done for product
> >> > image URLs.
> >> >
> >> >         if (fileToCheck.length() > 4096) {
> >> >             Debug.logError("Uploaded file name too long", MODULE);
> >> >             return false;
> >> >         *} else if (p.toString().contains(imageServerUrl)) {*
> >> >             if (file.matches("[a-zA-Z0-9-_ ()]{1,4086}.[a-zA-Z0-9-_ ]{1,10}")) { // "(" and ")" for duplicates files
> >> >                 wrongFile = false;
> >> >             } else if (!file.matches("[a-zA-Z0-9-_ ]{1,4086}.[a-zA-Z0-9-_ ]{1,10}")) {
> >> >                 wrongFile = false;
> >> >             }
> >> >         }
> >> >
> >> > Let me know what the thoughts are and if need be happy to raise an issue so
> >> > that it could be tracked
> >> >
> >> > Regards,
> >> > Shrilesh K.
> >> >
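
An added example, not OFBiz code and not written by anyone in this thread: it applies the first file-name pattern quoted above to a bare name, to an absolute path, and to a path checked against an upload prefix before only its last component is validated. The class name, the helper names and the `/tmp/uploads` prefix are assumptions; the file names are the ones mentioned in the thread.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

public class UploadNameCheckDemo {
    // First file-name pattern from the SecuredUpload snippet quoted in the thread.
    static final Pattern NAME =
            Pattern.compile("[a-zA-Z0-9-_ ()]{1,4086}.[a-zA-Z0-9-_ ]{1,10}");

    // Length limit and pattern match, mirroring the quoted snippet.
    static boolean nameAllowed(String candidate) {
        return candidate.length() <= 4096 && NAME.matcher(candidate).matches();
    }

    // Hypothetical helper: accept an absolute path only when it lies under the
    // configured upload prefix, then validate its last component alone.
    static boolean allowedUnderPrefix(String absolutePath, String uploadPrefix) {
        Path path = Paths.get(absolutePath).normalize();   // collapses "." and ".."
        Path prefix = Paths.get(uploadPrefix).normalize();
        // Path.startsWith compares whole path components, unlike String.contains.
        if (!path.startsWith(prefix)) {
            return false;
        }
        Path name = path.getFileName();
        return name != null && nameAllowed(name.toString());
    }

    public static void main(String[] args) {
        // Constructed value standing in for content.upload.path.prefix.
        String prefix = "/tmp/uploads";
        String[] names = {"AAAAJPJ1.JPEG", "AAAAJPJ1.png", "GCS_009.jpg", "GCS_004.jpeg"};
        for (String n : names) {
            String abs = prefix + "/" + n;
            System.out.printf("%-14s bare=%b absolute=%b underPrefix=%b%n",
                    n, nameAllowed(n), nameAllowed(abs), allowedUnderPrefix(abs, prefix));
        }
        // Constructed path that leaves the prefix once normalised.
        System.out.println("outside prefix: "
                + allowedUnderPrefix("/tmp/uploads/../other/AAAAJPJ1.png", prefix));
    }
}
```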
