Hi Jacques,

Thank you for the patch, it's working now.

Regards,
Shrilesh K.

On Thu, Apr 15, 2021 at 10:34 PM Jacques Le Roux <[email protected]> wrote:

> Hi Shrilesh,
>
> I found the issue. I have attached a patch at
> https://issues.apache.org/jira/browse/OFBIZ-12080
>
> Please test on your side after applying the patch and confirm it's OK with you.
>
> TIA
>
> Jacques
>
> On 15/04/2021 at 17:48, Jacques Le Roux wrote:
> > Hi,
> >
> > This was not my question. I wanted to know if you set a value to
> > content.upload.path.prefix, if yes which one, maybe a URL (which should not be
> > used in content.upload.path.prefix, as the comment in content.properties says).
> >
> > This mailing list does not accept attachments, but anyway if your file
> > name is "AAAAJPJ1.JPEG,AAAAJPJ1.png" (not 2 files AAAAJPJ1.JPEG or
> > AAAAJPJ1.png) then it can't work, as the message says:
> >
> > << For security reason only valid files of supported image formats
> > (GIF, JPEG, PNG, TIFF), SVG, PDF, and ZIP or text files with safe names (only
> > Alpha-Numeric characters, hyphen, underscore and spaces, only 1 dot,
> > name and extension not empty) and contents are accepted.>>
> >
> > This said, I have tried locally and it works for AAAAJPJ1.JPEG but
> > weirdly not on the trunk demo indeed. I guess it's because I use Windows and
> > the trunk demo is on Ubuntu.
> >
> > I'll check that and will get back to you.
> >
> > Thanks for reporting
> >
> > Jacques
> >
> > On 15/04/2021 at 14:47, Shrilesh Korgaonkar wrote:
> >> Hi Guys,
> >> Just say.. please use this URL
> >> https://demo-trunk.ofbiz.apache.org/ecommerce/control/main, using the
> >> profile page of the DemoCustomer user try to upload the attached file
> >> (AAAAJPJ1.JPEG,AAAAJPJ1.png) or any.
> >>
> >> Step 1: go to the e-commerce website, log in as DemoCustomer
> >> Step 2: go to the profile page, find Party Content Uploaded / File Manager
> >> Step 3: add/browse a file
> >> Step 4: select Purpose - Internal Content/User Defined Content and click to upload
> >>
> >>
> >> On Thu, Apr 15, 2021 at 4:08 PM Jacques Le Roux <[email protected]> wrote:
> >>
> >>     For instance, do you use a URL?
> >>
> >>     On 15/04/2021 at 11:20, Jacques Le Roux wrote:
> >>     > Hi Shrilesh,
> >>     >
> >>     > It works for me with files named GCS_009.jpg and GCS_004.jpeg
> >>     >
> >>     > You mentioned content.upload.path.prefix. Did you set a value
> >>     > there and if yes which one?
> >>     >
> >>     > Jacques
> >>     >
> >>     > On 15/04/2021 at 10:07, Shrilesh Korgaonkar wrote:
> >>     >> Hi Jacques,
> >>     >>
> >>     >> Step 1: go to the e-commerce website, log in as DemoCustomer
> >>     >> Step 2: go to the profile page, find Party Content Uploaded / File Manager
> >>     >> Step 3: add/browse a file
> >>     >> Step 4: select Purpose - Internal Content/User Defined Content and click to upload
> >>     >>
> >>     >> You will get the same error.
> >>     >> The file is getting uploaded but fails at the end of
> >>     >> DataServices.groovy
> >>     >> ---> def attachUploadToDataResource()
> >>     >> ---> return saveLocalFileDataResource(parameters.dataResourceTypeId)
> >>     >> ---> result = run service: "createAnonFile", with: fileCtx
> >>     >> ---> createFileNoPerm
> >>     >> ---> createFileMethod(dctx, context);
> >>     >> ---> if (!org.apache.ofbiz.security.SecuredUpload.isValidFile(file.getAbsolutePath(), "Text", delegator))
> >>     >> ---> return ServiceUtil.returnError(errorMessage);
> >>     >> Due to the issue I talked about above.
> >>     >>
> >>     >> I also uploaded the file which I'm using to upload on Party Content Uploaded;
> >>     >> the name of the file which I'm uploading is (AAAAJPJ1.JPEG,AAAAJPJ1.png),
> >>     >> and screenshots of the demo website. I also tried locally.
> >>     >>
> >>     >> Regards,
> >>     >> Shrilesh K.
> >>     >>
> >>     >> On Wed, Apr 14, 2021 at 11:06 PM Jacques Le Roux <[email protected]> wrote:
> >>     >>
> >>     >>     Hi Shrilesh,
> >>     >>
> >>     >>     In which cases exactly are the file names rejected (length,
> >>     >>     name, etc.)? We can also consider the content.upload.path.prefix indeed...
> >>     >>
> >>     >>     Jacques
> >>     >>
> >>     >>     On 14/04/2021 at 17:24, Shrilesh Korgaonkar wrote:
> >>     >>     > Hi Guys,
> >>     >>     >
> >>     >>     > While performing testing of
> >>     >>     > https://issues.apache.org/jira/browse/OFBIZ-10746, an issue reported a while
> >>     >>     > back, I have noticed that if I try uploading a file it now fails for
> >>     >>     > different reasons, as the file name is being considered invalid.
> >>     >>     >
> >>     >>     > At first glance, it looks like it is due to fixes introduced recently for the
> >>     >>     > below issues:
> >>     >>     > 1. Secure the uploads (OFBIZ-12080)
> >>     >>     > 2. addImageForProduct fails (OFBIZ-12211)
> >>     >>     >
> >>     >>     > Of course, it could be bypassed for now by setting the property
> >>     >>     > allowAllUploads=true in security.properties.
> >>     >>     >
> >>     >>     > However, I was wondering if the below code block from class
> >>     >>     > SecuredUpload.java should have allowed URLs that also contain the
> >>     >>     > content.upload.path.prefix value, the same as what is being done for product
> >>     >>     > image URLs.
> >>     >>     >
> >>     >>     >     if (fileToCheck.length() > 4096) {
> >>     >>     >         Debug.logError("Uploaded file name too long", MODULE);
> >>     >>     >         return false;
> >>     >>     >     } else if (p.toString().contains(imageServerUrl)) {
> >>     >>     >         if (file.matches("[a-zA-Z0-9-_ ()]{1,4086}.[a-zA-Z0-9-_ ]{1,10}")) { // "(" and ")" for duplicates files
> >>     >>     >             wrongFile = false;
> >>     >>     >         } else if (!file.matches("[a-zA-Z0-9-_ ]{1,4086}.[a-zA-Z0-9-_ ]{1,10}")) {
> >>     >>     >             wrongFile = false;
> >>     >>     >         }
> >>     >>     >     }
> >>     >>     >
> >>     >>     > Let me know what the thoughts are and if need be I am happy to raise an issue so
> >>     >>     > that it could be tracked.
> >>     >>     >
> >>     >>     >
> >>     >>     > Regards,
> >>     >>     > Shrilesh K.
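The thread quotes the rule SecuredUpload applies to uploaded file names (alphanumerics, hyphen, underscore and spaces, exactly one dot, name and extension both non-empty) and debates which upload locations (the product image directory and content.upload.path.prefix) the check should accept. The following is an added, stand-alone illustration of those two checks in Python, written for this page and not taken from OFBiz: the character classes follow the Java regex quoted above but the dot is escaped so it only matches a literal '.', the location test is a resolved-prefix comparison rather than a substring test (a design choice of this example), and the two root directories, the file names and the paths are constructed sample values. Only POSIX separators are handled, so it does not model the Windows/Ubuntu difference mentioned in the thread.

```python
"""Safe file-name and upload-location checks, in the spirit of the rule
quoted in the thread.  Added example, not OFBiz code."""
import posixpath
import re
from typing import Iterable, Tuple

# Length bound as quoted in the thread.
MAX_PATH_LEN = 4096

# Same classes as the quoted Java pattern, with the dot escaped so that exactly
# one literal '.' separates a non-empty name from a non-empty extension.
# '(' and ')' are allowed so that "name (1).jpg" style duplicates pass.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9_\- ()]{1,4086}\.[A-Za-z0-9_\- ]{1,10}$")

# Constructed sample roots standing in for the image server directory and
# content.upload.path.prefix (hypothetical values).
ALLOWED_ROOTS = [
    "/ofbiz/runtime/uploads/images",
    "/ofbiz/runtime/uploads/content",
]


def is_safe_filename(name: str) -> bool:
    """True only for names such as 'AAAAJPJ1.JPEG' or 'GCS_009 (1).jpg'.
    A comma, a slash or a second dot fails the full match."""
    return SAFE_NAME_RE.fullmatch(name) is not None


def is_under_allowed_root(path: str, allowed_roots: Iterable[str]) -> bool:
    """True if the normalised absolute path sits inside one of the roots.
    normpath collapses '..' first, so a traversal sequence cannot be used to
    leave the upload directory; the trailing '/' stops '/uploads/contentX'
    from matching the root '/uploads/content'."""
    norm = posixpath.normpath(path)
    if not posixpath.isabs(norm):
        return False
    for root in allowed_roots:
        root_norm = posixpath.normpath(root)
        if norm == root_norm or norm.startswith(root_norm.rstrip("/") + "/"):
            return True
    return False


def is_valid_upload_path(path: str, allowed_roots: Iterable[str]) -> Tuple[bool, str]:
    """Combine the three checks and report which one rejected the path."""
    if len(path) > MAX_PATH_LEN:
        return False, "Uploaded file name too long"
    if not is_under_allowed_root(path, allowed_roots):
        return False, "file is outside the configured upload locations"
    if not is_safe_filename(posixpath.basename(posixpath.normpath(path))):
        return False, "unsafe file name"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs, including the two names from the thread.
    samples = [
        "/ofbiz/runtime/uploads/content/AAAAJPJ1.JPEG",
        "/ofbiz/runtime/uploads/content/AAAAJPJ1.JPEG,AAAAJPJ1.png",
        "/ofbiz/runtime/uploads/images/GCS_009 (1).jpg",
        "/ofbiz/runtime/uploads/content/../../../etc/passwd",
        "/ofbiz/runtime/uploads/contentX/evil.jpg",
    ]
    for sample in samples:
        ok, reason = is_valid_upload_path(sample, ALLOWED_ROOTS)
        print(f"{'ACCEPT' if ok else 'REJECT'}  {sample}  ({reason})")
```

Run it as a script to see each sample path accepted or rejected with the reason; the comma-joined name from the thread fails the name check because the comma is outside the allowed classes and because the full match permits only one dot.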
