This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/trunk by this push: new e3ec08b Fixed: Secure the uploads (OFBIZ-12080) e3ec08b is described below commit e3ec08bddcbfbf0ffe68b0579c5b29b022baa196 Author: Jacques Le Roux <jacques.le.r...@les7arts.com> AuthorDate: Fri Mar 26 19:13:07 2021 +0100 Fixed: Secure the uploads (OFBIZ-12080) Fixes an issue reported by 赖涵 <1044309...@qq.com>: "Any file upload and delete in latest Apache OFBiz" It was a simple syntax error on my side
---
 .../src/main/java/org/apache/ofbiz/security/SecuredUpload.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
index caab84c..aa2ce62 100644
--- a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
+++ b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
@@ -217,10 +217,10 @@ public class SecuredUpload {
 Path filePath = Paths.get(fileName);
 byte[] bytesFromFile = Files.readAllBytes(filePath);
 ImageFormat imageFormat = Imaging.guessFormat(bytesFromFile);
- return imageFormat.equals(ImageFormats.PNG)
+ return (imageFormat.equals(ImageFormats.PNG)
 || imageFormat.equals(ImageFormats.GIF)
 || imageFormat.equals(ImageFormats.TIFF)
- || imageFormat.equals(ImageFormats.JPEG)
+ || imageFormat.equals(ImageFormats.JPEG))
 && imageMadeSafe(fileName);
 }
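Review bot: The sanitisation guarantee in this return statement still depends on a single pair of parentheses inside a mixed `||`/`&&` chain, the same construct that failed before: on the removed lines `&&` bound only to the JPEG comparison, so PNG, GIF and TIFF files returned true without `imageMadeSafe(fileName)` being evaluated. Separating the two concerns would make the precedence impossible to regress, for example by assigning the four format comparisons to a local `boolean allowedFormat` and ending with `return allowedFormat && imageMadeSafe(fileName);`, preceded by a comment such as `// every accepted format must pass imageMadeSafe`. The diffstat shows only this one file changed, so no regression test covering a non-JPEG format accompanies the fix; adding one would pin the corrected behaviour. The method's signature and the rest of its body lie outside the hunk, so how `fileName` is validated before this point cannot be judged from here.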