BTW, there is already a Jira for that:
https://issues.apache.org/jira/browse/OFBIZ-12639
Any help is welcome :)
On 08/09/2024 at 17:03, Jacques Le Roux wrote:
Hi Groza,
After facing several webshell uploads I made SecuredUpload.java as secure as
possible OOTB.
I see 2 options here:
* Increase maxLineLength in security.properties (could be insecure, but not
that bad)
* Improve SecuredUpload by having a special treatment for Images at line 209
HTH
Jacques
On 07/09/2024 at 12:52, Groza Danut wrote:
Hi,
Have you tried to add an image to a product? I get an error message saying
type unsupported for security reasons, even if the file type is .jpeg.
When debugging I found that ProductServices.addAdditionalViewForProduct is
called.
At line 1083: org.apache.ofbiz.security.SecuredUpload.isValidFile is called.
Inside SecuredUpload line 254: checkMaxLinesLength throws an error, since
this is a jpeg file.
As far as I see it, isValidFile should not checkMaxLinesLength if
the fileType is IMAGE.
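
Added example, not part of the thread and not OFBiz code: a sketch of the "special treatment for images" idea discussed above, where image uploads are validated by signature and decoding instead of by a text-oriented line-length check. The class, method names and the limit value are assumptions made for the sketch.

```java
import java.awt.image.BufferedImage;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.imageio.ImageIO;

// Hypothetical names throughout; this does not reproduce SecuredUpload.java.
public class UploadCheckSketch {
    static final int MAX_LINE_LENGTH = 10_000; // assumed limit for the sketch

    // Text-oriented check: reject if any run of bytes between CR/LF exceeds the limit.
    static boolean linesWithinLimit(byte[] data, int limit) {
        int current = 0;
        for (byte b : data) {
            if (b == '\n' || b == '\r') {
                current = 0;
            } else if (++current > limit) {
                return false;
            }
        }
        return true;
    }

    // Image check: JPEG signature (FF D8 FF) first, then require a successful decode.
    static boolean isDecodableJpeg(byte[] d) {
        if (d.length < 3 || (d[0] & 0xFF) != 0xFF || (d[1] & 0xFF) != 0xD8 || (d[2] & 0xFF) != 0xFF) {
            return false;
        }
        try {
            return ImageIO.read(new ByteArrayInputStream(d)) != null;
        } catch (IOException e) {
            return false; // corrupt or truncated image data is rejected
        }
    }

    // Dispatch on the declared type: images never reach the line-length check.
    static boolean isValid(byte[] data, boolean declaredImage) {
        return declaredImage ? isDecodableJpeg(data) : linesWithinLimit(data, MAX_LINE_LENGTH);
    }

    public static void main(String[] args) throws IOException {
        // Constructed samples: a generated 64x64 JPEG and plain text declared as an image.
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ImageIO.write(new BufferedImage(64, 64, BufferedImage.TYPE_INT_RGB), "jpg", out);
        byte[] jpeg = out.toByteArray();
        byte[] text = "plain text named photo.jpeg\n".getBytes(StandardCharsets.US_ASCII);
        System.out.println("real JPEG declared as image: " + isValid(jpeg, true));
        System.out.println("text declared as image:      " + isValid(text, true));
    }
}
```

Skipping the line-length check for images should not mean skipping the other content checks a validator applies to uploads.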