[ https://issues.apache.org/jira/browse/OFBIZ-12639?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17755953#comment-17755953 ]
Jacques Le Roux edited comment on OFBIZ-12639 at 8/18/23 4:19 PM:
------------------------------------------------------------------

[~jleroux] There seems to be another issue with the SecureUpload. The "isValidImageFile" method includes the "isValidTextFile" method that includes "isValidText". This method checks for {code}'+' and \"+\"{code}

Sometimes the source of an image includes these chars - there is no vicious purpose behind it + I do not see a solution for how this can be prevented. It also happens that uploading an image creates image scales including these chars. The result is an uploaded "original" file but no scales.

Would it be a bad idea to disable the "ALLOWSTRINGCONCATENATIONINUPLOADEDFILES" for certain types of files like images, pdf? Maybe in combination with a special upload permission? Does it even make sense with images, pdf? I want to keep the system on my side as secure as possible, but uploading an image should not presume a degree in computer science.

was (Author: iwolf):

[~jleroux] There seems to be another issue with the SecureUpload. The "isValidImageFile" method includes the "isValidTextFile" method that includes "isValidText". This method checks for '+' and \"+\"

Sometimes the source of an image includes these chars - there is no vicious purpose behind it + I do not see a solution for how this can be prevented. It also happens that uploading an image creates image scales including these chars. The result is an uploaded "original" file but no scales.

Would it be a bad idea to disable the "ALLOWSTRINGCONCATENATIONINUPLOADEDFILES" for certain types of files like images, pdf? Maybe in combination with a special upload permission? Does it even make sense with images, pdf? I want to keep the system on my side as secure as possible, but uploading an image should not presume a degree in computer science.
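As an added illustration of the false positive the comment describes (example code written for this page, not OFBiz's SecuredUploads code): a text-oriented scan for quoted '+' markers rejects a perfectly valid PNG whose metadata happens to contain that byte sequence, whereas a check that validates images by file signature and reserves the marker scan for text uploads accepts it. The function names, the signature table and the constructed PNG are assumptions for the example.

```python
import struct
import zlib

# Markers the ticket's text check rejects: quoted '+' string concatenation.
CONCAT_MARKERS = (b"'+'", b'"+"')

# Leading bytes of the image formats this example accepts (constructed
# table for the example, not OFBiz's own list).
IMAGE_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

def naive_text_check(data: bytes) -> bool:
    """Reject any payload containing a concatenation marker, whatever its type."""
    return not any(marker in data for marker in CONCAT_MARKERS)

def detect_image(data: bytes):
    """Return the format name whose signature the payload starts with, else None."""
    for name, sigs in IMAGE_SIGNATURES.items():
        if any(data.startswith(sig) for sig in sigs):
            return name
    return None

def typed_check(data: bytes, declared: str) -> bool:
    """Apply the text scan only to text uploads; validate images by signature."""
    expected = {"jpg": "jpeg"}.get(declared, declared)
    detected = detect_image(data)
    if expected in IMAGE_SIGNATURES:
        return detected == expected  # binary upload: signature must match declared type
    return detected is None and naive_text_check(data)  # text upload: no image bytes, no markers

def build_png_with_comment(comment: bytes) -> bytes:
    """Constructed 1x1 PNG carrying `comment` in a tEXt chunk (legal metadata)."""
    def chunk(tag: bytes, body: bytes) -> bytes:
        crc = zlib.crc32(tag + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit grayscale
    idat = zlib.compress(b"\x00\x00")                     # filter byte + one pixel
    return (IMAGE_SIGNATURES["png"][0] + chunk(b"IHDR", ihdr)
            + chunk(b"tEXt", b"Comment\x00" + comment)
            + chunk(b"IDAT", idat) + chunk(b"IEND", b""))

if __name__ == "__main__":
    png = build_png_with_comment(b"exported by tool v1 '+' build")
    print("naive check on PNG:", naive_text_check(png))    # False: false positive
    print("typed check on PNG:", typed_check(png, "png"))  # True
```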
> Upload image size issue
> -----------------------
>
>                 Key: OFBIZ-12639
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12639
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: product/catalog
>    Affects Versions: Upcoming Branch
>            Reporter: Ingo Wolfmayr
>            Priority: Major
>         Attachments: 40000054.png, test.jpeg
>
>
> I tried to upload an image > 3MB and it fails as the line length > 10000.
> Does this security check make sense for images? Attached you will find the image.
> Additional to that, the security message is misleading: "For security reason only valid files of supported image formats..."
> Responsible code can be found in: SecuredUploads.java (line 205) & DataServices.java (line 216)

--
This message was sent by Atlassian Jira
(v8.20.10#820010)