[ https://issues.apache.org/jira/browse/OFBIZ-12639?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17756249#comment-17756249 ]

Jacques Le Roux commented on OFBIZ-12639:
-----------------------------------------

Hi Ingo,

Attackers can put webshells, or other attack types, inside 
[PDF|https://redmethod.hashnode.dev/testing-file-upload-mechanism] and 
[images|https://www.reversinglabs.com/blog/malware-in-images] that are actually 
text files (i.e. not bins). I already faced that. That's why OOTB we have to 
check those file types using isValidTextFile, hence isValidText. That's when 
all file types are allowed, which is most cases in OFBiz (look for 
{{SecuredUpload.isValidFile(*, "All",}})

You can set allowStringConcatenationInUploadedFiles to true in 
security.properties if you don't fear external uploads (i.e. users w/o rights, 
intrusions). I can't think of a better mechanism, SecuredUpload is already 
pretty complex. Another option is to use isValidPdfFile in your custom code. 
It's harder for images.
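An added example (not OFBiz's SecuredUpload code) of the distinction drawn in the comment above: a content-based gate that runs text-oriented checks such as the 10000-byte line-length rule only when the uploaded bytes really are text, whatever the extension claims, so a genuine binary image is not rejected for a "long line" while a text file wearing an image or PDF extension still gets inspected. The magic-byte table, the script markers and the sample files are constructed assumptions.

```python
from typing import Tuple

# Magic bytes for the declared binary types this example accepts (constructed table).
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",), "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}
MAX_TEXT_LINE = 10000                              # threshold from the issue, text only
SCRIPT_MARKERS = (b"<?php", b"<%", b"<script")     # markers a text upload should not carry

def looks_like_text(data: bytes) -> bool:
    """Real images carry NUL/high bytes early; a text file decodes cleanly without NULs."""
    sample = data[:4096]
    if b"\x00" in sample:
        return False
    try:
        sample.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True

def longest_line(data: bytes) -> int:
    """What a naive line-length check sees, even on binary data."""
    return max(len(line) for line in data.split(b"\n"))

def check_upload(data: bytes, ext: str) -> Tuple[bool, str]:
    ext = ext.lower().lstrip(".")
    if ext in MAGIC and not any(data.startswith(m) for m in MAGIC[ext]):
        return False, f"declared .{ext} but magic bytes do not match"
    if not looks_like_text(data):
        if ext in MAGIC:
            return True, "binary content matches declared type"   # line rules do not apply
        return False, f"declared .{ext} but content is binary"
    # Text content, whatever the extension says: apply the text-oriented checks.
    lowered = data.lower()
    if any(m in lowered for m in SCRIPT_MARKERS):
        return False, "script marker found in text content"
    if longest_line(data) > MAX_TEXT_LINE:
        return False, f"line longer than {MAX_TEXT_LINE} bytes"
    return True, "text content passes checks"

# Constructed samples: a PNG-shaped binary with 12 KB and no newline after the
# signature, a text file wearing .png, and an ASCII "PDF" carrying a script marker.
FILLER = bytes(b for b in range(1, 256) if b != 0x0A) * 50
REAL_PNG = MAGIC["png"][0] + b"\x00\x00\x00\rIHDR" + FILLER
FAKE_PNG = b"<?php /* constructed webshell placeholder */ ?>\n"
FAKE_PDF = b"%PDF-1.4\n% constructed\n<?php /* constructed webshell placeholder */ ?>\n"
```

Run with `check_upload(REAL_PNG, "png")`: the PNG is accepted although `longest_line(REAL_PNG)` exceeds 10000, while `FAKE_PNG` fails on magic bytes and `FAKE_PDF` fails on the text checks.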

> Upload image size issue
> -----------------------
>
>                 Key: OFBIZ-12639
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12639
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: product/catalog
>    Affects Versions: Upcoming Branch
>            Reporter: Ingo Wolfmayr
>            Priority: Major
>         Attachments: 40000054.png, test.jpeg
>
>
> I tried to upload an image > 3MB and it fails as the line length > 10000.
> Does this security check make sense for images? Attached you will find the 
> image.
> In addition to that, the security message is misleading: For security reason 
> only valid files of supported image formats...
> Responsible code can be found in: SecuredUploads.java (line 205) & 
> DataServices.java (line 216)



--
This message was sent by Atlassian Jira
(v8.20.10#820010)