[ https://issues.apache.org/jira/browse/OFBIZ-12639?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17757034#comment-17757034 ]
Jacques Le Roux commented on OFBIZ-12639:
-----------------------------------------

Hi Ingo,

First, as you may have noticed, SecuredUpload::isValidFile is used in several different situations, not only in ContentManagementServices, and also has not been built in one pass. That may help understand its first glance complexity, which is actually not really one :)

I'm not sure which upload method you are talking about. It looks like using the imageData from context is something I did not spot in ContentManagementServices::persistDataResourceAndDataMethod or maybe I thought the "imageData" was already sanitised.

Anyway I understand what you are doing with your initial patch and that sounds like the way to go in, at least, the case. BTW I think we could then get rid of ContentManagementServices::validateUploadedFile as already commented.

DataServices and EbayStore classes should not be concerned since persistDataResourceAndDataMethod should have sanitised imageData. Something to check though...

I tend to agree with you with unnecessarily sanitising scaled images. Of course something to check ;)

> Upload image size issue
> -----------------------
>
> Key: OFBIZ-12639
> URL: https://issues.apache.org/jira/browse/OFBIZ-12639
> Project: OFBiz
> Issue Type: Improvement
> Components: product/catalog
> Affects Versions: Upcoming Branch
> Reporter: Ingo Wolfmayr
> Priority: Major
> Attachments: 40000054.png, RerenderPatch_notready.patch, test.jpeg
>
>
> I tried to upload an image > 3MB and it fails as the line length > 10000
> Does this security check make sense for images? Attached you will find the
> image.
> Additional to that, the security message is misleading: For security reason
> only valid files of supported image formats...
> Responsible code can be found in: SecuredUploads.java (line 205) &
> DataServices.java (line 216)

--
This message was sent by Atlassian Jira (v8.20.10#820010)