[ 
https://issues.apache.org/jira/browse/OFBIZ-12639?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17757034#comment-17757034
 ] 

Jacques Le Roux commented on OFBIZ-12639:
-----------------------------------------

Hi Ingo,

First, as you may have noticed, SecuredUpload::isValidFile is used in several 
different situations, not only in ContentManagementServices, and also has not 
been built in one pass. That may help to understand its first-glance complexity, 
which is actually not really one :)

I'm not sure which upload method you are talking about. It looks like using the 
imageData from context is something I did not spot in 
ContentManagementServices::persistDataResourceAndDataMethod, or maybe I thought 
the "imageData" was already sanitised.

Anyway, I understand what you are doing with your initial patch and that sounds 
like the way to go in, at least, the case. BTW I think we could then get rid 
of ContentManagementServices::validateUploadedFile, as already commented.

DataServices and EbayStore classes should not be concerned since 
persistDataResourceAndDataMethod should have sanitised imageData. Something to 
check though...


I tend to agree with you about unnecessarily sanitising scaled images. Of course 
something to check ;)

> Upload image size issue
> -----------------------
>
>                 Key: OFBIZ-12639
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12639
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: product/catalog
>    Affects Versions: Upcoming Branch
>            Reporter: Ingo Wolfmayr
>            Priority: Major
>         Attachments: 40000054.png, RerenderPatch_notready.patch, test.jpeg
>
>
> I tried to upload an image > 3MB and it fails as the line length is > 10000.
> Does this security check make sense for images? Attached you will find the 
> image.
> In addition to that, the security message is misleading: For security reason 
> only valid files of supported image formats...
> Responsible code can be found in: SecuredUploads.java (line 205) & 
> DataServices.java (line 216)



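The ticket asks whether a 10000-character line-length check makes sense for image uploads. As an added example (not OFBiz code and not one of the ticket's attachments), the Python below builds a small valid PNG in memory and shows that the line-length heuristic rejects it while a structural PNG check (signature, chunk CRCs, IHDR first, IEND last) accepts it; the 10000 threshold is the one from the ticket, all function names are mine.

```python
import struct
import zlib

# Threshold from the ticket: a line longer than this makes the upload check fail.
MAX_LINE_LENGTH = 10000

def make_png(width, height, pixel):
    """Build a minimal valid 8-bit RGB PNG in memory (constructed sample, not a ticket attachment)."""
    def chunk(tag, data):
        body = tag + data
        return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)
    # One filter byte (0 = None) per scanline followed by the raw RGB pixels.
    raw = b"".join(b"\x00" + bytes(pixel) * width for _ in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    # Level 0 = stored deflate blocks, so the pixel bytes stay uncompressed (and newline-free).
    return (b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(raw, 0)) + chunk(b"IEND", b""))

def longest_line(data):
    """The line-length heuristic: binary image data rarely contains 0x0A, so its 'lines' get very long."""
    return max(len(line) for line in data.split(b"\n"))

def looks_like_png(data):
    """Structural check: PNG signature, IHDR first, a valid CRC on every chunk, IEND last."""
    if not data.startswith(b"\x89PNG\r\n\x1a\n"):
        return False
    pos, tags = 8, []
    while pos + 12 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        tag = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc) != 4:
            return False  # truncated chunk
        if struct.unpack(">I", crc)[0] != (zlib.crc32(tag + body) & 0xFFFFFFFF):
            return False  # corrupted or forged chunk
        tags.append(tag)
        pos += 12 + length
        if tag == b"IEND":
            break
    return pos == len(data) and tags[:1] == [b"IHDR"] and tags[-1:] == [b"IEND"]

if __name__ == "__main__":
    sample = make_png(4000, 3, (0x41, 0x42, 0x43))  # 4000 px wide, 3 rows, constructed pixels
    print("longest line:", longest_line(sample), "-> heuristic rejects:", longest_line(sample) > MAX_LINE_LENGTH)
    print("structurally valid PNG:", looks_like_png(sample))
```

A real upload path would additionally decode the bytes with an image library and compare the declared dimensions against limits; the point here is that "line length" measures nothing meaningful for binary formats.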
--
This message was sent by Atlassian Jira
(v8.20.10#820010)