Hi Shrilesh,

In which cases exactly are the file names rejected (length, name, etc.)? We 
can also consider the content.upload.path.prefix indeed...

Jacques

On 14/04/2021 at 17:24, Shrilesh Korgaonkar wrote:
Hi Guys,

While performing testing of
https://issues.apache.org/jira/browse/OFBIZ-10746 issue reported a while
back, I have noticed that if I try uploading a file it now fails for
different reasons as the file name is being considered invalid.

At first glance, it looks like this is due to fixes introduced recently for
the issues below:
1. Secure the uploads (OFBIZ-12080)
2. addImageForProduct fails (OFBIZ-12211)

Of course, it could be bypassed for now by setting property
*allowAllUploads=true* in *security.properties*.

However, I was wondering if the below code block from class
*SecuredUpload.java* should have allowed URLs that also contain the
*content.upload.path.prefix* value, the same as what is being done for product
image URLs?



if (fileToCheck.length() > 4096) {
    Debug.logError("Uploaded file name too long", MODULE);
    return false;
*} else if (p.toString().contains(imageServerUrl)) {*
    if (file.matches("[a-zA-Z0-9-_ ()]{1,4086}.[a-zA-Z0-9-_ ]{1,10}")) { // "(" and ")" for duplicates files
        wrongFile = false;
    } else if (!file.matches("[a-zA-Z0-9-_ ]{1,4086}.[a-zA-Z0-9-_ ]{1,10}")) {
        wrongFile = false;
    }
}

Let me know what the thoughts are and, if need be, I am happy to raise an issue so
that it can be tracked.


Regards,
Shrilesh K.
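
Added example, not part of the original thread and not OFBiz code: a small Java harness that runs constructed file names through the two patterns quoted in the message above, to show which kinds of names they accept or reject. The class name, the sample names and the STRICT variant (same character classes, dot escaped) are assumptions made for illustration.

```java
import java.util.regex.Pattern;

public class UploadNameCheck {
    // The two patterns quoted in the message above, copied verbatim.
    static final Pattern GENERAL =
            Pattern.compile("[a-zA-Z0-9-_ ]{1,4086}.[a-zA-Z0-9-_ ]{1,10}");
    static final Pattern IMAGE =
            Pattern.compile("[a-zA-Z0-9-_ ()]{1,4086}.[a-zA-Z0-9-_ ]{1,10}");
    // Hypothetical variant for comparison only: the dot is escaped so that
    // it matches a literal "." instead of any single character.
    static final Pattern STRICT =
            Pattern.compile("[a-zA-Z0-9-_ ]{1,4086}\\.[a-zA-Z0-9-_ ]{1,10}");

    // Whole-string match, the same semantics as String.matches().
    static boolean accepts(Pattern p, String fileName) {
        return p.matcher(fileName).matches();
    }

    public static void main(String[] args) {
        // Constructed sample names, one per case worth checking.
        String[] samples = {
            "invoice_2021-04.pdf",      // plain name, one dot
            "photo (1).jpg",            // parentheses, as in a duplicate upload
            "archive.tar.gz",           // two dots
            "r\u00e9sum\u00e9.pdf",     // non-ASCII letters
            "file.verylongextension",   // extension longer than 10 characters
            "noextension",              // no dot at all
            ".htaccess"                 // empty name part before the dot
        };
        System.out.printf("%-24s %-8s %-8s %-8s%n",
                "name", "general", "image", "strict");
        for (String s : samples) {
            System.out.printf("%-24s %-8s %-8s %-8s%n", s,
                    accepts(GENERAL, s), accepts(IMAGE, s), accepts(STRICT, s));
        }
    }
}
```

Because the "." in the quoted patterns is unescaped, it matches any single character, so a name with no dot at all can still pass them. Names with two dots, parentheses or non-ASCII letters fail the general pattern, which is the kind of rejection the question above asks about.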
