For instance, do you use a URL?
On 15/04/2021 at 11:20, Jacques Le Roux wrote:
Hi Shrilesh,
It works for me with files named GCS_009.jpg and GCS_004.jpeg
You mentioned content.upload.path.prefix. Did you set a value there and if yes
which one?
Jacques
On 15/04/2021 at 10:07, Shrilesh Korgaonkar wrote:
Hi Jacques,
Step 1: Go to the e-commerce website and log in as DemoCustomer
Step 2: Go to the profile page and find party content uploaded / File Manager
Step 3: Add/browse a file
Step 4: Select Purpose - Internal Content/User Defined Content and click to
upload
You will get the same error
the file is getting uploaded but at the end of
*DataServices.groovy
---> def attachUploadToDataResource()
---> return saveLocalFileDataResource(parameters.dataResourceTypeId)
---> result = run service: "createAnonFile", with: fileCtx
---> createFileNoPerm
---> createFileMethod(dctx, context);
---> if (!org.apache.ofbiz.security.SecuredUpload.isValidFile(file.getAbsolutePath(), "Text", delegator))
---> return ServiceUtil.returnError(errorMessage);*
Due to the issue I talked about above.
I also uploaded the file which I'm using to upload on party content uploaded.
Names of the files which I'm uploading: AAAAJPJ1.JPEG, AAAAJPJ1.png
And screenshots of the demo website; I also tried locally.
Regards,
Shrilesh K.
On Wed, Apr 14, 2021 at 11:06 PM Jacques Le Roux <jacques.le.r...@les7arts.com> wrote:
Hi Shrilesh,
In which cases exactly are the file names rejected (length, name, etc.)?
We can also consider the content.upload.path.prefix indeed...
Jacques
On 14/04/2021 at 17:24, Shrilesh Korgaonkar wrote:
> Hi Guys,
>
> While performing testing of
> https://issues.apache.org/jira/browse/OFBIZ-10746 issue reported a while
> back, I have noticed that if I try uploading a file it now fails for
> different reasons as the file name is being considered invalid
>
> At first glance, it looks like this is due to fixes introduced recently for
> the issues below
> 1. Secure the uploads (OFBIZ-12080)
> 2. addImageForProduct fails (OFBIZ-12211)
>
> Of course, it could be bypassed for now by setting property
> *allowAllUploads=true* in security.properties.
>
> However, was wondering if the below code block from class
> *SecuredUpload.java* should have allowed URLs that also contain
> *content.upload.path.prefix* value? same as what is being done for product
> image URLs.
>
>
>
> if (fileToCheck.length() > 4096) {
>     Debug.logError("Uploaded file name too long", MODULE);
>     return false;
> *} else if (p.toString().contains(imageServerUrl)) {*
>     if (file.matches("[a-zA-Z0-9-_ ()]{1,4086}.[a-zA-Z0-9-_ ]{1,10}")) { // "(" and ")" for duplicates files
>         wrongFile = false;
>     } else if (!file.matches("[a-zA-Z0-9-_ ]{1,4086}.[a-zA-Z0-9-_ ]{1,10}")) {
>         wrongFile = false;
>     }
> }
>
> Let me know what the thoughts are and if need be happy to raise an issue so
> that it could be tracked
>
>
> Regards,
> Shrilesh K.
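
The kind of check this thread discusses, as an added Java example that is not OFBiz code and not from either poster: a file is accepted only when its normalized path lies under one of two allowed directories and its name matches an allow-list pattern. The two directories, the class `UploadNameCheck` and the method `isAcceptable` are assumptions made up for illustration; the pattern reuses the characters from the quoted snippet with the dot escaped.

```java
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;
import java.util.regex.Pattern;

public class UploadNameCheck {
    // Constructed sample locations standing in for the image server path and the
    // content upload path; these are assumptions, not OFBiz property values.
    static final List<Path> ALLOWED_DIRS = List.of(
            Paths.get("/srv/ofbiz/images").toAbsolutePath().normalize(),
            Paths.get("/srv/ofbiz/uploads").toAbsolutePath().normalize());

    // Same characters as the classes in the quoted snippet (hyphen moved last),
    // with the dot escaped so only a literal "." separates name and extension.
    static final Pattern NAME =
            Pattern.compile("[a-zA-Z0-9_ ()-]{1,4086}\\.[a-zA-Z0-9_ -]{1,10}");

    // Hypothetical helper: true only for an allowed directory AND an allowed name.
    static boolean isAcceptable(String fileToCheck) {
        if (fileToCheck.length() > 4096) {
            return false; // same length limit as the quoted snippet
        }
        Path p;
        try {
            // normalize() resolves "." and ".." before the directory comparison
            p = Paths.get(fileToCheck).toAbsolutePath().normalize();
        } catch (InvalidPathException e) {
            return false; // characters the file system cannot represent
        }
        Path name = p.getFileName();
        if (name == null) {
            return false; // a bare root has no file name
        }
        // Path.startsWith compares whole path elements, unlike String.contains
        boolean inAllowedDir = ALLOWED_DIRS.stream().anyMatch(dir -> p.startsWith(dir));
        return inAllowedDir && NAME.matcher(name.toString()).matches();
    }

    public static void main(String[] args) {
        String[] samples = { // constructed inputs
            "/srv/ofbiz/images/GCS_009.jpg",          // under the images directory
            "/srv/ofbiz/uploads/AAAAJPJ1.JPEG",       // under the uploads directory
            "/srv/ofbiz/uploads/../tmp/AAAAJPJ1.png", // ".." resolves outside uploads
            "/srv/ofbiz/uploads-old/AAAAJPJ1.png",    // sibling directory sharing a prefix
            "/srv/ofbiz/uploads/AAAAJPJ1_png",        // no literal dot before the extension
        };
        for (String s : samples) {
            System.out.printf("%-42s %s%n", s, isAcceptable(s));
        }
    }
}
```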