Hi,

This was not my question. I wanted to know if you set a value to content.upload.path.prefix, if yes which one, maybe a URL (should not be used in content.upload.path.prefix as the comment in content properties says).

This mailing list does not accept attachments, but anyway if your file name is "AAAAJPJ1.JPEG,AAAAJPJ1.png" (not 2 files AAAAJPJ1.JPEG or AAAAJPJ1.png) then it can't work as the message says:

   << For security reason only valid files of supported image formats (GIF, JPEG, PNG, TIFF), SVG, PDF, and ZIP or text files with safe names (only Alpha-Numeric characters, hyphen, underscore and spaces, only 1 dot, name and extension not empty) and contents are accepted.>>

This said, I have tried locally and it works for AAAAJPJ1.JPEG but weirdly not on trunk demo indeed. I guess it's because I use Windows and the trunk demo is on Ubuntu.

I'll check that and will get back to you

Thanks for reporting

Jacques
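
Added example, not part of the original message and not OFBiz code: a stand-alone Java check of the safe-name rule quoted in the error message above, run next to the pattern quoted later in the thread and an assumed variant with the dot escaped. The class name, `rejectionReason`, `STRICT`, and the sample names other than the three taken from the thread are assumptions; it tests a bare file name rather than the absolute path that `isValidFile` receives.

```java
import java.util.regex.Pattern;

public class SafeUploadNameDemo {
    // Pattern as quoted in the thread; its "." is unescaped, so it matches any one character.
    static final Pattern QUOTED =
            Pattern.compile("[a-zA-Z0-9-_ ]{1,4086}.[a-zA-Z0-9-_ ]{1,10}");
    // Assumed stricter variant (not OFBiz code): the dot is escaped, so it must be a literal ".".
    static final Pattern STRICT =
            Pattern.compile("[a-zA-Z0-9_ -]{1,4086}\\.[a-zA-Z0-9_ -]{1,10}");

    /** Returns null if the bare file name meets the rule in the error message, else the reason. */
    static String rejectionReason(String name) {
        long dots = name.chars().filter(c -> c == '.').count();
        if (dots != 1) {
            return "expected exactly 1 dot, found " + dots;
        }
        int dot = name.indexOf('.');
        if (dot == 0) {
            return "empty name";
        }
        if (dot == name.length() - 1) {
            return "empty extension";
        }
        for (char c : name.toCharArray()) {
            boolean ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                    || (c >= '0' && c <= '9') || c == '-' || c == '_' || c == ' ' || c == '.';
            if (!ok) {
                return "character '" + c + "' is not allowed";
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // First three names come from the thread; the rest are constructed for illustration.
        String[] samples = {"AAAAJPJ1.JPEG", "AAAAJPJ1.JPEG,AAAAJPJ1.png",
                "GCS_009.jpg", "report,pdf", ".png", "photo."};
        for (String s : samples) {
            String reason = rejectionReason(s);
            System.out.printf("%-28s quoted=%-5b strict=%-5b %s%n", s,
                    QUOTED.matcher(s).matches(), STRICT.matcher(s).matches(),
                    reason == null ? "accepted" : "rejected: " + reason);
        }
    }
}
```

The two patterns differ only on names where the separator is not a literal dot, such as the constructed `report,pdf`; the combined name from the thread fails all three checks because it has a comma and two dots. The real class may apply further checks that the thread does not show.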

On 15/04/2021 at 14:47, Shrilesh Korgaonkar wrote:
Hi Guys,
Just say.. please use this URL https://demo-trunk.ofbiz.apache.org/ecommerce/control/main, using profile page of DemoCustomer user try to upload attached file (AAAAJPJ1.JPEG,AAAAJPJ1.png) or any

Step 1: go-to the e-commerce website login as DemoCustomer
Step 2: go-to profile page find party content uploaded / File Manager
step 3: add/browse a file
step 4: Select Purpose - Internal Content/User Defined Content and click to upload


On Thu, Apr 15, 2021 at 4:08 PM Jacques Le Roux <jacques.le.r...@les7arts.com> wrote:

    For instance, do you use a URL?

    On 15/04/2021 at 11:20, Jacques Le Roux wrote:
    > Hi Shrilesh,
    >
    > It works for me with files named GCS_009.jpg and GCS_004.jpeg
    >
    > You mentioned content.upload.path.prefix. Did you set a value there and if yes which one?
    >
    > Jacques
    >
    > On 15/04/2021 at 10:07, Shrilesh Korgaonkar wrote:
    >> Hi Jacques,
    >>
    >> Step 1: go-to the e-commerce website login as DemoCustomer
    >> Step 2: go-to profile page find party content uploaded / File Manager
    >> step 3: add/browse a file
    >> step 4: Select Purpose - Internal Content/User Defined Content and click to upload
    >>
    >> you will get the same error
    >> the file is getting uploaded but at the end of
    >> *DataServices.groovy
    >> ---> def attachUploadToDataResource()
    >> ---> return saveLocalFileDataResource(parameters.dataResourceTypeId)
    >> ---> result = run service: "createAnonFile", with: fileCtx
    >> ---> createFileNoPerm
    >> ---> createFileMethod(dctx, context);
    >> ---> if (!org.apache.ofbiz.security.SecuredUpload.isValidFile(file.getAbsolutePath(), "Text", delegator))
    >> ---> return ServiceUtil.returnError(errorMessage);*
    >> Due to the issue I talked above
    >>
    >> I also uploaded that file which I'm using to upload on party content uploaded
    >> name of the file which I'm uploading (AAAAJPJ1.JPEG,AAAAJPJ1.png)
    >> And ScreenShots of the demo website and I also tried locally
    >>
    >> Regards,
    >> Shrilesh K.
    >>
    >> On Wed, Apr 14, 2021 at 11:06 PM Jacques Le Roux <jacques.le.r...@les7arts.com> wrote:
    >>
    >>     Hi Shrilesh,
    >>
    >>     In which cases exactly the file names are rejected (length, name, etc.)? We can also consider the content.upload.path.prefix indeed...
    >>
    >>     Jacques
    >>
    >>     On 14/04/2021 at 17:24, Shrilesh Korgaonkar wrote:
    >>     > Hi Guys,
    >>     >
    >>     > While performing testing of
    >>     > https://issues.apache.org/jira/browse/OFBIZ-10746 issue reported a while
    >>     > back, I have noticed that if I try uploading a file it now fails for
    >>     > different reasons as the file name is being considered invalid
    >>     >
    >>     > At first glance, it looks like due to fixes introduced recently due to
    >>     > below issues
    >>     > 1. Secure the uploads (OFBIZ-12080)
    >>     > 2. addImageForProduct fails (OFBIZ-12211)
    >>     >
    >>     > Of course, it could be bypassed for now by setting property
    >>     > *allowAllUploads=true
    >>     > *security.properties.
    >>     >
    >>     > However, was wondering if the below code block from class
    >>     > *SecuredUpload.java* should have allowed URLs that also contain
    >>     > *content.upload.path.prefix* value? same as what is being done for product
    >>     > image URLs.
    >>     >
    >>     >
    >>     >
    >>     > if (fileToCheck.length() > 4096) {
    >>     >                  Debug.logError("Uploaded file name too long", MODULE);
    >>     >                  return false;
    >>     >              *} else if (p.toString().contains(imageServerUrl)) {*
    >>     >                  if (file.matches("[a-zA-Z0-9-_ ()]{1,4086}.[a-zA-Z0-9-_ ]{1,10}")) { // "(" and ")" for duplicates files
    >>     >                      wrongFile = false;
    >>     >                  } else if (!file.matches("[a-zA-Z0-9-_ ]{1,4086}.[a-zA-Z0-9-_ ]{1,10}")) {
    >>     >                      wrongFile = false;
    >>     >                  }
    >>     >              }
    >>     >
    >>     > Let me know what the thoughts are and if need be happy to raise an issue so
    >>     > that it could be tracked
    >>     >
    >>     >
    >>     > Regards,
    >>     > Shrilesh K.
    >>
