Hi Jacques,
Thank you for the patch, it's working now.
Regards,
Shrilesh K.
On Thu, Apr 15, 2021 at 10:34 PM Jacques Le Roux <jacques.le.r...@les7arts.com> wrote:
Hi Shrilesh,
I found the issue. I have attached a patch at
https://issues.apache.org/jira/browse/OFBIZ-12080
Please test on your side after applying the patch and confirm it's OK with you
TIA
Jacques
On 15/04/2021 at 17:48, Jacques Le Roux wrote:
> Hi,
>
> This was not my question. I wanted to know if you set a value to content.upload.path.prefix, if yes which one, maybe a URL (should not be used in
> content.upload.path.prefix as the comment in content properties says).
>
> This mailing list does not accept attachments, but anyway if your file name is "AAAAJPJ1.JPEG,AAAAJPJ1.png" (not 2 files AAAAJPJ1.JPEG or
> AAAAJPJ1.png) then it can't work as the message says:
>
> << For security reason only valid files of supported image formats (GIF, JPEG, PNG, TIFF), SVG, PDF, and ZIP or text files with safe names (only
> Alpha-Numeric characters, hyphen, underscore and spaces, only 1 dot, name and extension not empty) and contents are accepted.>>
>
> This said, I have tried locally and it works for AAAAJPJ1.JPEG but weirdly not on trunk demo indeed. I guess it's because I use Windows and the
> trunk demo is on Ubuntu.
>
> I'll check that and will get back to you
>
> Thanks for reporting
>
> Jacques
>
> On 15/04/2021 at 14:47, Shrilesh Korgaonkar wrote:
>> Hi Guys,
>> Just say.. please use this URL <https://demo-trunk.ofbiz.apache.org/ecommerce/control/main>, using profile page of DemoCustomer user try to upload attached file
>> (AAAAJPJ1.JPEG,AAAAJPJ1.png) or any
>>
>> Step 1: go-to the e-commerce website login as DemoCustomer
>> Step 2: go-to profile page find party content uploaded / File Manager
>> step 3: add/browse a file
>> step 4: Select Purpose - Internal Content/User Defined Content and click to upload
>>
>>
>> On Thu, Apr 15, 2021 at 4:08 PM Jacques Le Roux <jacques.le.r...@les7arts.com> wrote:
>>
>> For instance, do you use a URL?
>>
>> On 15/04/2021 at 11:20, Jacques Le Roux wrote:
>> > Hi Shrilesh,
>> >
>> > It works for me with files named GCS_009.jpg and GCS_004.jpeg
>> >
>> > You mentioned content.upload.path.prefix. Did you set a value there and if yes which one?
>> >
>> > Jacques
>> >
>> > On 15/04/2021 at 10:07, Shrilesh Korgaonkar wrote:
>> >> Hi Jacques,
>> >>
>> >> Step 1: go-to the e-commerce website login as DemoCustomer
>> >> Step 2: go-to profile page find party content uploaded / File Manager
>> >> step 3: add/browse a file
>> >> step 4: Select Purpose - Internal Content/User Defined Content and click to upload
>> >>
>> >> you will get the same error
>> >> the file is getting uploaded but at the end of
>> >> *DataServices.groovy
>> >> ---> def attachUploadToDataResource()
>> >> ---> return saveLocalFileDataResource(parameters.dataResourceTypeId)
>> >> ---> result = run service: "createAnonFile", with: fileCtx
>> >> ---> createFileNoPerm
>> >> ---> createFileMethod(dctx, context);
>> >> ---> if (!org.apache.ofbiz.security.SecuredUpload.isValidFile(file.getAbsolutePath(), "Text", delegator))
>> >> ---> return ServiceUtil.returnError(errorMessage);*
>> >> Due to the issue I talked about above
>> >>
>> >> I also uploaded that file which I'm using to upload on party content uploaded
>> >> name of the file which I'm uploading (AAAAJPJ1.JPEG,AAAAJPJ1.png)
>> >> And ScreenShots of the demo website and I also tried locally
>> >>
>> >> Regards,
>> >> Shrilesh K.
>> >>
>> >> On Wed, Apr 14, 2021 at 11:06 PM Jacques Le Roux <jacques.le.r...@les7arts.com> wrote:
>> >>
>> >> Hi Shrilesh,
>> >>
>> >> In which cases exactly are the file names rejected (length, name, etc.)? We can also consider the content.upload.path.prefix indeed...
>> >>
>> >> Jacques
>> >>
>> >> On 14/04/2021 at 17:24, Shrilesh Korgaonkar wrote:
>> >> > Hi Guys,
>> >> >
>> >> > While performing testing of
>> >> > https://issues.apache.org/jira/browse/OFBIZ-10746 issue reported a while
>> >> > back, I have noticed that if I try uploading a file it now fails for
>> >> > different reasons as the file name is being considered invalid
>> >> >
>> >> > At first glance, it looks like due to fixes introduced recently due to
>> >> > below issues
>> >> > 1. Secure the uploads (OFBIZ-12080)
>> >> > 2. addImageForProduct fails (OFBIZ-12211)
>> >> >
>> >> > Of course, it could be bypassed for now by setting property
>> >> > *allowAllUploads=true* in security.properties.
>> >> >
>> >> > However, was wondering if the below code block from class
>> >> > *SecuredUpload.java* should have allowed URLs that also contain
>> >> > *content.upload.path.prefix* value? same as what is being done for product
>> >> > image URLs.
>> >> >
>> >> >
>> >> >
>> >> > if (fileToCheck.length() > 4096) {
>> >> >     Debug.logError("Uploaded file name too long", MODULE);
>> >> >     return false;
>> >> > *} else if (p.toString().contains(imageServerUrl)) {*
>> >> >     if (file.matches("[a-zA-Z0-9-_ ()]{1,4086}.[a-zA-Z0-9-_ ]{1,10}")) { // "(" and ")" for duplicates files
>> >> >         wrongFile = false;
>> >> >     } else if (!file.matches("[a-zA-Z0-9-_ ]{1,4086}.[a-zA-Z0-9-_ ]{1,10}")) {
>> >> >         wrongFile = false;
>> >> >     }
>> >> > }
>> >> >
>> >> > Let me know what the thoughts are and if need be happy to raise an issue so
>> >> > that it could be tracked
>> >> >
>> >> >
>> >> > Regards,
>> >> > Shrilesh K.
>> >>
>>
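
The safe-name rule quoted in the error message above (alphanumerics, hyphen, underscore and spaces, only 1 dot, name and extension not empty), written out as a standalone check that reports why a name is refused. This is an added example, not code from OFBiz or from anyone in this thread; the class `SafeUploadName` and method `check` are hypothetical, and the length limits are the ones in the quoted snippet.

```java
import java.util.List;
import java.util.regex.Pattern;

public class SafeUploadName {
    // Limits taken from the snippet quoted in the thread: 4096 for the whole
    // path, 4086 for the name part, 10 for the extension.
    private static final int MAX_PATH = 4096;
    // The dot is escaped so it matches only a literal '.'; the hyphen is last
    // in each class so it is not read as a range.
    private static final Pattern SAFE =
            Pattern.compile("[A-Za-z0-9_ -]{1,4086}\\.[A-Za-z0-9_ -]{1,10}");

    /** Returns "OK" or the reason the name is refused. */
    static String check(String path) {
        if (path.length() > MAX_PATH) {
            return "path too long";
        }
        // Keep only the last path element, whichever separator the OS uses.
        String name = path.substring(Math.max(path.lastIndexOf('/'), path.lastIndexOf('\\')) + 1);
        long dots = name.chars().filter(c -> c == '.').count();
        if (dots != 1) {
            return "needs exactly 1 dot, found " + dots;
        }
        int dot = name.indexOf('.');
        if (dot == 0) {
            return "empty name";
        }
        if (dot == name.length() - 1) {
            return "empty extension";
        }
        if (!SAFE.matcher(name).matches()) {
            return "unsupported character, or name/extension too long";
        }
        return "OK";
    }

    public static void main(String[] args) {
        // File names mentioned in the thread, plus constructed edge cases.
        List<String> samples = List.of(
                "GCS_009.jpg", "GCS_004.jpeg", "AAAAJPJ1.JPEG",
                "AAAAJPJ1.JPEG,AAAAJPJ1.png",          // one name: comma, two dots
                "/tmp/uploads/photo (1).png",          // constructed: parentheses
                ".png", "report.", "archive.tar.gz");  // constructed
        for (String s : samples) {
            System.out.printf("%-30s -> %s%n", s, check(s));
        }
    }
}
```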