Hi Guys,

While performing testing of the https://issues.apache.org/jira/browse/OFBIZ-10746 issue reported a while back, I have noticed that if I try uploading a file it now fails for different reasons, as the file name is being considered invalid.

At first glance, it looks like it is due to fixes introduced recently for the below issues:
1. Secure the uploads (OFBIZ-12080)
2. addImageForProduct fails (OFBIZ-12211)

Of course, it could be bypassed for now by setting the property allowAllUploads=true in security.properties.

However, I was wondering if the below code block from class SecuredUpload.java should have allowed URLs that also contain the content.upload.path.prefix value, the same as what is being done for product image URLs.

    if (fileToCheck.length() > 4096) {
        Debug.logError("Uploaded file name too long", MODULE);
        return false;
    } else if (p.toString().contains(imageServerUrl)) {
        if (file.matches("[a-zA-Z0-9-_ ()]{1,4086}.[a-zA-Z0-9-_ ]{1,10}")) { // "(" and ")" for duplicates files
            wrongFile = false;
        } else if (!file.matches("[a-zA-Z0-9-_ ]{1,4086}.[a-zA-Z0-9-_ ]{1,10}")) {
            wrongFile = false;
        }
    }

Let me know what the thoughts are, and if need be I'm happy to raise an issue so that it could be tracked.

Regards,
Shrilesh K.
Hi Shrilesh,

In which cases exactly are the file names rejected (length, name, etc.)? We can also consider the content.upload.path.prefix indeed...

Jacques

On 14/04/2021 at 17:24, Shrilesh Korgaonkar wrote:
Hi Jacques,

Step 1: go to the e-commerce website and log in as DemoCustomer
Step 2: go to the profile page and find party content uploaded / File Manager
Step 3: add/browse a file
Step 4: select Purpose - Internal Content/User Defined Content and click to upload

You will get the same error. The file is getting uploaded, but at the end of DataServices.groovy:

    ---> def attachUploadToDataResource()
    ---> return saveLocalFileDataResource(parameters.dataResourceTypeId)
    ---> result = run service: "createAnonFile", with: fileCtx
    ---> createFileNoPerm
    ---> createFileMethod(dctx, context);
    ---> if (!org.apache.ofbiz.security.SecuredUpload.isValidFile(file.getAbsolutePath(), "Text", delegator))
    ---> return ServiceUtil.returnError(errorMessage);

due to the issue I talked about above.

I also uploaded the file which I'm using to upload on party content uploaded; the name of the file which I'm uploading is (AAAAJPJ1.JPEG,AAAAJPJ1.png), and screenshots of the demo website. I also tried locally.

Regards,
Shrilesh K.

On Wed, Apr 14, 2021 at 11:06 PM Jacques Le Roux <[hidden email]> wrote:
Hi Shrilesh,

It works for me with files named GCS_009.jpg and GCS_004.jpeg.

You mentioned content.upload.path.prefix. Did you set a value there, and if yes which one?

Jacques

On 15/04/2021 at 10:07, Shrilesh Korgaonkar wrote:
For instance, do you use a URL?

On 15/04/2021 at 11:20, Jacques Le Roux wrote:
Hi Guys,

Just to say.. please use this URL https://demo-trunk.ofbiz.apache.org/ecommerce/control/main and, using the profile page of the DemoCustomer user, try to upload the attached file (AAAAJPJ1.JPEG,AAAAJPJ1.png) or any.

Step 1: go to the e-commerce website and log in as DemoCustomer
Step 2: go to the profile page and find party content uploaded / File Manager
Step 3: add/browse a file
Step 4: select Purpose - Internal Content/User Defined Content and click to upload

On Thu, Apr 15, 2021 at 4:08 PM Jacques Le Roux <[hidden email]> wrote:
Hi,

This was not my question. I wanted to know if you set a value to content.upload.path.prefix, and if yes which one, maybe a URL (which should not be used in content.upload.path.prefix, as the comment in content properties says).

This mailing list does not accept attachments, but anyway if your file name is "AAAAJPJ1.JPEG,AAAAJPJ1.png" (not 2 files, AAAAJPJ1.JPEG or AAAAJPJ1.png) then it can't work, as the message says:

<< For security reason only valid files of supported image formats (GIF, JPEG, PNG, TIFF), SVG, PDF, and ZIP or text files with safe names (only Alpha-Numeric characters, hyphen, underscore and spaces, only 1 dot, name and extension not empty) and contents are accepted.>>

This said, I have tried locally and it works for AAAAJPJ1.JPEG, but weirdly not on the trunk demo indeed. I guess it's because I use Windows and the trunk demo is on Ubuntu.

I'll check that and will get back to you.

Thanks for reporting

Jacques

On 15/04/2021 at 14:47, Shrilesh Korgaonkar wrote:
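As an added example written for this thread (not OFBiz code, and not the SecuredUpload implementation), the following standalone Python check applies the file-name policy quoted in the message above and reports why a name such as AAAAJPJ1.JPEG,AAAAJPJ1.png is rejected. The rejection messages, the handling of both path separators and the 4096/10-character limits taken from the quoted Java are this example's own assumptions.

```python
import re
from typing import Optional

# File-name policy as stated in the OFBiz error message quoted in this thread:
# only alphanumerics, hyphen, underscore and spaces; exactly one dot; name and
# extension both non-empty. Standalone reimplementation for this thread, not
# the code of org.apache.ofbiz.security.SecuredUpload.
MAX_PATH_LEN = 4096      # whole-path limit, as in the quoted Java snippet
MAX_EXT_LEN = 10         # the {1,10} extension bound in the quoted regex
ALLOWED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_ ")
DUP_MARKER = set("()")   # tolerated in the base name only, for "name (1).jpg" style duplicates


def base_name(path: str) -> str:
    """Last path component. Splitting on both '/' and '\\' is this example's
    choice so the check behaves the same on Windows and Linux hosts."""
    return re.split(r"[\\/]", path)[-1]


def check_file_name(path: str) -> Optional[str]:
    """Return None when the upload name passes the policy, else the reason it fails."""
    if len(path) > MAX_PATH_LEN:
        return f"path longer than {MAX_PATH_LEN} characters"
    name = base_name(path)
    if not name:
        return "empty file name"
    # Character whitelist first, so "a.jpg,b.png" is reported for the comma
    # rather than only for its second dot.
    allowed = ALLOWED | DUP_MARKER
    bad = sorted({c for c in name if c != "." and c not in allowed})
    if bad:
        return "disallowed character(s): " + ", ".join(repr(c) for c in bad)
    dots = name.count(".")
    if dots != 1:
        return f"expected exactly 1 dot, found {dots}"
    stem, ext = name.split(".")
    if not stem:
        return "empty name before the dot"
    if not ext:
        return "empty extension"
    if len(ext) > MAX_EXT_LEN:
        return f"extension longer than {MAX_EXT_LEN} characters"
    if any(c in DUP_MARKER for c in ext):
        return "parentheses are only tolerated in the name, not the extension"
    return None


def is_valid_file_name(path: str) -> bool:
    return check_file_name(path) is None


if __name__ == "__main__":
    # Constructed sample names; the first four are the ones discussed in the thread.
    samples = [
        "AAAAJPJ1.JPEG",
        "AAAAJPJ1.png",
        "/var/ofbiz/uploads/GCS_009.jpg",
        "AAAAJPJ1.JPEG,AAAAJPJ1.png",
        "C:\\uploads\\GCS_004 (1).jpeg",
        "notes.v2.txt",
        ".hidden",
    ]
    for s in samples:
        print(f"{s!r:40} -> {check_file_name(s) or 'OK'}")
```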
Hi Shrilesh,

I found the issue. I have attached a patch at https://issues.apache.org/jira/browse/OFBIZ-12080

Please test on your side after applying the patch and confirm it's OK with you.

TIA

Jacques

On 15/04/2021 at 17:48, Jacques Le Roux wrote:
Hi Jacques,

Thank you for the patch, it's working now.

Regards,
Shrilesh K.

On Thu, Apr 15, 2021 at 10:34 PM Jacques Le Roux <[hidden email]> wrote:
Thanks Shrilesh,

Fixed

Jacques

On 16/04/2021 at 08:25, Shrilesh Korgaonkar wrote: