This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release18.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git The following commit(s) were added to refs/heads/release18.12 by this push: new 1b9784d Fixed: Secure the uploads (OFBIZ-12080) 1b9784d is described below commit 1b9784dcdf1f0834d32113e51807afe190c6dc4b Author: Jacques Le Roux <[hidden email]> AuthorDate: Sun Dec 6 11:16:44 2020 +0100 Fixed: Secure the uploads (OFBIZ-12080) Improves the labels names and format comment in LayoutEvents.java I backport to ease later works... --- .../src/main/java/org/apache/ofbiz/content/data/DataServices.java | 8 ++++---- .../main/java/org/apache/ofbiz/content/layout/LayoutEvents.java | 3 +-- .../java/org/apache/ofbiz/product/imagemanagement/FrameImage.java | 2 +- framework/common/config/SecurityUiLabels.xml | 4 ++-- 4 files changed, 8 insertions(+), 9 deletions(-) diff --git a/applications/content/src/main/java/org/apache/ofbiz/content/data/DataServices.java b/applications/content/src/main/java/org/apache/ofbiz/content/data/DataServices.java index 5b0bdce..4e8e23c 100644 --- a/applications/content/src/main/java/org/apache/ofbiz/content/data/DataServices.java +++ b/applications/content/src/main/java/org/apache/ofbiz/content/data/DataServices.java @@ -264,7 +264,7 @@ public class DataServices { out.close(); // Check if a webshell is not uploaded if (!org.apache.ofbiz.security.SecuredUpload.isValidFile(file.getAbsolutePath(), "All", delegator)) { - String errorMessage = UtilProperties.getMessage("SecurityUiLabels", "SupportedFileIncludingSvgFormats", locale); + String errorMessage = UtilProperties.getMessage("SecurityUiLabels", "SupportedFileFormatsIncludingSvg", locale); return ServiceUtil.returnError(errorMessage); } 
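Review bot: In the DataServices.java hunk at line 264 the upload is validated only after it has been written and closed at `file.getAbsolutePath()`, and the rejection branch returns `ServiceUtil.returnError(errorMessage)` with nothing visible that removes the file. Unless `SecuredUpload.isValidFile` deletes a rejected file itself (its body is not part of this diff), content that failed the webshell check stays on disk at its destination path. I would either state that contract in the comment, e.g. `// isValidFile() is expected to delete the file when it rejects it`, or call `file.delete()` before returning the error. The same sequence appears in the hunks at lines 465, 629 and 692 and in FrameImage.java; the enclosing methods start and end outside these hunks.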
@@ -465,7 +465,7 @@ public class DataServices { out.close(); // Check if a webshell is not uploaded if (!org.apache.ofbiz.security.SecuredUpload.isValidFile(file.getAbsolutePath(), "All", delegator)) { - String errorMessage = UtilProperties.getMessage("SecurityUiLabels", "SupportedFileIncludingSvgFormats", locale); + String errorMessage = UtilProperties.getMessage("SecurityUiLabels", "SupportedFileFormatsIncludingSvg", locale); return ServiceUtil.returnError(errorMessage); } } catch (FileNotFoundException | ImageReadException e) { @@ -629,7 +629,7 @@ public class DataServices { out.write(imageData); // Check if a webshell is not uploaded if (!org.apache.ofbiz.security.SecuredUpload.isValidFile(file.getAbsolutePath(), "All", delegator)) { - String errorMessage = UtilProperties.getMessage("SecurityUiLabels", "SupportedFileIncludingSvgFormats", locale); + String errorMessage = UtilProperties.getMessage("SecurityUiLabels", "SupportedFileFormatsIncludingSvg", locale); return ServiceUtil.returnError(errorMessage); } if (Debug.infoOn()) { @@ -692,7 +692,7 @@ public class DataServices { out.write(imageData); // Check if a webshell is not uploaded if (!org.apache.ofbiz.security.SecuredUpload.isValidFile(file.getAbsolutePath(), "All", delegator)) { - String errorMessage = UtilProperties.getMessage("SecurityUiLabels", "SupportedFileIncludingSvgFormats", locale); + String errorMessage = UtilProperties.getMessage("SecurityUiLabels", "SupportedFileFormatsIncludingSvg", locale); return ServiceUtil.returnError(errorMessage); } diff --git a/applications/content/src/main/java/org/apache/ofbiz/content/layout/LayoutEvents.java b/applications/content/src/main/java/org/apache/ofbiz/content/layout/LayoutEvents.java index 3507bf0..1adad0f 100644 --- a/applications/content/src/main/java/org/apache/ofbiz/content/layout/LayoutEvents.java +++ b/applications/content/src/main/java/org/apache/ofbiz/content/layout/LayoutEvents.java 
@@ -143,8 +143,7 @@ public class LayoutEvents { } GenericValue dataResource = EntityQuery.use(delegator).from("DataResource").where("dataResourceId", dataResourceId).queryOne(); - // Use objectInfo field to store the name of the file, since there is no - // place in ImageDataResource for it. + // Use objectInfo field to store the name of the file, since there is no place in ImageDataResource for it. if (dataResource != null) { dataResource.set("objectInfo", imageFileName); dataResource.set("mimeTypeId", mimeTypeId); diff --git a/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java b/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java index 90125c9..217b855 100644 --- a/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java +++ b/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java @@ -311,7 +311,7 @@ public class FrameImage { out.write(imageData.array()); out.close(); if (!org.apache.ofbiz.security.SecuredUpload.isValidFile(file.getAbsolutePath(), "Image", delegator)) { - String errorMessage = UtilProperties.getMessage("SecurityUiLabels", "SupportedFileIncludingSvgFormats", locale); + String errorMessage = UtilProperties.getMessage("SecurityUiLabels", "SupportedFileFormatsIncludingSvg", locale); request.setAttribute("_ERROR_MESSAGE_", errorMessage); return "error"; } diff --git a/framework/common/config/SecurityUiLabels.xml b/framework/common/config/SecurityUiLabels.xml index bb03b92..7c31dce 100644 --- a/framework/common/config/SecurityUiLabels.xml +++ b/framework/common/config/SecurityUiLabels.xml 
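Review bot: In the FrameImage.java hunk the file is validated with the `"Image"` type, but the renamed line looks up `SupportedFileFormatsIncludingSvg`, whose text in SecurityUiLabels.xml tells the user that SVG, PDF, ZIP and text files are accepted. If `"Image"` restricts uploads to image formats, as the name suggests (the accepted set is defined in SecuredUpload, outside this diff), the error message advertises formats this check rejects. The label this commit renames to `SupportedImageFormatsIncludingSvg` reads as the closer match, i.e. `UtilProperties.getMessage("SecurityUiLabels", "SupportedImageFormatsIncludingSvg", locale)`, or whichever image-only label corresponds to what `"Image"` actually accepts. The enclosing method starts and ends outside the hunk.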
@@ -774,7 +774,7 @@ <value xml:lang="zh">SecurityViewPermissionError 你没有权限浏览本页面。 (需要"SECURITY_VIEW" 或 "SECURITY_ADMIN")</value> <value xml:lang="zh-TW">SecurityViewPermissionError 你沒有權限檢視本頁面. (需要"SECURITY_VIEW" 或 "SECURITY_ADMIN")</value> </property> - <property key="SupportedFileIncludingSvgFormats"> + <property key="SupportedFileFormatsIncludingSvg"> <value xml:lang="en">For security reason only valid files of supported image formats (GIF, JPEG, PNG, TIFF), SVG, PDF, and ZIP or text files with safe contents are accepted.</value> <value xml:lang="fr">Pour des raisons de sécurité, seuls les fichiers valides de formats d'image pris en charge (GIF, JPEG, PNG, TIFF), les fichiers SVG, PDF, et les fichiers ZIP ou texte aux contenus sûrs sont acceptés.</value> </property> @@ -782,7 +782,7 @@ <value xml:lang="en">For security reason only valid files of supported image formats (GIF, JPEG, PNG, TIFF), PDF or text files with safe contents are accepted.</value> <value xml:lang="fr">Pour des raisons de sécurité, seuls les fichiers valides de formats d'image pris en charge (GIF, JPEG, PNG, TIFF), les fichiers PDF ou les fichiers texte aux contenus sûrs sont acceptés.</value> </property> - <property key="SupportedImageFormatseIncludingSvg"> + <property key="SupportedImageFormatsIncludingSvg"> <value xml:lang="en">For security reason only valid files of supported image formats (GIF, JPEG, PNG, TIFF), or SVG format are accepted.</value> <value xml:lang="fr">Pour des raisons de sécurité, seuls les fichiers valides des formats d'image pris en charge (GIF, JPEG, PNG, TIFF) ou au format SVG sont acceptés.</value> </property> |