[ofbiz-framework] branch trunk updated: Fixed: Secure the uploads (OFBIZ-12080)

This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/trunk by this push:
     new 1e3148c  Fixed: Secure the uploads (OFBIZ-12080)
1e3148c is described below

commit 1e3148c3a86e382406b2893cac24ddd11442124f
Author: Jacques Le Roux <[hidden email]>
AuthorDate: Fri Apr 16 09:22:45 2021 +0200

    Fixed: Secure the uploads (OFBIZ-12080)
   
    Reopened after report of a bug (only on *nix systems) by Shrilesh Korgaonkar.
    This fixes the issue
   
    Thanks: Shrilesh Korgaonkar
---
 .../org/apache/ofbiz/security/SecuredUpload.java   | 27 +++++++++++-----------
 1 file changed, 14 insertions(+), 13 deletions(-)

diff --git a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
index 95c562d..904b64c 100644
--- a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
+++ b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
@@ -116,29 +116,30 @@ public class SecuredUpload {
             } else if (p.toString().contains(imageServerUrl.replaceAll("/", "\\\\"))) {
                 if (file.matches("[a-zA-Z0-9-_ ()]{1,249}.[a-zA-Z0-9-_ ]{1,10}")) { // "(" and ")" for duplicates files
                     wrongFile = false;
-                } else if (!file.matches("[a-zA-Z0-9-_ ]{1,249}.[a-zA-Z0-9-_ ]{1,10}")) {
-                    wrongFile = false;
                 }
+            } else if (file.matches("[a-zA-Z0-9-_ ]{1,249}.[a-zA-Z0-9-_ ]{1,10}")) {
+                wrongFile = false;
             }
-        } else {
+        } else { // Suppose a *nix system
             if (fileToCheck.length() > 4096) {
                 Debug.logError("Uploaded file name too long", MODULE);
                 return false;
             } else if (p.toString().contains(imageServerUrl)) {
                 if (file.matches("[a-zA-Z0-9-_ ()]{1,4086}.[a-zA-Z0-9-_ ]{1,10}")) { // "(" and ")" for duplicates files
                     wrongFile = false;
-                } else if (!file.matches("[a-zA-Z0-9-_ ]{1,4086}.[a-zA-Z0-9-_ ]{1,10}")) {
-                    wrongFile = false;
                 }
+            } else if (file.matches("[a-zA-Z0-9-_ ]{1,4086}.[a-zA-Z0-9-_ ]{1,10}")) {
+                wrongFile = false;
             }
-            if (wrongFile) {
-                Debug.logError("Uploaded file "
-                        + " should contain only Alpha-Numeric characters, hyphen, underscore and spaces,"
-                        + " only 1 dot as an input for the file name and the extension."
-                        + "The file name and extension should not be empty at all",
-                        MODULE);
-                return false;
-            }
+        }
+
+        if (wrongFile) {
+            Debug.logError("Uploaded file "
+                    + " should contain only Alpha-Numeric characters, hyphen, underscore and spaces,"
+                    + " only 1 dot as an input for the file name and the extension."
+                    + "The file name and extension should not be empty at all",
+                    MODULE);
+            return false;
         }
 
         if (isExecutable(fileToCheck)) {