[ofbiz-framework] branch trunk updated: Fixed: addImageForProduct fails (OFBIZ-12211)

jleroux@apache.org
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/trunk by this push:
     new 76d6382  Fixed: addImageForProduct fails (OFBIZ-12211)
76d6382 is described below

commit 76d6382c81041c176095ef335fdd1f893716092b
Author: Jacques Le Roux <[hidden email]>
AuthorDate: Mon Mar 29 11:07:20 2021 +0200

    Fixed: addImageForProduct fails (OFBIZ-12211)
   
    The addImageForProduct process is not directly uploading a file but renames it
    before. So there is a hyphen, and possibly a pair of parentheses in case of
    duplicate files, added to the file name.
   
    In this commit I have also added the possibility to use underscores and spaces
    in the original filename.
---
 framework/common/config/SecurityUiLabels.xml       | 10 ++++----
 .../org/apache/ofbiz/security/SecuredUpload.java   | 28 +++++++++++++++-------
 2 files changed, 24 insertions(+), 14 deletions(-)

diff --git a/framework/common/config/SecurityUiLabels.xml b/framework/common/config/SecurityUiLabels.xml
index c8da8b2..5d66d04 100644
--- a/framework/common/config/SecurityUiLabels.xml
+++ b/framework/common/config/SecurityUiLabels.xml
@@ -768,23 +768,23 @@
         <value xml:lang="zh-TW">SecurityViewPermissionError 你沒有權限檢視本頁面. (需要"SECURITY_VIEW" 或 "SECURITY_ADMIN")</value>
     </property>
     <property key="SupportedFileFormatsIncludingSvg">
-        <value xml:lang="en">For security reason only valid files of supported image formats (GIF, JPEG, PNG, TIFF), SVG, PDF, and ZIP or text files with safe names (only Alpha-Numeric characters, only 1 dot, name and extension not empty) and contents are accepted.</value>
+        <value xml:lang="en">For security reason only valid files of supported image formats (GIF, JPEG, PNG, TIFF), SVG, PDF, and ZIP or text files with safe names (only Alpha-Numeric characters, hyphen, underscore and spaces, only 1 dot, name and extension not empty) and contents are accepted.</value>
         <value xml:lang="fr">Pour des raisons de sécurité, seuls les fichiers valides de formats d'image pris en charge (GIF, JPEG, PNG, TIFF), les fichiers SVG, PDF, et les fichiers ZIP ou texte avec des noms sûrs (uniquement des caractères alphanumériques, 1 seul point, nom et extension non vides) et aux contenus sûrs sont acceptés.</value>
     </property>
      <property key="SupportedFileFormats">
-        <value xml:lang="en">For security reason only valid files of supported image formats (GIF, JPEG, PNG, TIFF), PDF or text files with safe names (only Alpha-Numeric characters, only 1 dot, name and extension not empty) and contents are accepted.</value>
+        <value xml:lang="en">For security reason only valid files of supported image formats (GIF, JPEG, PNG, TIFF), PDF or text files with safe names (only Alpha-Numeric characters, hyphen, underscore and spaces, only 1 dot, name and extension not empty) and contents are accepted.</value>
         <value xml:lang="fr">Pour des raisons de sécurité, seuls les fichiers valides de formats d'image pris en charge (GIF, JPEG, PNG, TIFF), les fichiers PDF ou les fichiers texte avec des noms sûrs (uniquement des caractères alphanumériques, 1 seul point, nom et extension non vides) et aux contenus sûrs sont acceptés.</value>
     </property>
     <property key="SupportedImageFormatsIncludingSvg">
-        <value xml:lang="en">For security reason only valid files of supported image formats (GIF, JPEG, PNG, TIFF), or SVG format with safe names (only Alpha-Numeric characters, only 1 dot, name and extension not empty) are accepted.</value>
+        <value xml:lang="en">For security reason only valid files of supported image formats (GIF, JPEG, PNG, TIFF), or SVG format with safe names (only Alpha-Numeric characters, hyphen, underscore and spaces, only 1 dot, name and extension not empty) are accepted.</value>
         <value xml:lang="fr">Pour des raisons de sécurité, seuls les fichiers valides des formats d'image pris en charge (GIF, JPEG, PNG, TIFF) ou au format SVG avec des noms sûrs (uniquement des caractères alphanumériques, 1 seul point, nom et extension non vides) sont acceptés.</value>
     </property>
     <property key="SupportedImageFormats">
-        <value xml:lang="en">For security reason only valid files of supported image formats (GIF, JPEG, PNG, TIFF) with safe names (only Alpha-Numeric characters, only 1 dot, name and extension not empty) are accepted.</value>
+        <value xml:lang="en">For security reason only valid files of supported image formats (GIF, JPEG, PNG, TIFF) with safe names (only Alpha-Numeric characters, hyphen, underscore and spaces, only 1 dot, name and extension not empty) are accepted.</value>
         <value xml:lang="fr">Pour des raisons de sécurité, seuls les fichiers valides des formats d'image pris en charge (GIF, JPEG, PNG, TIFF) avec des noms sûrs (uniquement des caractères alphanumériques, 1 seul point, nom et extension non vides) sont acceptés.</value>
     </property>
     <property key="SupportedTextFileFormats">
-        <value xml:lang="en">For security reason only text files with safe names (only Alpha-Numeric characters, only 1 dot, name and extension not empty) and contents are accepted.</value>
+        <value xml:lang="en">For security reason only text files with safe names (only Alpha-Numeric characters, hyphen, underscore and spaces, only 1 dot, name and extension not empty) and contents are accepted.</value>
         <value xml:lang="fr">Pour des raisons de sécurité, seuls les fichiers texte dont les contenus et les noms sont sûrs (uniquement des caractères alphanumériques, 1 seul point, nom et extension non vides) sont acceptés</value>
     </property>
     <property key="UserLogin">
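Review bot: only the `xml:lang="en"` values were updated; the five `xml:lang="fr"` values in the same properties still read "uniquement des caractères alphanumériques, 1 seul point", so French users will be told that hyphens, underscores and spaces are forbidden while the code now accepts them. Please add "tiret, tiret bas et espaces" (or equivalent) to each French value, and since these lines are being touched anyway, "For security reason" should read "For security reasons" in all five English values.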
diff --git a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
index aa2ce62..95c562d 100644
--- a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
+++ b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
@@ -105,27 +105,37 @@ public class SecuredUpload {
             return true;
         }
 
+        String imageServerUrl = EntityUtilProperties.getPropertyValue("catalog", "image.management.url", delegator);
         Path p = Paths.get(fileToCheck);
         String file = p.getFileName().toString();
+        boolean wrongFile = true;
         if (org.apache.commons.lang3.SystemUtils.IS_OS_WINDOWS) {
             if (fileToCheck.length() > 259) {
                 Debug.logError("Uploaded file name too long", MODULE);
                 return false;
-            } else if (!file.matches("[a-zA-Z0-9]{1,249}.[a-zA-Z0-9]{1,10}")) {
-                Debug.logError("Uploaded file "
-                        + " should contain only Alpha-Numeric characters, only 1 dot as an input for the file name and the extension."
-                        + "The file name and extension should not be empty at all",
-                        MODULE);
-                return false;
+            } else if (p.toString().contains(imageServerUrl.replaceAll("/", "\\\\"))) {
+                if (file.matches("[a-zA-Z0-9-_ ()]{1,249}.[a-zA-Z0-9-_ ]{1,10}")) { // "(" and ")" for duplicates files
+                    wrongFile = false;
+                } else if (!file.matches("[a-zA-Z0-9-_ ]{1,249}.[a-zA-Z0-9-_ ]{1,10}")) {
+                    wrongFile = false;
+                }
             }
         } else {
             if (fileToCheck.length() > 4096) {
                 Debug.logError("Uploaded file name too long", MODULE);
                 return false;
-            } else if (!file.matches("[a-zA-Z0-9]{1,4086}.[a-zA-Z0-9]{1,10}")) {
+            } else if (p.toString().contains(imageServerUrl)) {
+                if (file.matches("[a-zA-Z0-9-_ ()]{1,4086}.[a-zA-Z0-9-_ ]{1,10}")) { // "(" and ")" for duplicates files
+                    wrongFile = false;
+                } else if (!file.matches("[a-zA-Z0-9-_ ]{1,4086}.[a-zA-Z0-9-_ ]{1,10}")) {
+                    wrongFile = false;
+                }
+            }
+            if (wrongFile) {
                 Debug.logError("Uploaded file "
-                        + " should contain only Alpha-Numeric characters, only 1 dot as an input for the file name and the extension."
-                        + "Tthe file name and extension should not be empty at all",
+                        + " should contain only Alpha-Numeric characters, hyphen, underscore and spaces,"
+                        + " only 1 dot as an input for the file name and the extension."
+                        + "The file name and extension should not be empty at all",
                         MODULE);
                 return false;
             }
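Review bot: the `else if (!file.matches("[a-zA-Z0-9-_ ]{1,249}.[a-zA-Z0-9-_ ]{1,10}"))` branches (same shape on both platforms) set `wrongFile = false` when the name does NOT match, and because that pattern is a subset of the parentheses pattern tested just before, the branch is only reached when the name fails it, so every file name under the image management path is accepted without any name check; drop the negation, or drop the branch altogether since the first pattern already covers it. Two further problems in the same hunk: a path that does not contain `imageServerUrl` never reaches a name check and falls through to `if (wrongFile)`, which now rejects every upload outside the image management directory, so the original unconditional regex check should stay as the fallback for that case; and `if (wrongFile)` sits inside the non-Windows `else`, so the Windows branch computes `wrongFile` but never acts on it, which is fixed by moving the check after the if/else. Minor: if `image.management.url` is not configured, `imageServerUrl.replaceAll(...)` throws or, if an empty string is returned, `contains("")` is true for every path, so guard for null/empty before using it; the separator `.` is still an unescaped wildcard (`\\.` is intended), and the hyphen in `[a-zA-Z0-9-_ ()]` reads more clearly at the end of the class.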