OFBiz OFBiz - User
Login  Register

Re: Not able to upload party content using trunk ecommerce

Posted by Shrilesh Korgaonkar on Apr 15, 2021; 8:07am
URL: http://ofbiz.116.s1.nabble.com/Not-able-to-upload-party-content-using-trunk-ecommerce-tp4767940p4767947.html

Hi Jacques,

Step 1: go-to the e-commerce website login as DemoCustomer
Step 2: go-to profile page find party content uploaded / File Manager
step 3: add/browse a file 
step 4: Select Purpose - Internal Content/User Defined Content and click to upload

you will get the same error
the file is getting uploaded but at the end of
DataServices.groovy
---> def attachUploadToDataResource()
---> return saveLocalFileDataResource(parameters.dataResourceTypeId)
---> result = run service: "createAnonFile", with: fileCtx
---> createFileNoPerm
---> createFileMethod(dctx, context);
---> if (!org.apache.ofbiz.security.SecuredUpload.isValidFile(file.getAbsolutePath(), "Text", delegator))
---> return ServiceUtil.returnError(errorMessage);
Due to the issue I talked above

I also uploaded that file which I'm using to upload on party content uploaded
name of the file which I'm uploading (AAAAJPJ1.JPEG,AAAAJPJ1.png)
And ScreenShots of the demo website and I also tried locally

Regards,
Shrilesh K.

On Wed, Apr 14, 2021 at 11:06 PM Jacques Le Roux <[hidden email]> wrote:
Hi Shrilesh,

In which cases exactly the file names are rejected (length, name, etc.) ? We can also consider the content.upload.path.prefix indeed...

Jacques

Le 14/04/2021 à 17:24, Shrilesh Korgaonkar a écrit :
> Hi Guys,
>
> While performing testing of
> https://issues.apache.org/jira/browse/OFBIZ-10746 issue reported a while
> back, I have noticed that if I try uploading a file it now fails for
> different reasons as the file name is being considered invalid
>
> At first glance, it looks like due to fixes introduced recently due to
> below issues
> 1. Secure the uploads (OFBIZ-12080)
> 2. addImageForProduct fails (OFBIZ-12211)
>
> Of course, it could be bypassed for now by setting property
> *allowAllUploads=true
> *security.properties.
>
> However, was wondering if the below code block from class
> *SecuredUpload.java* should have allowed URLs that also contain
> *content.upload.path.prefix* value? same as what is being done for product
> image URLs.
>
>
>
> if (fileToCheck.length() > 4096) {
>                  Debug.logError("Uploaded file name too long", MODULE);
>                  return false;
>              *} else if (p.toString().contains(imageServerUrl)) {*
>                  if (file.matches("[a-zA-Z0-9-_ ()]{1,4086}.[a-zA-Z0-9-_
> ]{1,10}")) { // "(" and ")" for duplicates files
>                      wrongFile = false;
>                  } else if (!file.matches("[a-zA-Z0-9-_
> ]{1,4086}.[a-zA-Z0-9-_ ]{1,10}")) {
>                      wrongFile = false;
>                  }
>              }
>
> Let me know what the thoughts are and if need be happy to raise an issue so
> that it could be tracked
>
>
> Regards,
> Shrilesh K.

Free forum by Nabble Edit this page