
Re: Not able to upload party content using trunk ecommerce

Posted by Jacques Le Roux on Apr 15, 2021; 9:20am
URL: http://ofbiz.116.s1.nabble.com/Not-able-to-upload-party-content-using-trunk-ecommerce-tp4767940p4767948.html

Hi Shrilesh,

It works for me with files named GCS_009.jpg and GCS_004.jpeg

You mentioned content.upload.path.prefix. Did you set a value there and if yes which one?

Jacques

On 15/04/2021 at 10:07, Shrilesh Korgaonkar wrote:

> Hi Jacques,
>
> Step 1: Go to the e-commerce website and log in as DemoCustomer
> Step 2: Go to the profile page, find party content uploaded / File Manager
> Step 3: Add/browse a file
> Step 4: Select Purpose - Internal Content/User Defined Content and click to upload
>
> you will get the same error
> the file is getting uploaded but at the end of
> *DataServices.groovy
> ---> def attachUploadToDataResource()
> ---> return saveLocalFileDataResource(parameters.dataResourceTypeId)
> ---> result = run service: "createAnonFile", with: fileCtx
> ---> createFileNoPerm
> ---> createFileMethod(dctx, context);
> ---> if (!org.apache.ofbiz.security.SecuredUpload.isValidFile(file.getAbsolutePath(), "Text", delegator))
> ---> return ServiceUtil.returnError(errorMessage);*
> Due to the issue I talked about above
>
> I also uploaded that file which I'm using to upload on party content uploaded
> name of the file which I'm uploading (AAAAJPJ1.JPEG,AAAAJPJ1.png)
> And ScreenShots of the demo website and I also tried locally
>
> Regards,
> Shrilesh K.
>
> On Wed, Apr 14, 2021 at 11:06 PM Jacques Le Roux <[hidden email]> wrote:
>
>     Hi Shrilesh,
>
>     In which cases exactly are the file names rejected (length, name, etc.)? We can also consider the content.upload.path.prefix indeed...
>
>     Jacques
>
>     On 14/04/2021 at 17:24, Shrilesh Korgaonkar wrote:
>     > Hi Guys,
>     >
>     > While performing testing of
>     > https://issues.apache.org/jira/browse/OFBIZ-10746 issue reported a while
>     > back, I have noticed that if I try uploading a file it now fails for
>     > different reasons as the file name is being considered invalid
>     >
>     > At first glance, it looks like due to fixes introduced recently due to
>     > below issues
>     > 1. Secure the uploads (OFBIZ-12080)
>     > 2. addImageForProduct fails (OFBIZ-12211)
>     >
>     > Of course, it could be bypassed for now by setting property
>     > *allowAllUploads=true* in security.properties.
>     >
>     > However, was wondering if the below code block from class
>     > *SecuredUpload.java* should have allowed URLs that also contain
>     > *content.upload.path.prefix* value? same as what is being done for product
>     > image URLs.
>     >
>     >
>     >
>     > if (fileToCheck.length() > 4096) {
>     >     Debug.logError("Uploaded file name too long", MODULE);
>     >     return false;
>     > *} else if (p.toString().contains(imageServerUrl)) {*
>     >     if (file.matches("[a-zA-Z0-9-_ ()]{1,4086}.[a-zA-Z0-9-_ ]{1,10}")) { // "(" and ")" for duplicates files
>     >         wrongFile = false;
>     >     } else if (!file.matches("[a-zA-Z0-9-_ ]{1,4086}.[a-zA-Z0-9-_ ]{1,10}")) {
>     >         wrongFile = false;
>     >     }
>     > }
>     >
>     > Let me know what the thoughts are and if need be happy to raise an issue so
>     > that it could be tracked
>     >
>     >
>     > Regards,
>     > Shrilesh K.
>
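
A simplified model of the check discussed in this thread, added here as an illustration and not taken from OFBiz: the file name is matched against the quoted pattern only when the path contains a known location marker, so adding the `content.upload.path.prefix` value as a second marker changes the outcome for the party-content file names. The marker values, the sample paths, the `nameAccepted` helper and the reject-by-default fallback are assumptions.

```java
import java.util.List;

public class UploadNameCheck {
    // Pattern copied from the fragment quoted in the thread ("(" and ")" allowed for duplicate files).
    static final String NAME_PATTERN = "[a-zA-Z0-9-_ ()]{1,4086}.[a-zA-Z0-9-_ ]{1,10}";

    /** Hypothetical helper: the name is checked only if the path contains one of the markers. */
    static boolean nameAccepted(String fileToCheck, List<String> allowedMarkers) {
        if (fileToCheck.length() > 4096) {
            return false; // same length limit as the quoted fragment
        }
        String normalized = fileToCheck.replace('\\', '/');
        String file = normalized.substring(normalized.lastIndexOf('/') + 1);
        for (String marker : allowedMarkers) {
            if (normalized.contains(marker)) {
                // String.matches succeeds only if the whole name matches the pattern.
                return file.matches(NAME_PATTERN);
            }
        }
        // Assumption: a path under no known location is rejected without looking at the name.
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample values, not OFBiz defaults.
        String imageServerUrl = "/images";
        String uploadPrefix = "/runtime/uploads"; // stands in for content.upload.path.prefix
        List<String> imageOnly = List.of(imageServerUrl);
        List<String> both = List.of(imageServerUrl, uploadPrefix);
        String[] paths = {
            "/images/products/GCS_009.jpg",
            "/runtime/uploads/AAAAJPJ1.JPEG",
            "/runtime/uploads/AAAAJPJ1.png",
            "/runtime/uploads/report (1).jpeg",
            "/runtime/uploads/bad;name.jpg"
        };
        for (String path : paths) {
            System.out.printf("%-36s imageOnly=%-5b both=%b%n", path,
                    nameAccepted(path, imageOnly), nameAccepted(path, both));
        }
    }
}
```

With only the image marker configured, the well-formed names under the upload location are rejected because their path never reaches the name check; with both markers, only the name containing `;` is rejected.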