
Re: Not able to upload party content using trunk ecommerce

Posted by Jacques Le Roux on Apr 15, 2021; 3:48pm
URL: http://ofbiz.116.s1.nabble.com/Not-able-to-upload-party-content-using-trunk-ecommerce-tp4767940p4767963.html

Hi,

This was not my question. I wanted to know if you set a value to content.upload.path.prefix, if yes which one, maybe a URL (should not be used in
content.upload.path.prefix as the comment in content properties says).

This mailing list does not accept attachments, but anyway if your file name is "AAAAJPJ1.JPEG,AAAAJPJ1.png" (not 2 files AAAAJPJ1.JPEG or
AAAAJPJ1.png) then it can't work as the message says:

    << For security reason only valid files of supported image formats (GIF, JPEG, PNG, TIFF), SVG, PDF, and ZIP or text files with safe names (only
    Alpha-Numeric characters, hyphen, underscore and spaces, only 1 dot, name and extension not empty) and contents are accepted.>>

This said, I have tried locally and it works for AAAAJPJ1.JPEG but weirdly not on trunk demo indeed. I guess it's because I use Windows and the trunk
demo is on Ubuntu.

I'll check that and will get back to you

Thanks for reporting

Jacques

On 15/04/2021 at 14:47, Shrilesh Korgaonkar wrote:

> Hi Guys,
> Just say.. please use this URL https://demo-trunk.ofbiz.apache.org/ecommerce/control/main, using profile page of DemoCustomer user try to upload attached file
> (AAAAJPJ1.JPEG,AAAAJPJ1.png) or any
>
> Step 1: go-to the e-commerce website login as DemoCustomer
> Step 2: go-to profile page find party content uploaded / File Manager
> step 3: add/browse a file
> step 4: Select Purpose - Internal Content/User Defined Content and click to upload
>
>
> On Thu, Apr 15, 2021 at 4:08 PM Jacques Le Roux <[hidden email]> wrote:
>
>     For instance, do you use a URL?
>
>     On 15/04/2021 at 11:20, Jacques Le Roux wrote:
>     > Hi Shrilesh,
>     >
>     > It works for me with files named GCS_009.jpg and GCS_004.jpeg
>     >
>     > You mentioned content.upload.path.prefix. Did you set a value there and if yes which one?
>     >
>     > Jacques
>     >
>     > On 15/04/2021 at 10:07, Shrilesh Korgaonkar wrote:
>     >> Hi Jacques,
>     >>
>     >> Step 1: go-to the e-commerce website login as DemoCustomer
>     >> Step 2: go-to profile page find party content uploaded / File Manager
>     >> step 3: add/browse a file
>     >> step 4: Select Purpose - Internal Content/User Defined Content and click to upload
>     >>
>     >> you will get the same error
>     >> the file is getting uploaded but at the end of
>     >> *DataServices.groovy
>     >> ---> def attachUploadToDataResource()
>     >> ---> return saveLocalFileDataResource(parameters.dataResourceTypeId)
>     >> ---> result = run service: "createAnonFile", with: fileCtx
>     >> ---> createFileNoPerm
>     >> ---> createFileMethod(dctx, context);
>     >> ---> if (!org.apache.ofbiz.security.SecuredUpload.isValidFile(file.getAbsolutePath(), "Text", delegator))
>     >> ---> return ServiceUtil.returnError(errorMessage);*
>     >> Due to the issue I talked above
>     >>
>     >> I also uploaded that file which I'm using to upload on party content uploaded
>     >> name of the file which I'm uploading (AAAAJPJ1.JPEG,AAAAJPJ1.png)
>     >> And ScreenShots of the demo website and I also tried locally
>     >>
>     >> Regards,
>     >> Shrilesh K.
>     >>
>     >> On Wed, Apr 14, 2021 at 11:06 PM Jacques Le Roux <[hidden email]> wrote:
>     >>
>     >>     Hi Shrilesh,
>     >>
>     >>     In which cases exactly the file names are rejected (length, name, etc.) ? We can also consider the content.upload.path.prefix indeed...
>     >>
>     >>     Jacques
>     >>
>     >>     On 14/04/2021 at 17:24, Shrilesh Korgaonkar wrote:
>     >>     > Hi Guys,
>     >>     >
>     >>     > While performing testing of
>     >>     > https://issues.apache.org/jira/browse/OFBIZ-10746 issue reported a while
>     >>     > back, I have noticed that if I try uploading a file it now fails for
>     >>     > different reasons as the file name is being considered invalid
>     >>     >
>     >>     > At first glance, it looks like due to fixes introduced recently due to
>     >>     > below issues
>     >>     > 1. Secure the uploads (OFBIZ-12080)
>     >>     > 2. addImageForProduct fails (OFBIZ-12211)
>     >>     >
>     >>     > Of course, it could be bypassed for now by setting property
>     >>     > *allowAllUploads=true
>     >>     > *security.properties.
>     >>     >
>     >>     > However, was wondering if the below code block from class
>     >>     > *SecuredUpload.java* should have allowed URLs that also contain
>     >>     > *content.upload.path.prefix* value? same as what is being done for product
>     >>     > image URLs.
>     >>     >
>     >>     >
>     >>     >
>     >>     > if (fileToCheck.length() > 4096) {
>     >>     >                  Debug.logError("Uploaded file name too long", MODULE);
>     >>     >                  return false;
>     >>     >              *} else if (p.toString().contains(imageServerUrl)) {*
>     >>     >                  if (file.matches("[a-zA-Z0-9-_ ()]{1,4086}.[a-zA-Z0-9-_ ]{1,10}")) { // "(" and ")" for duplicates files
>     >>     >                      wrongFile = false;
>     >>     >                  } else if (!file.matches("[a-zA-Z0-9-_ ]{1,4086}.[a-zA-Z0-9-_ ]{1,10}")) {
>     >>     >                      wrongFile = false;
>     >>     >                  }
>     >>     >              }
>     >>     >
>     >>     > Let me know what the thoughts are and if need be happy to raise an issue so
>     >>     > that it could be tracked
>     >>     >
>     >>     >
>     >>     > Regards,
>     >>     > Shrilesh K.
>     >>
>
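
The file-name rule quoted in the error message above, checked against the names mentioned in this thread, as an added example (not OFBiz code and not written by either poster). The class, method and constant names are hypothetical; the character class and length bounds are copied from the snippet quoted in the thread, and the second pattern escapes the dot so that only a literal dot can separate name and extension.

```java
import java.util.regex.Pattern;

// Added illustration; class, method and constant names are hypothetical, not OFBiz's.
public class SafeUploadNameDemo {
    // Character class and bounds as quoted in the thread; the separator dot is
    // unescaped there, so it matches any single character.
    static final Pattern AS_QUOTED =
            Pattern.compile("[a-zA-Z0-9-_ ]{1,4086}.[a-zA-Z0-9-_ ]{1,10}");
    // Same bounds with the dot escaped: one literal dot, name and extension non-empty.
    static final Pattern ONE_LITERAL_DOT =
            Pattern.compile("[a-zA-Z0-9-_ ]{1,4086}\\.[a-zA-Z0-9-_ ]{1,10}");

    /** Returns null when the name is acceptable, otherwise the reason for rejection. */
    static String rejectReason(String fileName) {
        if (fileName == null || fileName.isEmpty()) return "empty name";
        if (fileName.length() > 4096) return "name too long";
        if (ONE_LITERAL_DOT.matcher(fileName).matches()) return null;
        long dots = fileName.chars().filter(c -> c == '.').count();
        if (dots != 1) return "expected exactly 1 dot, found " + dots;
        int dot = fileName.indexOf('.');
        if (dot == 0 || dot == fileName.length() - 1) return "name or extension empty";
        return "character outside [a-zA-Z0-9-_ ] or extension longer than 10";
    }

    public static void main(String[] args) {
        // File names taken from the thread, plus two constructed edge cases.
        String[] samples = {
            "GCS_009.jpg", "GCS_004.jpeg", "AAAAJPJ1.JPEG",
            "AAAAJPJ1.JPEG,AAAAJPJ1.png",   // one name containing a comma and two dots
            "AAAAJPJ1_JPEG",                // constructed: no dot at all
            ".JPEG"                         // constructed: empty name part
        };
        for (String s : samples) {
            String reason = rejectReason(s);
            System.out.printf("%-28s strict=%-8s asQuoted=%-5b %s%n", s,
                    reason == null ? "accept" : "reject",
                    AS_QUOTED.matcher(s).matches(),
                    reason == null ? "" : "(" + reason + ")");
        }
    }
}
```

The comma-joined name is rejected by both patterns, which matches the error message; the constructed `AAAAJPJ1_JPEG` is accepted only by the pattern with the unescaped dot.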