
Re: Not able to upload party content using trunk ecommerce

Posted by Jacques Le Roux on Apr 15, 2021; 5:04pm
URL: http://ofbiz.116.s1.nabble.com/Not-able-to-upload-party-content-using-trunk-ecommerce-tp4767940p4767968.html

Hi Shrilesh,

I found the issue. I have attached a patch at https://issues.apache.org/jira/browse/OFBIZ-12080

Please test on your side after applying the patch and confirm it's OK with you

TIA

Jacques

On 15/04/2021 at 17:48, Jacques Le Roux wrote:

> Hi,
>
> This was not my question. I wanted to know if you set a value to content.upload.path.prefix, if yes which one, maybe a URL (should not be used in
> content.upload.path.prefix as the comment in content properties says).
>
> This mailing list does not accept attachments, but anyway if your file name is "AAAAJPJ1.JPEG,AAAAJPJ1.png" (not 2 files AAAAJPJ1.JPEG or
> AAAAJPJ1.png) then it can't work as the message says:
>
>   << For security reason only valid files of supported image formats (GIF, JPEG, PNG, TIFF), SVG, PDF, and ZIP or text files with safe names (only
>   Alpha-Numeric characters, hyphen, underscore and spaces, only 1 dot, name and extension not empty) and contents are accepted.>>
>
> This said, I have tried locally and it works for AAAAJPJ1.JPEG but weirdly not on trunk demo indeed. I guess it's because I use Windows and the
> trunk demo is on Ubuntu.
>
> I'll check that and will get back to you
>
> Thanks for reporting
>
> Jacques
>
> On 15/04/2021 at 14:47, Shrilesh Korgaonkar wrote:
>> Hi Guys,
>> Just say.. please use this URL https://demo-trunk.ofbiz.apache.org/ecommerce/control/main, using profile page of DemoCustomer user try to upload attached file
>> (AAAAJPJ1.JPEG,AAAAJPJ1.png) or any
>>
>> Step 1: go-to the e-commerce website login as DemoCustomer
>> Step 2: go-to profile page find party content uploaded / File Manager
>> step 3: add/browse a file
>> step 4: Select Purpose - Internal Content/User Defined Content and click to upload
>>
>>
>> On Thu, Apr 15, 2021 at 4:08 PM Jacques Le Roux <[hidden email]> wrote:
>>
>>     For instance, do you use a URL?
>>
>>     On 15/04/2021 at 11:20, Jacques Le Roux wrote:
>>     > Hi Shrilesh,
>>     >
>>     > It works for me with files named GCS_009.jpg and GCS_004.jpeg
>>     >
>>     > You mentioned content.upload.path.prefix. Did you set a value there and if yes which one?
>>     >
>>     > Jacques
>>     >
>>     > On 15/04/2021 at 10:07, Shrilesh Korgaonkar wrote:
>>     >> Hi Jacques,
>>     >>
>>     >> Step 1: go-to the e-commerce website login as DemoCustomer
>>     >> Step 2: go-to profile page find party content uploaded / File Manager
>>     >> step 3: add/browse a file
>>     >> step 4: Select Purpose - Internal Content/User Defined Content and click to upload
>>     >>
>>     >> you will get the same error
>>     >> the file is getting uploaded but at the end of
>>     >> DataServices.groovy
>>     >> ---> def attachUploadToDataResource()
>>     >> ---> return saveLocalFileDataResource(parameters.dataResourceTypeId)
>>     >> ---> result = run service: "createAnonFile", with: fileCtx
>>     >> ---> createFileNoPerm
>>     >> ---> createFileMethod(dctx, context);
>>     >> ---> if (!org.apache.ofbiz.security.SecuredUpload.isValidFile(file.getAbsolutePath(), "Text", delegator))
>>     >> ---> return ServiceUtil.returnError(errorMessage);
>>     >> Due to the issue I talked about above
>>     >>
>>     >> I also uploaded that file which I'm using to upload on party content uploaded
>>     >> name of the file which I'm uploading (AAAAJPJ1.JPEG,AAAAJPJ1.png)
>>     >> And ScreenShots of the demo website and I also tried locally
>>     >>
>>     >> Regards,
>>     >> Shrilesh K.
>>     >>
>>     >> On Wed, Apr 14, 2021 at 11:06 PM Jacques Le Roux <[hidden email]> wrote:
>>     >>
>>     >>     Hi Shrilesh,
>>     >>
>>     >>     In which cases exactly are the file names rejected (length, name, etc.)? We can also consider the content.upload.path.prefix indeed...
>>     >>
>>     >>     Jacques
>>     >>
>>     >>     On 14/04/2021 at 17:24, Shrilesh Korgaonkar wrote:
>>     >>     > Hi Guys,
>>     >>     >
>>     >>     > While performing testing of
>>     >>     > https://issues.apache.org/jira/browse/OFBIZ-10746 issue reported a while
>>     >>     > back, I have noticed that if I try uploading a file it now fails for
>>     >>     > different reasons as the file name is being considered invalid
>>     >>     >
>>     >>     > At first glance, it looks like due to fixes introduced recently due to
>>     >>     > below issues
>>     >>     > 1. Secure the uploads (OFBIZ-12080)
>>     >>     > 2. addImageForProduct fails (OFBIZ-12211)
>>     >>     >
>>     >>     > Of course, it could be bypassed for now by setting property
>>     >>     > allowAllUploads=true in security.properties.
>>     >>     >
>>     >>     > However, I was wondering if the below code block from class
>>     >>     > SecuredUpload.java should have allowed URLs that also contain the
>>     >>     > content.upload.path.prefix value, the same as what is being done for product
>>     >>     > image URLs.
>>     >>     >
>>     >>     >
>>     >>     > if (fileToCheck.length() > 4096) {
>>     >>     >     Debug.logError("Uploaded file name too long", MODULE);
>>     >>     >     return false;
>>     >>     > } else if (p.toString().contains(imageServerUrl)) {
>>     >>     >     if (file.matches("[a-zA-Z0-9-_ ()]{1,4086}.[a-zA-Z0-9-_ ]{1,10}")) { // "(" and ")" for duplicates files
>>     >>     >         wrongFile = false;
>>     >>     >     } else if (!file.matches("[a-zA-Z0-9-_ ]{1,4086}.[a-zA-Z0-9-_ ]{1,10}")) {
>>     >>     >         wrongFile = false;
>>     >>     >     }
>>     >>     > }
>>     >>     >
>>     >>     > Let me know what the thoughts are and if need be happy to raise an issue so
>>     >>     > that it could be tracked
>>     >>     >
>>     >>     >
>>     >>     > Regards,
>>     >>     > Shrilesh K.
>>     >>
>>
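The file-name rule quoted in the error message above (alphanumerics, hyphen, underscore and spaces, exactly one dot, non-empty name and extension, a fixed set of extensions) as a stand-alone check; this is an added example, not OFBiz's SecuredUpload.java, and the extension set, the 4096/10 length limits and the sample names are assumptions made for the demo. It shows why "AAAAJPJ1.JPEG,AAAAJPJ1.png" (comma, two dots) is rejected while "GCS_009.jpg" and a browser-style duplicate "photo (1).png" pass.

```python
"""Stand-alone check for an uploaded file's bare name (added example, not OFBiz code)."""
import re
from typing import Tuple

# Assumed allowed-extension set, taken from the formats the error message lists
# (GIF, JPEG, PNG, TIFF, SVG, PDF, ZIP and text).
ALLOWED_EXTENSIONS = {"gif", "jpg", "jpeg", "png", "tif", "tiff",
                      "svg", "pdf", "zip", "txt"}

# Whole-string pattern: the dot is escaped so it only matches a literal dot,
# and neither class contains a dot, so exactly one dot is enforced.  "(" and
# ")" are allowed in the name part because browsers append "(1)" to duplicate
# downloads.  The 4085/10 lengths are assumed limits for this example.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_ ()-]{1,4085}\.[A-Za-z0-9_ -]{1,10}$")
MAX_LEN = 4096  # assumed overall limit, mirrors the 4096 check quoted above


def check_file_name(name: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for the bare file name of an upload."""
    if len(name) > MAX_LEN:
        return False, "name too long"
    if "/" in name or "\\" in name:
        # A bare name never carries a directory component.
        return False, "path separators are not allowed"
    if not SAFE_NAME.fullmatch(name):
        return False, "name must be <safe chars>.<ext> with exactly one dot"
    ext = name.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension ." + ext + " is not in the allowed list"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample names, including the one reported in the thread.
    for n in ["GCS_009.jpg", "AAAAJPJ1.JPEG", "photo (1).png",
              "AAAAJPJ1.JPEG,AAAAJPJ1.png", "report.pdf.exe", "../etc/passwd"]:
        print(repr(n).ljust(32), "->", check_file_name(n))
```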