Re: Not able to upload party content using trunk ecommerce
Posted by
Shrilesh Korgaonkar on
Apr 16, 2021; 6:25am
URL: http://ofbiz.116.s1.nabble.com/Not-able-to-upload-party-content-using-trunk-ecommerce-tp4767940p4767976.html
Hi Jacques,
Thank You for the patch, it's working now
On Thu, Apr 15, 2021 at 10:34 PM Jacques Le Roux <
[hidden email]> wrote:
Hi Shrilesh,
I found the issue. I have attached a patch at https://issues.apache.org/jira/browse/OFBIZ-12080
Please test on your side after applying the patch and confirm it's OK with you
TIA
Jacques
Le 15/04/2021 à 17:48, Jacques Le Roux a écrit :
> Hi,
>
> This was not my question. I wanted to know if you set a value to content.upload.path.prefix, if yes which one, maybe an URL (should not be used in
> content.upload.path.prefix as the comment in content properties says).
>
> This mailing list does not accept attachments, but anyway if your file name is "AAAAJPJ1.JPEG,AAAAJPJ1.png" (not 2 files AAAAJPJ1.JPEG or
> AAAAJPJ1.png) then it can't work as the message says:
>
> << For security reason only valid files of supported image formats (GIF, JPEG, PNG, TIFF), SVG, PDF, and ZIP or text files with safe names (only
> Alpha-Numeric characters, hyphen, underscore and spaces, only 1 dot, name and extension not empty) and contents are accepted.>>
>
> This said, I have tried locally and it works for AAAAJPJ1.JPEG but weirdly not on trunk demo indeed. I guess it's because I use Windows and the
> trunk trunk demo is on Ubuntu.
>
> I'll check that and will get back to you
>
> Thanks for reporting
>
> Jacques
>
> Le 15/04/2021 à 14:47, Shrilesh Korgaonkar a écrit :
>> Hi Guys,
>> Just say.. please use this URL https://demo-trunk.ofbiz.apache.org/ecommerce/control/main
>> <https://demo-trunk.ofbiz.apache.org/ecommerce/control/main>, using profile page of DemoCustomer user try to upload attached file
>> (AAAAJPJ1.JPEG,AAAAJPJ1.png) or any
>>
>> Step 1: go-to the e-commerce website login as DemoCustomer
>> Step 2: go-to profile page find party content uploaded / File Manager
>> step 3: add/browse a file
>> step 4: Select Purpose - Internal Content/User Defined Content and click to upload
>>
>>
>> On Thu, Apr 15, 2021 at 4:08 PM Jacques Le Roux <[hidden email] <mailto:[hidden email]>> wrote:
>>
>> For instance, do you use an URL?
>>
>> Le 15/04/2021 à 11:20, Jacques Le Roux a écrit :
>> > Hi Shrilesh,
>> >
>> > It works for me with files named GCS_009.jpg and GCS_004.jpeg
>> >
>> > You mentioned content.upload.path.prefix. Did you set a value there and if yes which one?
>> >
>> > Jacques
>> >
>> > Le 15/04/2021 à 10:07, Shrilesh Korgaonkar a écrit :
>> >> Hi Jacques,
>> >>
>> >> Step 1: go-to the e-commerce website login as DemoCustomer
>> >> Step 2: go-to profile page find party content uploaded / File Manager
>> >> step 3: add/browse a file
>> >> step 4: Select Purpose - Internal Content/User Defined Content and click to upload
>> >>
>> >> you will get the same error
>> >> the file is getting uploaded but at the end of
>> >> *DataServices.groovy
>> >> ---> def attachUploadToDataResource()
>> >> ---> return saveLocalFileDataResource(parameters.dataResourceTypeId)
>> >> ---> result = run service: "createAnonFile", with: fileCtx
>> >> ---> createFileNoPerm
>> >> ---> createFileMethod(dctx, context);
>> >> ---> if (!org.apache.ofbiz.security.SecuredUpload.isValidFile(file.getAbsolutePath(), "Text", delegator))
>> >> ---> return ServiceUtil.returnError(errorMessage);*
>> >> Due to the issue I talked above
>> >>
>> >> I also uploaded that file which I'm using to upload on party content uploaded
>> >> name of the file which I'm uploading (AAAAJPJ1.JPEG,AAAAJPJ1.png)
>> >> And ScreenShots of the demo website and I also tried locally
>> >>
>> >> Regards,
>> >> Shrilesh K.
>> >>
>> >> On Wed, Apr 14, 2021 at 11:06 PM Jacques Le Roux <[hidden email] <mailto:[hidden email]>
>> <mailto:[hidden email] <mailto:[hidden email]>>> wrote:
>> >>
>> >> Hi Shrilesh,
>> >>
>> >> In which cases exactly the file names are rejected (length, name, etc.) ? We can also consider the content.upload.path.prefix indeed...
>> >>
>> >> Jacques
>> >>
>> >> Le 14/04/2021 à 17:24, Shrilesh Korgaonkar a écrit :
>> >> > Hi Guys,
>> >> >
>> >> > While performing testing of
>> >> > https://issues.apache.org/jira/browse/OFBIZ-10746 <https://issues.apache.org/jira/browse/OFBIZ-10746>
>> <https://issues.apache.org/jira/browse/OFBIZ-10746 <https://issues.apache.org/jira/browse/OFBIZ-10746>> issue reported a while
>> >> > back, I have noticed that if I try uploading a file it now fails for
>> >> > different reasons as the file name is being considered invalid
>> >> >
>> >> > At first glance, it looks like due to fixes introduced recently due to
>> >> > below issues
>> >> > 1. Secure the uploads (OFBIZ-12080)
>> >> > 2. addImageForProduct fails (OFBIZ-12211)
>> >> >
>> >> > Of course, it could be bypassed for now by setting property
>> >> > *allowAllUploads=true
>> >> > *security.properties.
>> >> >
>> >> > However, was wondering if the below code block from class
>> >> > *SecuredUpload.java* should have allowed URLs that also contain
>> >> > *content.upload.path.prefix* value? same as what is being done for product
>> >> > image URLs.
>> >> >
>> >> >
>> >> >
>> >> > if (fileToCheck.length() > 4096) {
>> >> > Debug.logError("Uploaded file name too long", MODULE);
>> >> > return false;
>> >> > *} else if (p.toString().contains(imageServerUrl)) {*
>> >> > if (file.matches("[a-zA-Z0-9-_ ()]{1,4086}.[a-zA-Z0-9-_
>> >> > ]{1,10}")) { // "(" and ")" for duplicates files
>> >> > wrongFile = false;
>> >> > } else if (!file.matches("[a-zA-Z0-9-_
>> >> > ]{1,4086}.[a-zA-Z0-9-_ ]{1,10}")) {
>> >> > wrongFile = false;
>> >> > }
>> >> > }
>> >> >
>> >> > Let me know what the thoughts are and if need be happy to raise an issue so
>> >> > that it could be tracked
>> >> >
>> >> >
>> >> > Regards,
>> >> > Shrilesh K.
>> >>
>>