http://ofbiz.116.s1.nabble.com/Not-able-to-upload-party-content-using-trunk-ecommerce-tp4767940p4767984.html
> Hi Jacques,
>
> Thank You for the patch, it's working now
>
> Regards,
> Shrilesh K.
>
> On Thu, Apr 15, 2021 at 10:34 PM Jacques Le Roux <[hidden email]> wrote:
>
> Hi Shrilesh,
>
> I found the issue. I have attached a patch at https://issues.apache.org/jira/browse/OFBIZ-12080
>
> Please test on your side after applying the patch and confirm it's OK with you
>
> TIA
>
> Jacques
>
> On 15/04/2021 at 17:48, Jacques Le Roux wrote:
> > Hi,
> >
> > This was not my question. I wanted to know if you set a value to content.upload.path.prefix, if yes which one, maybe a URL (should not be used in
> > content.upload.path.prefix as the comment in content properties says).
> >
> > This mailing list does not accept attachments, but anyway if your file name is "AAAAJPJ1.JPEG,AAAAJPJ1.png" (not 2 files AAAAJPJ1.JPEG or
> > AAAAJPJ1.png) then it can't work as the message says:
> >
> > << For security reason only valid files of supported image formats (GIF, JPEG, PNG, TIFF), SVG, PDF, and ZIP or text files with safe names (only
> > Alpha-Numeric characters, hyphen, underscore and spaces, only 1 dot, name and extension not empty) and contents are accepted.>>
> >
> > This said, I have tried locally and it works for AAAAJPJ1.JPEG but weirdly not on trunk demo indeed. I guess it's because I use Windows and the
> > trunk demo is on Ubuntu.
> >
> > I'll check that and will get back to you
> >
> > Thanks for reporting
> >
> > Jacques
> >
> > On 15/04/2021 at 14:47, Shrilesh Korgaonkar wrote:
> >> Hi Guys,
> >> Just say.. please use this URL https://demo-trunk.ofbiz.apache.org/ecommerce/control/main, using profile page of DemoCustomer user try to upload attached file
> >> (AAAAJPJ1.JPEG,AAAAJPJ1.png) or any
> >>
> >> Step 1: go-to the e-commerce website login as DemoCustomer
> >> Step 2: go-to profile page find party content uploaded / File Manager
> >> step 3: add/browse a file
> >> step 4: Select Purpose - Internal Content/User Defined Content and click to upload
> >>
> >>
> >> On Thu, Apr 15, 2021 at 4:08 PM Jacques Le Roux <[hidden email]> wrote:
> >>
> >> For instance, do you use a URL?
> >>
> >> On 15/04/2021 at 11:20, Jacques Le Roux wrote:
> >> > Hi Shrilesh,
> >> >
> >> > It works for me with files named GCS_009.jpg and GCS_004.jpeg
> >> >
> >> > You mentioned content.upload.path.prefix. Did you set a value there and if yes which one?
> >> >
> >> > Jacques
> >> >
> >> > On 15/04/2021 at 10:07, Shrilesh Korgaonkar wrote:
> >> >> Hi Jacques,
> >> >>
> >> >> Step 1: go-to the e-commerce website login as DemoCustomer
> >> >> Step 2: go-to profile page find party content uploaded / File Manager
> >> >> step 3: add/browse a file
> >> >> step 4: Select Purpose - Internal Content/User Defined Content and click to upload
> >> >>
> >> >> you will get the same error
> >> >> the file is getting uploaded but at the end of
> >> >> *DataServices.groovy
> >> >> ---> def attachUploadToDataResource()
> >> >> ---> return saveLocalFileDataResource(parameters.dataResourceTypeId)
> >> >> ---> result = run service: "createAnonFile", with: fileCtx
> >> >> ---> createFileNoPerm
> >> >> ---> createFileMethod(dctx, context);
> >> >> ---> if (!org.apache.ofbiz.security.SecuredUpload.isValidFile(file.getAbsolutePath(), "Text", delegator))
> >> >> ---> return ServiceUtil.returnError(errorMessage);*
> >> >> Due to the issue I talked about above
> >> >>
> >> >> I also uploaded that file which I'm using to upload on party content uploaded
> >> >> name of the file which I'm uploading (AAAAJPJ1.JPEG,AAAAJPJ1.png)
> >> >> And ScreenShots of the demo website and I also tried locally
> >> >>
> >> >> Regards,
> >> >> Shrilesh K.
> >> >>
> >> >> On Wed, Apr 14, 2021 at 11:06 PM Jacques Le Roux <[hidden email]> wrote:
> >> >>
> >> >> Hi Shrilesh,
> >> >>
> >> >> In which cases exactly are the file names rejected (length, name, etc.)? We can also consider the content.upload.path.prefix indeed...
> >> >>
> >> >> Jacques
> >> >>
> >> >> On 14/04/2021 at 17:24, Shrilesh Korgaonkar wrote:
> >> >> > Hi Guys,
> >> >> >
> >> >> > While performing testing of
> >> >> > https://issues.apache.org/jira/browse/OFBIZ-10746 issue reported a while
> >> >> > back, I have noticed that if I try uploading a file it now fails for
> >> >> > different reasons as the file name is being considered invalid
> >> >> >
> >> >> > At first glance, it looks like due to fixes introduced recently due to
> >> >> > below issues
> >> >> > 1. Secure the uploads (OFBIZ-12080)
> >> >> > 2. addImageForProduct fails (OFBIZ-12211)
> >> >> >
> >> >> > Of course, it could be bypassed for now by setting property
> >> >> > *allowAllUploads=true
> >> >> > *security.properties.
> >> >> >
> >> >> > However, was wondering if the below code block from class
> >> >> > *SecuredUpload.java* should have allowed URLs that also contain
> >> >> > *content.upload.path.prefix* value? same as what is being done for product
> >> >> > image URLs.
> >> >> >
> >> >> >
> >> >> >
> >> >> > if (fileToCheck.length() > 4096) {
> >> >> >     Debug.logError("Uploaded file name too long", MODULE);
> >> >> >     return false;
> >> >> > *} else if (p.toString().contains(imageServerUrl)) {*
> >> >> >     if (file.matches("[a-zA-Z0-9-_ ()]{1,4086}.[a-zA-Z0-9-_ ]{1,10}")) { // "(" and ")" for duplicates files
> >> >> >         wrongFile = false;
> >> >> >     } else if (!file.matches("[a-zA-Z0-9-_ ]{1,4086}.[a-zA-Z0-9-_ ]{1,10}")) {
> >> >> >         wrongFile = false;
> >> >> >     }
> >> >> > }
> >> >> >
> >> >> > Let me know what the thoughts are and if need be happy to raise an issue so
> >> >> > that it could be tracked
> >> >> >
> >> >> >
> >> >> > Regards,
> >> >> > Shrilesh K.
> >> >>
> >>
>
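
Added example, not part of the thread and not OFBiz's own code: a stand-alone Java check for the file-name rule quoted in the error message above (alphanumerics, hyphen, underscore and spaces, exactly one dot, non-empty name and extension), applied to the last path element only. The class and method names, the sample directories and the choice to split on both `/` and `\` are assumptions; the second pattern from the quoted snippet is included only for comparison, since its unescaped `.` matches any character.

```java
import java.util.regex.Pattern;

public class UploadNameCheck {
    // Assumption: same limit as the length check quoted in the thread.
    static final int MAX_PATH_LENGTH = 4096;

    // Name and extension: alphanumerics, hyphen, underscore, space; exactly one
    // literal dot between them. The dot is escaped, so it cannot match a comma.
    static final Pattern SAFE_NAME =
            Pattern.compile("[A-Za-z0-9_ -]{1,4086}\\.[A-Za-z0-9_ -]{1,10}");

    // Second pattern string as quoted in the thread (dot unescaped), for comparison only.
    static final Pattern QUOTED =
            Pattern.compile("[a-zA-Z0-9-_ ]{1,4086}.[a-zA-Z0-9-_ ]{1,10}");

    // Last path element, splitting on both separators so the result does not
    // depend on the operating system the server runs on.
    static String baseName(String path) {
        int cut = Math.max(path.lastIndexOf('/'), path.lastIndexOf('\\'));
        return path.substring(cut + 1);
    }

    // True only if the path is short enough and its last element is a safe name.
    static boolean isSafeUploadName(String path) {
        if (path == null || path.length() > MAX_PATH_LENGTH) {
            return false;
        }
        return SAFE_NAME.matcher(baseName(path)).matches();
    }

    public static void main(String[] args) {
        // Constructed inputs: file names from the thread plus made-up directories.
        String[] samples = {
            "AAAAJPJ1.JPEG",
            "GCS_009.jpg",
            "AAAAJPJ1.JPEG,AAAAJPJ1.png",
            "/tmp/uploads/AAAAJPJ1.JPEG",
            "C:\\uploads\\GCS_004.jpeg",
            "AAAAJPJ1xJPEG",
            ".png",
        };
        for (String s : samples) {
            System.out.printf("%-30s strict=%-5b quoted=%b%n", s,
                    isSafeUploadName(s), QUOTED.matcher(baseName(s)).matches());
        }
    }
}
```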