Hi Shrilesh, It works for me with files named GCS_009.jpg and GCS_004.jpeg
You mentioned content.upload.path.prefix. Did you set a value there and if yes which one? Jacques Le 15/04/2021 à 10:07, Shrilesh Korgaonkar a écrit :
Hi Jacques, Step 1: go-to the e-commerce website login as DemoCustomer Step 2: go-to profile page find party content uploaded / File Manager step 3: add/browse a file step 4: Select Purpose - Internal Content/User Defined Content and click to upload you will get the same error the file is getting uploaded but at the end of *DataServices.groovy ---> def attachUploadToDataResource() ---> return saveLocalFileDataResource(parameters.dataResourceTypeId) ---> result = run service: "createAnonFile", with: fileCtx ---> createFileNoPerm ---> createFileMethod(dctx, context); ---> if (!org.apache.ofbiz.security.SecuredUpload.isValidFile(file.getAbsolutePath(), "Text", delegator)) ---> return ServiceUtil.returnError(errorMessage);* Due to the issue I talked above I also uploaded that file which I'm using to upload on party content uploaded name of the file which I'm uploading (AAAAJPJ1.JPEG,AAAAJPJ1.png) And ScreenShots of the demo website and I also tried locally Regards, Shrilesh K. On Wed, Apr 14, 2021 at 11:06 PM Jacques Le Roux <jacques.le.r...@les7arts.com <mailto:jacques.le.r...@les7arts.com>> wrote: Hi Shrilesh, In which cases exactly the file names are rejected (length, name, etc.) ? We can also consider the content.upload.path.prefix indeed... Jacques Le 14/04/2021 à 17:24, Shrilesh Korgaonkar a écrit : > Hi Guys, > > While performing testing of > https://issues.apache.org/jira/browse/OFBIZ-10746 <https://issues.apache.org/jira/browse/OFBIZ-10746> issue reported a while > back, I have noticed that if I try uploading a file it now fails for > different reasons as the file name is being considered invalid > > At first glance, it looks like due to fixes introduced recently due to > below issues > 1. Secure the uploads (OFBIZ-12080) > 2. addImageForProduct fails (OFBIZ-12211) > > Of course, it could be bypassed for now by setting property > *allowAllUploads=true > *security.properties. > > However, was wondering if the below code block from class > *SecuredUpload.java* should have allowed URLs that also contain > *content.upload.path.prefix* value? same as what is being done for product > image URLs. > > > > if (fileToCheck.length() > 4096) { > Debug.logError("Uploaded file name too long", MODULE); > return false; > *} else if (p.toString().contains(imageServerUrl)) {* > if (file.matches("[a-zA-Z0-9-_ ()]{1,4086}.[a-zA-Z0-9-_ > ]{1,10}")) { // "(" and ")" for duplicates files > wrongFile = false; > } else if (!file.matches("[a-zA-Z0-9-_ > ]{1,4086}.[a-zA-Z0-9-_ ]{1,10}")) { > wrongFile = false; > } > } > > Let me know what the thoughts are and if need be happy to raise an issue so > that it could be tracked > > > Regards, > Shrilesh K.
