This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release18.12 by this push:
     new 81fd7c74c2 Fixed: Upload image size issue (OFBIZ-12639)
81fd7c74c2 is described below

commit 81fd7c74c2d5465ee789191c2de06bb0818dd776
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Tue Sep 10 09:10:39 2024 +0200

    Fixed: Upload image size issue (OFBIZ-12639)
    
    SecuredUpload::checkMaxLinesLength does not work when the charset used to create
    the file is not the same as the one used when uploading. It's a known problem.
    
    This at least allows images to be uploaded.
    
    I'll check if we can improve the call in SecuredUpload::checkMaxLinesLength to
    FileUtils.readLines() (Apache commons.io) according to
    http://illegalargumentexception.blogspot.com/2009/05/java-rough-guide-to-character-encoding.html#javaencoding_autodetect
    
    See https://lists.apache.org/thread/dv4yjpknms5zd2l73wb8ht3s0db2wx2v for details
    
    Conflict handled by hand, also adds from trunk "handling" of msoffice files
---
 .../src/main/java/org/apache/ofbiz/security/SecuredUpload.java    | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git 
a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java 
b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
index f6e17b871a..a2d5e8f0e7 100644
--- 
a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
+++ 
b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
@@ -207,7 +207,13 @@ public class SecuredUpload {
         // PDF files are not concerned because they may contain several 
CharSet encodings
         // hence no possibility to use Files::readAllLines that needs a sole 
CharSet
         if (!isPdfFile(fileToCheck)) {
-            if (!checkMaxLinesLength(fileToCheck)) {
+            if 
(getMimeTypeFromFileName(fileToCheck).equals("application/x-tika-msoffice")) {
+                Debug.logError("File : " + fileToCheck + ", is a MS Office 
file."
+                        + " It can't be uploaded for security reason. Try to 
transform a Word file to PDF, "
+                        + "and an Excel file to CSV. For other file types try 
PDF.", MODULE);
+                return false;
+            }
+            if (!isValidImageIncludingSvgFile(fileToCheck) && 
!checkMaxLinesLength(fileToCheck)) {
                 Debug.logError("For security reason lines over " + 
MAXLINELENGTH.toString() + " are not allowed", MODULE);
                 return false;
             }
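
Review bot: In the new condition `!isValidImageIncludingSvgFile(fileToCheck) && !checkMaxLinesLength(fileToCheck)`, any file that passes the image check now skips the line-length limit entirely, and going by the method name that includes SVG, which is a text format for which the limit is still meaningful. Consider restricting the bypass to binary image formats and keeping `checkMaxLinesLength` for SVG, or confirm that the SVG validation (its body is not visible in this hunk) covers what the line-length limit was guarding against. The comment above the block still names only PDF as exempt and should be updated to mention images. Separately, `getMimeTypeFromFileName(fileToCheck).equals("application/x-tika-msoffice")` throws a NullPointerException if the helper can ever return null; putting the constant first, `"application/x-tika-msoffice".equals(getMimeTypeFromFileName(fileToCheck))`, avoids that.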
