This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/trunk by this push:
     new 7c9164a24b Improved: SecuredUpload, impossible to upload a text file 
in the "All" case (OFBIZ-13139)
7c9164a24b is described below

commit 7c9164a24bc6ef3ecbbe99f06f19f4c6c97a1362
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Thu Sep 12 10:58:55 2024 +0200

    Improved: SecuredUpload, impossible to upload a text file in the "All" case 
(OFBIZ-13139)
    
    Small change, it's better to call isPdfFile() inside isValidPdfFile()
---
 .../src/main/java/org/apache/ofbiz/security/SecuredUpload.java     | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git 
a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java 
b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
index 1a276dc6b0..8e83b452bb 100644
--- 
a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
+++ 
b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
@@ -331,7 +331,7 @@ public class SecuredUpload {
                     || isValidCompressedFile(fileToCheck, delegator)
                     || isValidAudioFile(fileToCheck)
                     || isValidVideoFile(fileToCheck)
-                    || isPdfFile(fileToCheck) && isValidPdfFile(fileToCheck)
+                    || isValidPdfFile(fileToCheck)
                     || isValidCsvFile(fileToCheck)) {
                 return true;
             }
@@ -501,6 +501,7 @@ public class SecuredUpload {
             new PdfReader(file.getAbsolutePath()); // Just a check
             return true;
         } catch (Exception e) {
+            // If it's not a PDF then exception will be thrown and return will 
be false
             return false;
         }
     }
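Review bot: The probe `new PdfReader(file.getAbsolutePath()); // Just a check` discards the reader without closing it, and with this commit every PDF candidate passes through this probe and then through a second `new PdfReader(...)` in isValidPdfFile. Whether this PdfReader keeps the file open after construction is not visible here; if it does, each checked upload leaves a handle behind, and `PdfReader probe = new PdfReader(file.getAbsolutePath()); probe.close();` would release it. The added comment could also state that the catch-all treats an I/O failure the same as a non-PDF, which is the fail-closed result an upload check wants. The method starts outside the hunk.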
@@ -510,6 +511,9 @@ public class SecuredUpload {
      * @return true if it's a safe PDF file: is a PDF, and contains only 1 
embedded readable (valid and secure) XML file (zUGFeRD)
      */
     private static boolean isValidPdfFile(String fileName) {
+        if (!isPdfFile(fileName)) {
+            return false;
+        }
         File file = new File(fileName);
         boolean safeState = false;
         boolean canParseZUGFeRD = true;
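Review bot: With the `isPdfFile(fileName)` guard at the top of isValidPdfFile, an accepted upload is parsed twice: once in the guard and once at `new PdfReader(file.getAbsolutePath())` further down (visible in the next hunk). The PDF parser therefore runs twice on untrusted bytes, and the two reads go through the path rather than one open stream, so they are not guaranteed to see the same content. If the later parse already sits in a try/catch that returns false (the removed comment suggests so, but the catch is outside the hunk), the guard adds no rejection power. A comment stating its purpose would help, for example `// Pre-check: reject non-PDF input here; the checks below assume a parsable PDF`.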
@@ -518,7 +522,6 @@ public class SecuredUpload {
                 return safeState;
             }
             // Load stream in PDF parser
-            // If the stream is not a PDF then exception will be thrown and 
safe state will be set to FALSE
             PdfReader reader = new PdfReader(file.getAbsolutePath());
             // Check 1: detect if the document contains any JavaScript code
             String jsCode = reader.getJavaScript();
