This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release18.12 by this push:
new 857f85ffa3 Fixed: Secure the uploads (OFBIZ-12080)
857f85ffa3 is described below
commit 857f85ffa37f9bf761f61ba58626fbe8ac2e8a60
Author: Jacques Le Roux <[email protected]>
AuthorDate: Fri Dec 6 10:34:11 2024 +0100
Fixed: Secure the uploads (OFBIZ-12080)
For the same reason I explained to Danny in trunk, this renames `upload_file_type`
to `up_load_file_type`
# Conflicts handled by
EditCategory.groovy
EditProductConfigItemContent.groovy
ImageUpload.groovy
EditProductContent.groovy
EditProductConfigItemContent.ftl
---
.../groovyScripts/catalog/category/EditCategory.groovy | 2 +-
.../catalog/config/EditProductConfigItemContent.groovy | 2 +-
.../groovyScripts/catalog/imagemanagement/ImageUpload.groovy | 2 +-
.../groovyScripts/catalog/product/EditProductContent.groovy | 2 +-
applications/product/template/category/EditCategory.ftl | 8 ++++----
.../product/template/config/EditProductConfigItemContent.ftl | 4 ++--
applications/product/template/product/EditProductContent.ftl | 12 ++++++------
7 files changed, 16 insertions(+), 16 deletions(-)
diff --git
a/applications/product/groovyScripts/catalog/category/EditCategory.groovy
b/applications/product/groovyScripts/catalog/category/EditCategory.groovy
index f186a9a3e3..6de271c9dc 100644
--- a/applications/product/groovyScripts/catalog/category/EditCategory.groovy
+++ b/applications/product/groovyScripts/catalog/category/EditCategory.groovy
@@ -58,7 +58,7 @@ context.imageNameLinkTwo = imageUrlPrefix + "/" +
filenameExpander.expandString
forLock = new Object()
contentType = null
-fileType = request.getParameter("upload_file_type")
+fileType = request.getParameter('up_load_file_type')
if (fileType) {
context.fileType = fileType
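Review bot: The renamed parameter on the `+` line is still accepted as any non-empty string — the `if (fileType)` guard on the next line only tests for presence, so the rename changes the name an upload request must carry but does not constrain the value that the rest of the script (outside the hunk) goes on to use. The template that posts to this script, EditCategory.ftl in this same commit, only ever sends `category`, `linkOne` or `linkTwo`, so if no other caller depends on free-form values an allow-list would be the stronger check: `fileType = request.getParameter('up_load_file_type')` followed by `if (fileType in ['category', 'linkOne', 'linkTwo']) {`. The same presence-only check appears in the EditProductConfigItemContent.groovy, ImageUpload.groovy and EditProductContent.groovy hunks, each with its own value set taken from the matching template. The enclosing script continues past the hunk, so how fileType is consumed further down is not visible here.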
diff --git
a/applications/product/groovyScripts/catalog/config/EditProductConfigItemContent.groovy
b/applications/product/groovyScripts/catalog/config/EditProductConfigItemContent.groovy
index 435d5165a6..449d3e15f8 100644
---
a/applications/product/groovyScripts/catalog/config/EditProductConfigItemContent.groovy
+++
b/applications/product/groovyScripts/catalog/config/EditProductConfigItemContent.groovy
@@ -70,7 +70,7 @@ context.tryEntity = tryEntity
forLock = new Object()
contentType = null
-fileType = request.getParameter("upload_file_type")
+fileType = request.getParameter('up_load_file_type')
if (fileType) {
context.fileType = fileType
diff --git
a/applications/product/groovyScripts/catalog/imagemanagement/ImageUpload.groovy
b/applications/product/groovyScripts/catalog/imagemanagement/ImageUpload.groovy
index 9b569b78ad..1f6bb3e1c8 100644
---
a/applications/product/groovyScripts/catalog/imagemanagement/ImageUpload.groovy
+++
b/applications/product/groovyScripts/catalog/imagemanagement/ImageUpload.groovy
@@ -70,7 +70,7 @@ context.tryEntity = tryEntity
// UPLOADING STUFF
forLock = new Object()
contentType = null
-String fileType = request.getParameter("upload_file_type")
+String fileType = request.getParameter('up_load_file_type')
if (fileType) {
context.fileType = fileType
diff --git
a/applications/product/groovyScripts/catalog/product/EditProductContent.groovy
b/applications/product/groovyScripts/catalog/product/EditProductContent.groovy
index 5ea60f2c7c..202eb1e945 100644
---
a/applications/product/groovyScripts/catalog/product/EditProductContent.groovy
+++
b/applications/product/groovyScripts/catalog/product/EditProductContent.groovy
@@ -68,7 +68,7 @@ context.tryEntity = tryEntity
// UPLOADING STUFF
forLock = new Object()
contentType = null
-String fileType = request.getParameter("upload_file_type")
+String fileType = request.getParameter('up_load_file_type')
if (fileType) {
context.fileType = fileType
diff --git a/applications/product/template/category/EditCategory.ftl
b/applications/product/template/category/EditCategory.ftl
index f45fb7feee..89850f0cf5 100644
--- a/applications/product/template/category/EditCategory.ftl
+++ b/applications/product/template/category/EditCategory.ftl
@@ -213,15 +213,15 @@ function insertImageName(type,nameValue) {
<h3>${uiLabelMap.ProductCategoryUploadImage}</h3>
</div>
<div class="screenlet-body">
- <form method="post" enctype="multipart/form-data"
action="<@ofbizUrl>UploadCategoryImage?productCategoryId=${productCategoryId!}&upload_file_type=category</@ofbizUrl>"
name="imageUploadForm">
+ <form method="post" enctype="multipart/form-data"
action="<@ofbizUrl>UploadCategoryImage?productCategoryId=${productCategoryId!}&up_load_file_type=category</@ofbizUrl>"
name="imageUploadForm">
<table cellspacing="0" class="basic-table">
<tr><td>
<input type="file" size="50" name="fname"/>
<br />
<span>
- <label><input type="radio"
name="up_load_file_type_bogus" value="category" checked="checked"
onclick='setUploadUrl("<@ofbizUrl>UploadCategoryImage?productCategoryId=${productCategoryId}&upload_file_type=category</@ofbizUrl>");'/>${uiLabelMap.ProductCategoryImageUrl}</label>
- <label><input type="radio"
name="up_load_file_type_bogus" value="linkOne"
onclick='setUploadUrl("<@ofbizUrl>UploadCategoryImage?productCategoryId=${productCategoryId}&upload_file_type=linkOne</@ofbizUrl>");'/>${uiLabelMap.ProductLinkOneImageUrl}</label>
- <label><input type="radio"
name="up_load_file_type_bogus"
value="linkTwo"onclick='setUploadUrl("<@ofbizUrl>UploadCategoryImage?productCategoryId=${productCategoryId}&upload_file_type=linkTwo</@ofbizUrl>");'/>${uiLabelMap.ProductLinkTwoImageUrl}</label>
+ <label><input type="radio"
name="up_load_file_type_bogus" value="category" checked="checked"
onclick='setUploadUrl("<@ofbizUrl>UploadCategoryImage?productCategoryId=${productCategoryId}&up_load_file_type=category</@ofbizUrl>");'/>${uiLabelMap.ProductCategoryImageUrl}</label>
+ <label><input type="radio"
name="up_load_file_type_bogus" value="linkOne"
onclick='setUploadUrl("<@ofbizUrl>UploadCategoryImage?productCategoryId=${productCategoryId}&up_load_file_type=linkOne</@ofbizUrl>");'/>${uiLabelMap.ProductLinkOneImageUrl}</label>
+ <label><input type="radio"
name="up_load_file_type_bogus"
value="linkTwo"onclick='setUploadUrl("<@ofbizUrl>UploadCategoryImage?productCategoryId=${productCategoryId}&up_load_file_type=linkTwo</@ofbizUrl>");'/>${uiLabelMap.ProductLinkTwoImageUrl}</label>
</span>
<input type="submit" class="smallSubmit"
value="${uiLabelMap.ProductUploadImage}"/>
</td></tr>
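Review bot: The rewritten radio whose line ends in `value="linkTwo"onclick=` has no whitespace between the `value` and `onclick` attributes, so the attribute boundary relies on lenient HTML parsing; while the line is being rewritten it should read `value="linkTwo" onclick='setUploadUrl(...)'`. The same missing space is carried onto the new `value="large"onclick=` line in the EditProductContent.ftl hunk at `@@ -192,11 +192,11 @@`. Separately, the rewritten form action uses `${productCategoryId!}` (empty default) while the three rewritten `onclick` URLs use `${productCategoryId}` without the `!`, so a missing id is tolerated by the form action but raises a template error in the handlers; aligning the two forms is worth doing while these lines are touched.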
diff --git
a/applications/product/template/config/EditProductConfigItemContent.ftl
b/applications/product/template/config/EditProductConfigItemContent.ftl
index cd01bbc9e7..7952bfd2e6 100644
--- a/applications/product/template/config/EditProductConfigItemContent.ftl
+++ b/applications/product/template/config/EditProductConfigItemContent.ftl
@@ -152,8 +152,8 @@ function insertImageName(size,nameValue) {
<h3>${uiLabelMap.ProductUploadImage}</h3>
</div>
<div class="screenlet-body">
- <form method="post" enctype="multipart/form-data"
action="<@ofbizUrl>UploadProductConfigItemImage?configItemId=${configItemId}&upload_file_type=small</@ofbizUrl>"
name="imageUploadForm">
- <input type="file" size="50" name="fname" />
+ <form method="post" enctype="multipart/form-data"
action="<@ofbizUrl>UploadProductConfigItemImage?configItemId=${configItemId}&up_load_file_type=small</@ofbizUrl>"
name="imageUploadForm">
+ <input type="file" size="50" name="fname"
accept=".png,.gif,.jpg,.jpeg,.tiff,.tif"/>
<input type="submit" class="smallSubmit"
value="${uiLabelMap.ProductUploadImage}" />
</form>
</div>
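Review bot: The `accept=".png,.gif,.jpg,.jpeg,.tiff,.tif"` added to the file input is a browser-side hint only — it shapes the file picker and is not enforced on submission — so the UploadProductConfigItemImage handler still needs its own extension and content check, which is not visible in this commit. The attribute is also added only here: the file input in the EditCategory.ftl hunk (`<input type="file" size="50" name="fname"/>`) stays without it, and EditProductContent.ftl's file input is outside its hunks, so either apply the same attribute consistently or note why only config-item images get the hint. Since the commit message mentions only the parameter rename, a line in the description recording the `accept` addition would help reviewers.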
diff --git a/applications/product/template/product/EditProductContent.ftl
b/applications/product/template/product/EditProductContent.ftl
index 7fafff9785..e107575b67 100644
--- a/applications/product/template/product/EditProductContent.ftl
+++ b/applications/product/template/product/EditProductContent.ftl
@@ -184,7 +184,7 @@ under the License.
};
</script>
<h3>${uiLabelMap.ProductUploadImage}</h3>
- <form method="post" enctype="multipart/form-data"
action="<@ofbizUrl>UploadProductImage?productId=${productId}&upload_file_type=original</@ofbizUrl>"
name="imageUploadForm">
+ <form method="post" enctype="multipart/form-data"
action="<@ofbizUrl>UploadProductImage?productId=${productId}&up_load_file_type=original</@ofbizUrl>"
name="imageUploadForm">
<table cellspacing="0" class="basic-table">
<tr>
<td width="20%" align="right" valign="top">
@@ -192,11 +192,11 @@ under the License.
</td>
<td> </td>
<td width="80%" colspan="4" valign="top">
- <label><input type="radio" name="up_load_file_type_bogus"
value="small"
onclick='setUploadUrl("<@ofbizUrl>UploadProductImage?productId=${productId}&upload_file_type=small</@ofbizUrl>");'/>${uiLabelMap.CommonSmall}</label>
- <label><input type="radio" name="up_load_file_type_bogus"
value="medium"
onclick='setUploadUrl("<@ofbizUrl>UploadProductImage?productId=${productId}&upload_file_type=medium</@ofbizUrl>");'/>${uiLabelMap.CommonMedium}</label>
- <label><input type="radio" name="up_load_file_type_bogus"
value="large"onclick='setUploadUrl("<@ofbizUrl>UploadProductImage?productId=${productId}&upload_file_type=large</@ofbizUrl>");'/>${uiLabelMap.CommonLarge}</label>
- <label><input type="radio" name="up_load_file_type_bogus"
value="detail"
onclick='setUploadUrl("<@ofbizUrl>UploadProductImage?productId=${productId}&upload_file_type=detail</@ofbizUrl>");'/>${uiLabelMap.CommonDetail}</label>
- <label><input type="radio" name="up_load_file_type_bogus"
value="original" checked="checked"
onclick='setUploadUrl("<@ofbizUrl>UploadProductImage?productId=${productId}&upload_file_type=original</@ofbizUrl>");'/>${uiLabelMap.ProductOriginal}</label>
+ <label><input type="radio" name="up_load_file_type_bogus"
value="small"
onclick='setUploadUrl("<@ofbizUrl>UploadProductImage?productId=${productId}&up_load_file_type=small</@ofbizUrl>");'/>${uiLabelMap.CommonSmall}</label>
+ <label><input type="radio" name="up_load_file_type_bogus"
value="medium"
onclick='setUploadUrl("<@ofbizUrl>UploadProductImage?productId=${productId}&up_load_file_type=medium</@ofbizUrl>");'/>${uiLabelMap.CommonMedium}</label>
+ <label><input type="radio" name="up_load_file_type_bogus"
value="large"onclick='setUploadUrl("<@ofbizUrl>UploadProductImage?productId=${productId}&up_load_file_type=large</@ofbizUrl>");'/>${uiLabelMap.CommonLarge}</label>
+ <label><input type="radio" name="up_load_file_type_bogus"
value="detail"
onclick='setUploadUrl("<@ofbizUrl>UploadProductImage?productId=${productId}&up_load_file_type=detail</@ofbizUrl>");'/>${uiLabelMap.CommonDetail}</label>
+ <label><input type="radio" name="up_load_file_type_bogus"
value="original" checked="checked"
onclick='setUploadUrl("<@ofbizUrl>UploadProductImage?productId=${productId}&up_load_file_type=original</@ofbizUrl>");'/>${uiLabelMap.ProductOriginal}</label>
<input type="submit" class="smallSubmit"
value="${uiLabelMap.ProductUploadImage}"/>
</td>
</tr>