Fixed: Upload image size issue (OFBIZ-12639)

SecuredUpload::checkMaxLinesLength does not work when the charset used to create the file is not the same than the one used when uploading. It's a know problem. This at least allow images to be uploaded. I'll check if we can improve the call in SecuredUpload::checkMaxLinesLength to FileUtils.readLines() (Apachecommons.io) according to http://illegalargumentexception.blogspot.com/2009/05/java-rough-guide-to-character-encoding.html#javaencoding_autodetect See https://lists.apache.org/thread/dv4yjpknms5zd2l73wb8ht3s0db2wx2v for details Conflict handled by hand, also adds from trunk "handling" of msoffice files
apache · Sep 10, 2024 · 81fd7c7 · 81fd7c7
1 parent 74605c4
commit 81fd7c7
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
@@ -207,7 +207,13 @@ public static boolean isValidFile(String fileToCheck, String fileType, Delegator
  // PDF files are not concerned because they may contain several CharSet encodings
  // hence no possibility to use Files::readAllLines that needs a sole CharSet
  if (!isPdfFile(fileToCheck)) {
- if (!checkMaxLinesLength(fileToCheck)) {
+ if (getMimeTypeFromFileName(fileToCheck).equals("application/x-tika-msoffice")) {
+ Debug.logError("File : " + fileToCheck + ", is a MS Office file."
+ + " It can't be uploaded for security reason. Try to transform a Word file to PDF, "
+ + "and an Excel file to CSV. For other file types try PDF.", MODULE);
+ return false;
+ }
+ if (!isValidImageIncludingSvgFile(fileToCheck) && !checkMaxLinesLength(fileToCheck)) {
  Debug.logError("For security reason lines over " + MAXLINELENGTH.toString() + " are not allowed", MODULE);
  return false;
  }