Uploaded image for project: 'OFBiz'
  1. OFBiz
  2. OFBIZ-1525 Issue to group security concerns
  3. OFBIZ-13192

Issues when uploading SVG files

    XMLWordPrintableJSON

Details

    • Sub-task
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 18.12.17, 24.09.01
    • 24.09.01, 18.12.18
    • content, party
    • None
    • Bug Crush Event - 21/2/2015

    Description

      SVG files can only be uploaded when the "All" type is used. That's only done inside the Content component. This component can also be used by other component, like Party for instance.

      There are some issues when uploading SVG files.

      • When the All type is used and a SVG file is uploaded, the checking type order places the CSV file before the SVG file type. In some cases this error arises:

        java.io.IOException: (line 8) invalid char between encapsulated token and delimiter

      • Most often they are minified. Then, apart very small ones, they contains long lines, at least longer than 10000 default.
      • They almost all contain the word "class". Once you remove it from deniedWebShellTokens in security.properties the files pass and are uploaded w/o modification. They can also contain token like "javascript", etc.

      Attachments

        Issue Links

          relates to

          Sub-task - The sub-task of the issue OFBIZ-12080 Secure the uploads

          • Major - Major loss of function.
          • Closed

          Activity

            People

              jleroux Jacques Le Roux
              jleroux Jacques Le Roux
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: