Details

    • Type: Bug Bug
    • Status: Closed
    • Resolution: No Longer Reproducible
    • Affects Version/s: 6.0.5 GA
    • Fix Version/s: None
    • Labels:
      None
    • Branch Version/s:
      6.0.x
    • Similar Issues:
      Show 5 results 

      Description

      We don't properly validate file titles in the document library in 6EE. Here is the flow:

      Enter the classic uploader, upload any supported file. In the TITLE, put "My file"

      Hit save. You will get a file extension error. Here is why:

      DLFileEntryLocalServiceUtil.addFile() calls:

      // File entry

      User user = userPersistence.findByPrimaryKey(userId);
      folderId = getFolderId(user.getCompanyId(), folderId);

      String extension = FileUtil.getExtension(name);
      // AT THIS POINT TITLE IS "my file" and NAME is "whatever.txt"
      if (Validator.isNull(title))

      { title = name; }

      name = String.valueOf(
      counterLocalService.increment(DLFileEntry.class.getName()));

      // NOW NAME IS 456789 and TITLE is "my file"

      Date now = new Date();

      // ABOUT TO VALIDATE THE TITLE AS "my file"

      validate(groupId, folderId, title, is);

      --> That call goes to -->

      public void validate(
      String fileName, boolean validateFileExtension, InputStream is)
      throws PortalException, SystemException {

      validate(fileName, validateFileExtension);

      // LEP-4851

      try {
      if ((PrefsPropsUtil.getLong(PropsKeys.DL_FILE_MAX_SIZE) > 0) &&
      ((is == null) ||
      (is.available() >
      PrefsPropsUtil.getLong(PropsKeys.DL_FILE_MAX_SIZE))))

      { throw new FileSizeException(fileName); }

      }
      catch (IOException ioe)

      { throw new FileSizeException(ioe.getMessage()); }

      }

      so it's passing the fileName as "my file" and it's validating the file extension (boolean true)

      -->

      public void validate(String fileName, boolean validateFileExtension)
      throws PortalException, SystemException {

      if ((fileName.indexOf("\\\\") != -1) ||
      (fileName.indexOf("//") != -1) ||
      (fileName.indexOf(":") != -1) ||
      (fileName.indexOf("*") != -1) ||
      (fileName.indexOf("?") != -1) ||
      (fileName.indexOf("\"") != -1) ||
      (fileName.indexOf("<") != -1) ||
      (fileName.indexOf(">") != -1) ||
      (fileName.indexOf("|") != -1) ||
      (fileName.indexOf("[") != -1) ||
      (fileName.indexOf("]") != -1) ||
      (fileName.indexOf("'") != -1) ||
      (fileName.indexOf("..
      ") != -1) ||
      (fileName.indexOf("../") != -1) ||
      (fileName.indexOf("
      ..") != -1) ||
      (fileName.indexOf("/..") != -1))

      { throw new FileNameException(fileName); }

      if (validateFileExtension) {
      boolean validFileExtension = false;

      String[] fileExtensions = PrefsPropsUtil.getStringArray(
      PropsKeys.DL_FILE_EXTENSIONS, StringPool.COMMA);

      for (int i = 0; i < fileExtensions.length; i++) {
      if (StringPool.STAR.equals(fileExtensions[i]) ||
      StringUtil.endsWith(fileName, fileExtensions[i]))

      { validFileExtension = true; break; }

      }

      if (!validFileExtension)

      { throw new FileNameException(fileName); }

      }
      }

      It now sees "my file" isn't a valid filename, and dies.

        Activity

        Hide
        Michael Han added a comment -

        Already resolved...

        Show
        Michael Han added a comment - Already resolved...

          People

          • Assignee:
            Michael Han
            Reporter:
            Brett Swaim
            Recent user:
            Randy Zhu
            Participants of an Issue:
          • Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:
              Days since last comment:
              4 years, 31 weeks, 6 days ago

              Development

                Structure Helper Panel