Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: No Longer Reproducible
    • Affects Version/s: 6.0.5 GA
    • Fix Version/s: None
    • Component/s: DM
    • Labels:
      None
    • Branch Version/s:
      6.0.x

      Description

      We don't properly validate file titles in the document library in 6EE. Here is the flow:

      Enter the classic uploader, upload any supported file. In the TITLE, put "My file".

      Hit save. You will get a file extension error. Here is why:

      DLFileEntryLocalServiceUtil.addFile() calls:

      // File entry

      User user = userPersistence.findByPrimaryKey(userId);
      folderId = getFolderId(user.getCompanyId(), folderId);

      String extension = FileUtil.getExtension(name);
      // AT THIS POINT TITLE IS "my file" and NAME is "whatever.txt"
      if (Validator.isNull(title)) {
          title = name;
      }

      name = String.valueOf(
          counterLocalService.increment(DLFileEntry.class.getName()));

      // NOW NAME IS 456789 and TITLE is "my file"

      Date now = new Date();

      // ABOUT TO VALIDATE THE TITLE AS "my file"

      validate(groupId, folderId, title, is);

      --> That call goes to -->

      public void validate(
              String fileName, boolean validateFileExtension, InputStream is)
          throws PortalException, SystemException {

          validate(fileName, validateFileExtension);

          // LEP-4851

          try {
              if ((PrefsPropsUtil.getLong(PropsKeys.DL_FILE_MAX_SIZE) > 0) &&
                  ((is == null) ||
                   (is.available() >
                       PrefsPropsUtil.getLong(PropsKeys.DL_FILE_MAX_SIZE)))) {

                  throw new FileSizeException(fileName);
              }
          }
          catch (IOException ioe) {
              throw new FileSizeException(ioe.getMessage());
          }
      }

      So it's passing the fileName as "my file" and it's validating the file extension (boolean true).

      -->

      public void validate(String fileName, boolean validateFileExtension)
          throws PortalException, SystemException {

          if ((fileName.indexOf("\\\\") != -1) ||
              (fileName.indexOf("//") != -1) ||
              (fileName.indexOf(":") != -1) ||
              (fileName.indexOf("*") != -1) ||
              (fileName.indexOf("?") != -1) ||
              (fileName.indexOf("\"") != -1) ||
              (fileName.indexOf("<") != -1) ||
              (fileName.indexOf(">") != -1) ||
              (fileName.indexOf("|") != -1) ||
              (fileName.indexOf("[") != -1) ||
              (fileName.indexOf("]") != -1) ||
              (fileName.indexOf("'") != -1) ||
              (fileName.indexOf("..\\") != -1) ||
              (fileName.indexOf("../") != -1) ||
              (fileName.indexOf("\\..") != -1) ||
              (fileName.indexOf("/..") != -1)) {

              throw new FileNameException(fileName);
          }

          if (validateFileExtension) {
              boolean validFileExtension = false;

              String[] fileExtensions = PrefsPropsUtil.getStringArray(
                  PropsKeys.DL_FILE_EXTENSIONS, StringPool.COMMA);

              for (int i = 0; i < fileExtensions.length; i++) {
                  if (StringPool.STAR.equals(fileExtensions[i]) ||
                      StringUtil.endsWith(fileName, fileExtensions[i])) {

                      validFileExtension = true;
                      break;
                  }
              }

              if (!validFileExtension) {
                  throw new FileNameException(fileName);
              }
          }
      }

      It now sees "my file" isn't a valid filename, and dies.
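
A simplified, self-contained model of the flow traced above, added here as an illustration and not taken from Liferay's code: it runs the forbidden-substring list from the quoted validate() against a title and an uploaded file name, first the way the report describes and then with the extension check moved to the uploaded name. The class and method names, the extension allowlist and the sample inputs are all constructed, and the split check is one hypothetical arrangement, not the project's fix.

```java
import java.util.List;

// Added illustration, not Liferay code; names and the extension list are constructed.
public class TitleValidationDemo {
    // Constructed stand-in for the configured extension allowlist
    static final List<String> ALLOWED = List.of(".txt", ".pdf", ".doc");

    // The same substrings the validate() quoted in the report rejects
    static final String[] FORBIDDEN = {
        "\\\\", "//", ":", "*", "?", "\"", "<", ">", "|", "[", "]", "'",
        "..\\", "../", "\\..", "/.."
    };

    static boolean hasForbiddenSequence(String s) {
        for (String f : FORBIDDEN) {
            if (s.contains(f)) return true;
        }
        return false;
    }

    static boolean hasAllowedExtension(String s) {
        for (String ext : ALLOWED) {
            if (ext.equals("*") || s.endsWith(ext)) return true;
        }
        return false;
    }

    // Flow from the report: the title alone goes through both checks
    static boolean reportedCheck(String uploadedName, String title) {
        return !hasForbiddenSequence(title) && hasAllowedExtension(title);
    }

    // Hypothetical alternative: characters checked on both, extension on the uploaded name
    static boolean splitCheck(String uploadedName, String title) {
        return !hasForbiddenSequence(title) && !hasForbiddenSequence(uploadedName)
            && hasAllowedExtension(uploadedName);
    }

    public static void main(String[] args) {
        String[][] cases = {
            {"whatever.txt", "My file"},     // the report's case
            {"whatever.txt", "../My file"},  // forbidden sequence in the title
            {"whatever.exe", "notes.txt"},   // title and uploaded name disagree on extension
        };
        for (String[] c : cases) {
            System.out.printf("name=%s title=%s reported=%b split=%b%n",
                c[0], c[1], reportedCheck(c[0], c[1]), splitCheck(c[0], c[1]));
        }
    }
}
```

In this model the two checks disagree on the first and third cases, which is the consequence of running the extension allowlist against the title rather than the uploaded name.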

            People

            • Assignee:
              michael.han Michael Han
              Reporter:
              brett.swaim Brett Swaim
              Participants of an Issue:
              Recent user:
              Esther Sanz

              Dates

              • Created:
                Updated:
                Resolved:
                Days since last comment:
                7 years, 2 days ago