IDEMPIERE-3980 (#711)

* IDEMPIERE-3980

* IDEMPIERE-3980

Restrict uploading just to valid safe image file types

* IDEMPIERE-3980
This commit is contained in:
Carlos Ruiz 2021-06-08 16:42:47 +02:00 committed by GitHub
parent a4f67eb852
commit fa0b52abd6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 61 additions and 6 deletions

View File

@ -0,0 +1,11 @@
SET SQLBLANKLINES ON
SET DEFINE OFF
-- IDEMPIERE-3980
-- Jun 8, 2021, 4:32:50 PM CEST
INSERT INTO AD_Message (MsgType,MsgText,AD_Client_ID,AD_Org_ID,IsActive,Created,CreatedBy,Updated,UpdatedBy,AD_Message_ID,Value,EntityType,AD_Message_UU) VALUES ('E','File not allowed for uploading, just image types jpg/png/gif/tiff/bmp/ico',0,0,'Y',TO_DATE('2021-06-08 16:32:49','YYYY-MM-DD HH24:MI:SS'),100,TO_DATE('2021-06-08 16:32:49','YYYY-MM-DD HH24:MI:SS'),100,200711,'UploadImageTypeNotAllowed','D','7f3ed66b-6875-49e2-b45f-42ed9c7548e1')
;
SELECT register_migration_script('202106081633_IDEMPIERE-3980.sql') FROM dual
;

View File

@ -0,0 +1,8 @@
-- IDEMPIERE-3980
-- Jun 8, 2021, 4:32:50 PM CEST
INSERT INTO AD_Message (MsgType,MsgText,AD_Client_ID,AD_Org_ID,IsActive,Created,CreatedBy,Updated,UpdatedBy,AD_Message_ID,Value,EntityType,AD_Message_UU) VALUES ('E','File not allowed for uploading, just image types jpg/png/gif/tiff/bmp/ico',0,0,'Y',TO_TIMESTAMP('2021-06-08 16:32:49','YYYY-MM-DD HH24:MI:SS'),100,TO_TIMESTAMP('2021-06-08 16:32:49','YYYY-MM-DD HH24:MI:SS'),100,200711,'UploadImageTypeNotAllowed','D','7f3ed66b-6875-49e2-b45f-42ed9c7548e1')
;
SELECT register_migration_script('202106081633_IDEMPIERE-3980.sql') FROM dual
;

View File

@ -17,8 +17,11 @@
package org.adempiere.webui.window;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Level;
import org.adempiere.exceptions.AdempiereException;
import org.adempiere.webui.AdempiereWebUI;
import org.adempiere.webui.ClientInfo;
import org.adempiere.webui.LayoutUtils;
@ -34,6 +37,7 @@ import org.apache.commons.codec.binary.Base64;
import org.compiere.model.MImage;
import org.compiere.util.CLogger;
import org.compiere.util.Env;
import org.compiere.util.MimeType;
import org.compiere.util.Msg;
import org.compiere.util.Util;
import org.zkoss.image.AImage;
@ -47,7 +51,7 @@ import org.zkoss.zul.Borderlayout;
import org.zkoss.zul.Center;
import org.zkoss.zul.Div;
import org.zkoss.zul.Hbox;
import org.zkoss.zul.Image;
import org.zkoss.zul.Iframe;
import org.zkoss.zul.North;
import org.zkoss.zul.Separator;
import org.zkoss.zul.South;
@ -97,6 +101,9 @@ public class WImageDialog extends Window implements EventListener<Event>
AImage aImage = new AImage(m_mImage.getName(), m_mImage.getData());
image.setContent(aImage);
image.setClientAttribute("sandbox", "");
image.setVisible(true);
image.invalidate();
} catch (Exception e) {
log.log(Level.WARNING, "load image", e);
}
@ -117,7 +124,7 @@ public class WImageDialog extends Window implements EventListener<Event>
private Panel parameterPanel = new Panel();
private Button fileButton = new Button();
private Button captureButton = new Button();
private Image image = new Image();
private Iframe image = new Iframe();
private ConfirmPanel confirmPanel = new ConfirmPanel(true,false,true,false,false,false);
private boolean cancel = false;
private Textbox fileNameTextbox = new Textbox();
@ -125,7 +132,19 @@ public class WImageDialog extends Window implements EventListener<Event>
private Div captureDiv;
private String defaultNameForCaptureImage = "CapturedImage";
private Button cancelCaptureButton;
private static List<String> autoPreviewList;
static {
autoPreviewList = new ArrayList<String>();
autoPreviewList.add("image/jpeg");
autoPreviewList.add("image/png");
autoPreviewList.add("image/gif");
autoPreviewList.add("image/tiff");
autoPreviewList.add("image/bmp");
autoPreviewList.add("image/x-icon");
}
/**
* Static Init
* @throws Exception
@ -243,6 +262,9 @@ public class WImageDialog extends Window implements EventListener<Event>
{
AImage img = null;
image.setContent(img);
image.setClientAttribute("sandbox", "");
image.setVisible(true);
image.invalidate();
fileNameTextbox.setValue(null);
}
else if (e.getTarget() == captureButton)
@ -270,6 +292,9 @@ public class WImageDialog extends Window implements EventListener<Event>
byte[] imageData = Base64.decodeBase64(dataUrl.substring(contentStartIndex).getBytes());
AImage img = new AImage(defaultNameForCaptureImage, imageData);
image.setContent(img);
image.setClientAttribute("sandbox", "");
image.setVisible(true);
image.invalidate();
if (m_mImage == null)
m_mImage = new MImage (Env.getCtx(), 0, null);
@ -328,14 +353,25 @@ public class WImageDialog extends Window implements EventListener<Event>
return;
String fileName = imageFile.getName();
String mimeType = MimeType.getMimeType(fileName);
if (! autoPreviewList.contains(mimeType))
throw new AdempiereException(Msg.getMsg(Env.getCtx(), "UploadImageTypeNotAllowed"));
// See if we can load & display it
try
{
InputStream is = imageFile.getStreamData();
AImage aImage = new AImage(fileName, is);
image.setContent(aImage);
if (autoPreviewList.contains(mimeType)) {
image.setContent(aImage);
image.setClientAttribute("sandbox", "");
image.setVisible(true);
image.invalidate();
} else {
image.setSrc(null);
image.setVisible(false);
}
is.close();
}