midsuit
/
core-jgi
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

IDEMPIERE-3980 (#711) 

* IDEMPIERE-3980

* IDEMPIERE-3980

Restrict uploading just to valid safe image file types

* IDEMPIERE-3980
This commit is contained in:
Carlos Ruiz 2021-06-08 16:42:47 +02:00 committed by GitHub
parent a4f67eb852
commit fa0b52abd6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 61 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
migration/i8.2/oracle/202106081633_IDEMPIERE-3980.sql Normal file
View File

@ -0,0 +1,11 @@
SET SQLBLANKLINES ON
SET DEFINE OFF
-- IDEMPIERE-3980
-- Jun 8, 2021, 4:32:50 PM CEST
INSERT INTO AD_Message (MsgType,MsgText,AD_Client_ID,AD_Org_ID,IsActive,Created,CreatedBy,Updated,UpdatedBy,AD_Message_ID,Value,EntityType,AD_Message_UU) VALUES ('E','File not allowed for uploading, just image types jpg/png/gif/tiff/bmp/ico',0,0,'Y',TO_DATE('2021-06-08 16:32:49','YYYY-MM-DD HH24:MI:SS'),100,TO_DATE('2021-06-08 16:32:49','YYYY-MM-DD HH24:MI:SS'),100,200711,'UploadImageTypeNotAllowed','D','7f3ed66b-6875-49e2-b45f-42ed9c7548e1')
;
SELECT register_migration_script('202106081633_IDEMPIERE-3980.sql') FROM dual
;

8
migration/i8.2/postgresql/202106081633_IDEMPIERE-3980.sql Normal file
View File

@ -0,0 +1,8 @@
-- IDEMPIERE-3980
-- Jun 8, 2021, 4:32:50 PM CEST
INSERT INTO AD_Message (MsgType,MsgText,AD_Client_ID,AD_Org_ID,IsActive,Created,CreatedBy,Updated,UpdatedBy,AD_Message_ID,Value,EntityType,AD_Message_UU) VALUES ('E','File not allowed for uploading, just image types jpg/png/gif/tiff/bmp/ico',0,0,'Y',TO_TIMESTAMP('2021-06-08 16:32:49','YYYY-MM-DD HH24:MI:SS'),100,TO_TIMESTAMP('2021-06-08 16:32:49','YYYY-MM-DD HH24:MI:SS'),100,200711,'UploadImageTypeNotAllowed','D','7f3ed66b-6875-49e2-b45f-42ed9c7548e1')
;
SELECT register_migration_script('202106081633_IDEMPIERE-3980.sql') FROM dual
;

40
org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/window/WImageDialog.java
View File

@ -17,8 +17,11 @@
package org.adempiere.webui.window; package org.adempiere.webui.window;
import java.io.InputStream; import java.io.InputStream;
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Level; import java.util.logging.Level;
import org.adempiere.exceptions.AdempiereException;
import org.adempiere.webui.AdempiereWebUI; import org.adempiere.webui.AdempiereWebUI;
import org.adempiere.webui.ClientInfo; import org.adempiere.webui.ClientInfo;
import org.adempiere.webui.LayoutUtils; import org.adempiere.webui.LayoutUtils;
@ -34,6 +37,7 @@ import org.apache.commons.codec.binary.Base64;
import org.compiere.model.MImage; import org.compiere.model.MImage;
import org.compiere.util.CLogger; import org.compiere.util.CLogger;
import org.compiere.util.Env; import org.compiere.util.Env;
import org.compiere.util.MimeType;
import org.compiere.util.Msg; import org.compiere.util.Msg;
import org.compiere.util.Util; import org.compiere.util.Util;
import org.zkoss.image.AImage; import org.zkoss.image.AImage;
@ -47,7 +51,7 @@ import org.zkoss.zul.Borderlayout;
import org.zkoss.zul.Center; import org.zkoss.zul.Center;
import org.zkoss.zul.Div; import org.zkoss.zul.Div;
import org.zkoss.zul.Hbox; import org.zkoss.zul.Hbox;
import org.zkoss.zul.Image; import org.zkoss.zul.Iframe;
import org.zkoss.zul.North; import org.zkoss.zul.North;
import org.zkoss.zul.Separator; import org.zkoss.zul.Separator;
import org.zkoss.zul.South; import org.zkoss.zul.South;
@ -97,6 +101,9 @@ public class WImageDialog extends Window implements EventListener<Event>
AImage aImage = new AImage(m_mImage.getName(), m_mImage.getData()); AImage aImage = new AImage(m_mImage.getName(), m_mImage.getData());
image.setContent(aImage); image.setContent(aImage);
image.setClientAttribute("sandbox", "");
image.setVisible(true);
image.invalidate();
} catch (Exception e) { } catch (Exception e) {
log.log(Level.WARNING, "load image", e); log.log(Level.WARNING, "load image", e);
} }
@ -117,7 +124,7 @@ public class WImageDialog extends Window implements EventListener<Event>
private Panel parameterPanel = new Panel(); private Panel parameterPanel = new Panel();
private Button fileButton = new Button(); private Button fileButton = new Button();
private Button captureButton = new Button(); private Button captureButton = new Button();
private Image image = new Image(); private Iframe image = new Iframe();
private ConfirmPanel confirmPanel = new ConfirmPanel(true,false,true,false,false,false); private ConfirmPanel confirmPanel = new ConfirmPanel(true,false,true,false,false,false);
private boolean cancel = false; private boolean cancel = false;
private Textbox fileNameTextbox = new Textbox(); private Textbox fileNameTextbox = new Textbox();
@ -126,6 +133,18 @@ public class WImageDialog extends Window implements EventListener<Event>
private String defaultNameForCaptureImage = "CapturedImage"; private String defaultNameForCaptureImage = "CapturedImage";
private Button cancelCaptureButton; private Button cancelCaptureButton;
private static List<String> autoPreviewList;
static {
autoPreviewList = new ArrayList<String>();
autoPreviewList.add("image/jpeg");
autoPreviewList.add("image/png");
autoPreviewList.add("image/gif");
autoPreviewList.add("image/tiff");
autoPreviewList.add("image/bmp");
autoPreviewList.add("image/x-icon");
}
/** /**
* Static Init * Static Init
* @throws Exception * @throws Exception
@ -243,6 +262,9 @@ public class WImageDialog extends Window implements EventListener<Event>
{ {
AImage img = null; AImage img = null;
image.setContent(img); image.setContent(img);
image.setClientAttribute("sandbox", "");
image.setVisible(true);
image.invalidate();
fileNameTextbox.setValue(null); fileNameTextbox.setValue(null);
} }
else if (e.getTarget() == captureButton) else if (e.getTarget() == captureButton)
@ -270,6 +292,9 @@ public class WImageDialog extends Window implements EventListener<Event>
byte[] imageData = Base64.decodeBase64(dataUrl.substring(contentStartIndex).getBytes()); byte[] imageData = Base64.decodeBase64(dataUrl.substring(contentStartIndex).getBytes());
AImage img = new AImage(defaultNameForCaptureImage, imageData); AImage img = new AImage(defaultNameForCaptureImage, imageData);
image.setContent(img); image.setContent(img);
image.setClientAttribute("sandbox", "");
image.setVisible(true);
image.invalidate();
if (m_mImage == null) if (m_mImage == null)
m_mImage = new MImage (Env.getCtx(), 0, null); m_mImage = new MImage (Env.getCtx(), 0, null);
@ -328,6 +353,9 @@ public class WImageDialog extends Window implements EventListener<Event>
return; return;
String fileName = imageFile.getName(); String fileName = imageFile.getName();
String mimeType = MimeType.getMimeType(fileName);
if (! autoPreviewList.contains(mimeType))
throw new AdempiereException(Msg.getMsg(Env.getCtx(), "UploadImageTypeNotAllowed"));
// See if we can load & display it // See if we can load & display it
try try
@ -335,7 +363,15 @@ public class WImageDialog extends Window implements EventListener<Event>
InputStream is = imageFile.getStreamData(); InputStream is = imageFile.getStreamData();
AImage aImage = new AImage(fileName, is); AImage aImage = new AImage(fileName, is);
if (autoPreviewList.contains(mimeType)) {
image.setContent(aImage); image.setContent(aImage);
image.setClientAttribute("sandbox", "");
image.setVisible(true);
image.invalidate();
} else {
image.setSrc(null);
image.setVisible(false);
}
is.close(); is.close();
} }