This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release17.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
commit 793628bb15521257a8ccdfec181daa4cdb501eea
Author: Jacques Le Roux <[email protected]>
AuthorDate: Sat Apr 4 19:32:02 2020 +0200
Fixed: Prevent Host Header Injection (CVE-2019-12425) (OFBIZ-11583)
Conflicts handled by hand
framework/security/config/security.properties
framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
---
.../src/main/java/org/apache/ofbiz/base/util/UtilMisc.java | 13 +++++++++++++
framework/security/config/security.properties | 6 +++++-
.../org/apache/ofbiz/webapp/control/RequestHandler.java | 10 ++++++++++
3 files changed, 28 insertions(+), 1 deletion(-)
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilMisc.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilMisc.java
index 2be803e..0f0a4f3 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilMisc.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilMisc.java
@@ -598,6 +598,19 @@ public final class UtilMisc {
return LocaleHolder.availableLocaleList;
}
+ /** List of domains or IP addresses to be checked to prevent Host Header Injection,
* no spaces after commas,no wildcard, can be extended of course...
* @return List of domains or IP addresses to be checked to prevent Host Header Injection,
*/
public static List<String> getHostHeadersAllowed() {
String hostHeadersAllowedString = UtilProperties.getPropertyValue("security", "host-headers-allowed", "localhost");
List<String> hostHeadersAllowed = null;
if (UtilValidate.isNotEmpty(hostHeadersAllowedString)) {
hostHeadersAllowed = StringUtil.split(hostHeadersAllowedString, ",");
}
return Collections.unmodifiableList(hostHeadersAllowed);
}
+
/** @deprecated use Thread.sleep() */
@Deprecated
public static void staticWait(long timeout) throws InterruptedException {
diff --git a/framework/security/config/security.properties b/framework/security/config/security.properties
index 5b809ff..2a044d6 100644
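Review bot: `Collections.unmodifiableList(hostHeadersAllowed)` on the last line of `getHostHeadersAllowed()` throws a `NullPointerException` whenever `hostHeadersAllowedString` is empty, because the local is only assigned inside the `isNotEmpty` branch and stays `null` otherwise, so every request would then fail with an NPE from the RequestHandler constructor instead of a meaningful rejection. Initialising the local as `List<String> hostHeadersAllowed = Collections.emptyList();` keeps the fail-closed outcome (no host is accepted) while giving callers a clear error; if `UtilProperties.getPropertyValue` substitutes the default for an empty value the branch may be unreachable today, but the method should not rely on that. Whether `StringUtil.split` trims whitespace is not visible here, and the "no spaces after commas" remark suggests it does not, so the Javadoc should state the contract callers actually get: `/** Host names or IP addresses accepted as a request's server name, compared exactly (no port, no wildcard, no surrounding whitespace); read from security.properties key host-headers-allowed, default "localhost". */`.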
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -135,6 +135,10 @@ security.login.externalLoginKey.enabled=true
# -- Security key used to encrypt and decrypt the autogenerated password in forgot password functionality.
login.secret_key_string=Secret Key
-# -- By default the SameSite value in SameSiteFilter is strict. This allows to change it ot lax if needed
+# -- List of domains or IP addresses to be checked to prevent Host Header Injection,
+# -- no spaces after commas,no wildcard, can be extended of course...
+host-headers-allowed=localhost,127.0.0.1,demo-trunk.ofbiz.apache.org,demo-stable.ofbiz.apache.org,demo-old.ofbiz.apache.org
+
+# -- By default the SameSite value in SameSiteFilter is strict. This allows to change it to lax if needed
SameSiteCookieAttribute=
diff --git a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
index 6802da1..ea0655d 100644
--- a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
+++ b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
@@ -76,6 +76,8 @@ public class RequestHandler {
private final URL controllerConfigURL;
private final boolean trackServerHit;
private final boolean trackVisit;
+ private final List hostHeadersAllowed;
+
private ControllerConfig ccfg;
public static RequestHandler getRequestHandler(ServletContext servletContext) {
RequestHandler rh = (RequestHandler) servletContext.getAttribute("_REQUEST_HANDLER_");
@@ -100,6 +102,9 @@ public class RequestHandler {
this.trackServerHit = !"false".equalsIgnoreCase(context.getInitParameter("track-serverhit"));
this.trackVisit = !"false".equalsIgnoreCase(context.getInitParameter("track-visit"));
+
+ hostHeadersAllowed = UtilMisc.getHostHeadersAllowed();
+
}
public ConfigXMLReader.ControllerConfig getControllerConfig() {
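Review bot: The shipped default for `host-headers-allowed` includes the three public demo hostnames, so every installation that does not edit this line accepts a `Host:` of `demo-trunk.ofbiz.apache.org` and friends even though it is never reached under those names; those entries belong in the demo servers' own configuration, not in the framework default. The comment also leaves out what operators most need to know: the value is compared exactly against `request.getServerName()` (the Host header without its port) and a request for any unlisted name is rejected outright, so every hostname and IP that clients or a reverse proxy present must be listed, without `:port`. Suggested replacement for the two comment lines: `# -- Every host name or IP address clients (and any reverse proxy) use to reach this instance; compared exactly against the request's server name: no port, no wildcard, no spaces after commas. Requests whose Host header matches none of these are rejected.`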
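Review bot: `private final List hostHeadersAllowed;` is a raw type, while the value it holds comes from `UtilMisc.getHostHeadersAllowed()`, which the UtilMisc hunk declares as `List<String>`; declare it as `private final List<String> hostHeadersAllowed;` so the `contains` call and any later iteration are type-checked and the unchecked warning goes away. A one-line comment would save the next reader a trip to UtilMisc: `// Server names doRequest() accepts; read once from security.properties (host-headers-allowed)`.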
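Review bot: `hostHeadersAllowed = UtilMisc.getHostHeadersAllowed();` snapshots the allow-list when the RequestHandler is constructed, so an edit to security.properties only takes effect after the webapp is reloaded, and because it goes through `UtilProperties` rather than the delegator-aware `EntityUtilProperties` lookup used a few lines later in doRequest, it presumably cannot be overridden per tenant; neither is necessarily wrong, but both deserve a comment next to the assignment, e.g. `// Read once at startup from security.properties; not tenant-aware and not reloadable without a redeploy`. The constructor's signature and the rest of its body lie outside the hunk.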
@@ -122,6 +127,11 @@ public class RequestHandler {
public void doRequest(HttpServletRequest request, HttpServletResponse response, String chain,
GenericValue userLogin, Delegator delegator) throws RequestHandlerException, RequestHandlerExceptionAllowExternalRequests {
+ if (!hostHeadersAllowed.contains(request.getServerName())) {
Debug.logError("Domain " + request.getServerName() + " not accepted to prevent host header injection ", module);
throw new RequestHandlerException("Domain " + request.getServerName() + " not accepted to prevent host header injection ");
}
+
final boolean throwRequestHandlerExceptionOnMissingLocalRequest = EntityUtilProperties.propertyValueEqualsIgnoreCase(
"requestHandler", "throwRequestHandlerExceptionOnMissingLocalRequest", "Y", delegator);
long startTime = System.currentTimeMillis();
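Review bot: `hostHeadersAllowed.contains(request.getServerName())` is a case-sensitive exact match, but host names are case-insensitive, so a legitimate `Host: LocalHost` (or a proxy that changes case) is rejected while an attacker gains nothing from the strictness; compare ignoring case instead, e.g. `String serverName = request.getServerName();` followed by `if (hostHeadersAllowed.stream().noneMatch(h -> h.equalsIgnoreCase(serverName))) {`, which also avoids calling `getServerName()` three times. The rejected value is attacker-chosen and is copied into both the log line and the exception message; how `RequestHandlerException` is rendered is outside this hunk, so confirm the message is not reflected unescaped to the client and that the response is a 4xx rather than a 500. Behind a reverse proxy `getServerName()` reflects whatever Host the proxy forwards, so the configured list has to include the proxy-facing name as well. doRequest continues past the end of the hunk.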

