This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release18.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
commit 5530e23738e52d9db35f19bd4d97530bc0a0d762
Author: Jacques Le Roux <[email protected]>
AuthorDate: Sat Apr 4 19:32:02 2020 +0200
Fixed: Prevent Host Header Injection (CVE-2019-12425) (OFBIZ-11583)
---
 .../src/main/java/org/apache/ofbiz/base/util/UtilMisc.java | 13 +++++++++++++
 framework/security/config/security.properties | 6 +++++-
 .../org/apache/ofbiz/webapp/control/RequestHandler.java | 9 +++++++++
 3 files changed, 27 insertions(+), 1 deletion(-)
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilMisc.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilMisc.java
index 7f76944..b6985a6 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilMisc.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilMisc.java
@@ -615,6 +615,19 @@ public final class UtilMisc {
 return LocaleHolder.availableLocaleList;
 }
+ /** List of domains or IP addresses to be checked to prevent Host Header Injection,
+ * no spaces after commas,no wildcard, can be extended of course...
+ * @return List of domains or IP addresses to be checked to prevent Host Header Injection,
+ */
+ public static List<String> getHostHeadersAllowed() {
+ String hostHeadersAllowedString = UtilProperties.getPropertyValue("security", "host-headers-allowed", "localhost");
+ List<String> hostHeadersAllowed = null;
+ if (UtilValidate.isNotEmpty(hostHeadersAllowedString)) {
+ hostHeadersAllowed = StringUtil.split(hostHeadersAllowedString, ",");
+ }
+ return Collections.unmodifiableList(hostHeadersAllowed);
+ }
+
 /** @deprecated use Thread.sleep() */
 @Deprecated
 public static void staticWait(long timeout) throws InterruptedException {
diff --git a/framework/security/config/security.properties b/framework/security/config/security.properties
index b9e0b2e..f5d3120 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
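Review bot: `getHostHeadersAllowed()` returns `Collections.unmodifiableList(hostHeadersAllowed)` while `hostHeadersAllowed` is still `null` whenever the `host-headers-allowed` property is present but empty (whatever `UtilValidate.isNotEmpty` counts as empty), so the method throws a NullPointerException instead of returning a list, and the RequestHandler constructor that calls it fails. Initialising with `List<String> hostHeadersAllowed = Collections.emptyList();` in place of the `null` makes an empty setting fail closed (every host rejected by the caller's `contains` check) rather than crash. The entries are used verbatim, so the "no spaces after commas" caveat in the Javadoc could be enforced by trimming each element rather than relying on operators to get the format right. The `@return` line also ends in a dangling comma; a clearer version is `@return unmodifiable list of host names and IP addresses accepted in the Host header; never null`.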
@@ -152,6 +152,10 @@ security.internal.sso.enabled=false
 # -- The secret key for the JWT token signature. Read Passwords and JWT (JSON Web Tokens) usage documentation to choose the way you want to store this key
 security.token.key=security.token.key
-# -- By default the SameSite value in SameSiteFilter is strict. This allows to change it ot lax if needed
+# -- List of domains or IP addresses to be checked to prevent Host Header Injection,
+# -- no spaces after commas,no wildcard, can be extended of course...
+host-headers-allowed=localhost,127.0.0.1,demo-trunk.ofbiz.apache.org,demo-stable.ofbiz.apache.org,demo-old.ofbiz.apache.org
+
+# -- By default the SameSite value in SameSiteFilter is strict. This allows to change it to lax if needed
 SameSiteCookieAttribute=
diff --git a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
index e1d1745..a310e52 100644
--- a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
+++ b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
@@ -82,6 +82,7 @@ public class RequestHandler {
 private final URL controllerConfigURL;
 private final boolean trackServerHit;
 private final boolean trackVisit;
+ private final List hostHeadersAllowed;
 private ControllerConfig ccfg;
 static class ControllerConfig {
@@ -167,6 +168,9 @@ public class RequestHandler {
 this.trackServerHit = !"false".equalsIgnoreCase(context.getInitParameter("track-serverhit"));
 this.trackVisit = !"false".equalsIgnoreCase(context.getInitParameter("track-visit"));
+
+ hostHeadersAllowed = UtilMisc.getHostHeadersAllowed();
+
 }
 public ConfigXMLReader.ControllerConfig getControllerConfig() {
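Review bot: The shipped default for `host-headers-allowed` lists the Apache demo hosts, and the new check in `RequestHandler.doRequest` rejects every request whose Host name is not in this list, so a deployment that upgrades without editing this line will refuse traffic on its own host name while still accepting `demo-*.ofbiz.apache.org`. The comment above the property should say so, e.g. `# -- Replace the demo hosts with the host names and IP addresses your deployment actually serves; a Host header not listed here is rejected (fail closed).` The code-side fallback when the property is absent is `localhost` alone, whereas this file also lists `127.0.0.1`; keeping the two defaults aligned avoids surprises when the file is overridden. The missing space in `commas,no wildcard` is carried over from the same comment in UtilMisc.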
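Review bot: The new field is declared as the raw type `private final List hostHeadersAllowed;` although `UtilMisc.getHostHeadersAllowed()` returns `List<String>`; declare it as `private final List<String> hostHeadersAllowed;` so the `contains` call site is type-checked and no raw-type warning is introduced. A one-line comment such as `// Host names accepted by doRequest(); read once from security.properties at construction` would document why the field sits next to the `track*` flags.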
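Review bot: The assignment `hostHeadersAllowed = UtilMisc.getHostHeadersAllowed();` drops the `this.` prefix that the neighbouring `this.trackServerHit` and `this.trackVisit` assignments use and is padded with an empty added line on each side; `this.hostHeadersAllowed = UtilMisc.getHostHeadersAllowed();` placed directly after the `trackVisit` line matches the constructor's style. Because the value is captured here, an edit to `host-headers-allowed` in security.properties is not seen until a new RequestHandler is built, which is worth a comment on that line unless UtilProperties reloads on its own (I cannot tell from this hunk). The constructor's start is outside the hunk.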
@@ -235,6 +239,11 @@ public class RequestHandler {
 public void doRequest(HttpServletRequest request, HttpServletResponse response, String chain, GenericValue userLogin, Delegator delegator) throws RequestHandlerException, RequestHandlerExceptionAllowExternalRequests {
+ if (!hostHeadersAllowed.contains(request.getServerName())) {
+ Debug.logError("Domain " + request.getServerName() + " not accepted to prevent host header injection ", module);
+ throw new RequestHandlerException("Domain " + request.getServerName() + " not accepted to prevent host header injection ");
+ }
+
 final boolean throwRequestHandlerExceptionOnMissingLocalRequest = EntityUtilProperties.propertyValueEqualsIgnoreCase( "requestHandler", "throwRequestHandlerExceptionOnMissingLocalRequest", "Y", delegator);
 long startTime = System.currentTimeMillis();
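Review bot: The allow-list check compares `request.getServerName()` with `contains`, i.e. exactly and case-sensitively, while DNS names are case-insensitive, so a client sending `Host: LocalHost` is rejected even though `localhost` is configured; rejection is fail-closed, so this is an availability rather than a bypass problem, but normalising with `toLowerCase(java.util.Locale.ROOT)` on both the header value and the configured entries removes the surprise. The rejected host name is attacker-supplied, evaluated three times, and written verbatim into the error log and the exception message, so consider reading it once into a local, truncating it, and logging at a lower level so a flood of bogus Host headers cannot fill the log. The check lives only in `doRequest`, so anything served outside the controller servlet is presumably not covered — confirm that is intended. `doRequest`'s body continues past the end of the hunk.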

