[ofbiz-framework] branch release18.12 updated: Fixed: Secure the uploads (OFBIZ-12080)

Mon, 14 Dec 2020 10:02:49 -0800 

This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release18.12 by this push:
     new e3c2741  Fixed: Secure the uploads (OFBIZ-12080)
e3c2741 is described below

commit e3c274128b9e447dc34f7114c91ad2098a683422
Author: Jacques Le Roux <[email protected]>
AuthorDate: Mon Dec 14 19:00:37 2020 +0100

    Fixed: Secure the uploads (OFBIZ-12080)
    
    According to https://s.apache.org/rpzog, adds few, maybe redundant, Java
    API/methods found in webshell, or alike, source code
---
 .../main/java/org/apache/ofbiz/security/SecuredUpload.java | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git 
a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java 
b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
index 273bdf5..d9c0952 100644
--- 
a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
+++ 
b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
@@ -111,8 +111,8 @@ public class SecuredUpload {
                 return false;
             } else if 
(!fileToCheck.matches("[a-zA-Z0-9]{1,249}.[a-zA-Z0-9]{1,10}")) {
                 Debug.logError("Uploaded file "
-                        + " should contain only Alpha-Numeric characters, only 
1 dot as an input for the file name and the extension; "
-                        + "in which the file name and also the extension 
should not be empty at all  ",
+                        + " should contain only Alpha-Numeric characters, only 
1 dot as an input for the file name and the extension."
+                        + "The file name and the extension should not be empty 
at all",
                         MODULE);
                 return false;
             }
@@ -122,8 +122,8 @@ public class SecuredUpload {
                 return false;
             } else if 
(!fileToCheck.matches("[a-zA-Z0-9]{1,4086}.[a-zA-Z0-9]{1,10}")) {
                 Debug.logError("Uploaded file "
-                        + " should contain only Alpha-Numeric characters, only 
1 dot as an input for the file name and the extension; "
-                        + "in which the file name and also the extension 
should not be empty at all  ",
+                        + " should contain only Alpha-Numeric characters, only 
1 dot as an input for the file name and the extension."
+                        + "Tthe file name and the extension should not be 
empty at all",
                         MODULE);
                 return false;
             }
@@ -619,6 +619,12 @@ public class SecuredUpload {
                 || content.toLowerCase().contains("mkdir")
                 || content.toLowerCase().contains("fopen")
                 || content.toLowerCase().contains("fclose")
+                || content.toLowerCase().contains("new file")
+                || content.toLowerCase().contains("import")
+                || content.toLowerCase().contains("upload")
+                || content.toLowerCase().contains("getFileName")
+                || content.toLowerCase().contains("Download")
+                || content.toLowerCase().contains("getOutputString")
                 || content.toLowerCase().contains("readfile"));
         // TODO.... to be continued with known webshell contents... a complete 
allow list is impossible anyway...
         // eg: 
https://www.acunetix.com/blog/articles/detection-prevention-introduction-web-shells-part-5/

Reply via email to