This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release17.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

commit 7e006178282eba3de1a1ed6636a9516fe7a626af
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Mon Sep 13 08:10:14 2021 +0200

    Fixed: Found a new XXE (XML External Entity Injection) vulnerability in 
ArtifactInfo (OFBIZ-12306)
    
    The XXE vulnerability can read arbitrary files on the server.
    
    Thanks: thiscodecc for reporting this security issue (post-auth)
---
 .../base/src/main/java/org/apache/ofbiz/base/util/UtilURL.java |  2 +-
 .../webtools/groovyScripts/artifactinfo/ArtifactInfo.groovy    | 10 +++++++---
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git 
a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilURL.java 
b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilURL.java
index f938dc3..4403822 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilURL.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilURL.java
@@ -146,8 +146,8 @@ public final class UtilURL {
         try {
             url = new URL(urlString);
         } catch (MalformedURLException e) {
+            // We purposely don't want to do anything here
         }
-
         return url;
     }
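Review bot: The comment added in the `catch (MalformedURLException e)` block says only that nothing is done, not why; since this commit makes `ArtifactInfo.groovy` use the null return of `fromUrlString` as its "is this a URL" test, the silent catch is now a contract callers depend on. Suggest `// Intentionally swallowed: a string that is not a URL yields null, which callers use as a test (see OFBIZ-12306)` in place of the added line. The enclosing method starts outside the hunk.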
 
diff --git a/framework/webtools/groovyScripts/artifactinfo/ArtifactInfo.groovy 
b/framework/webtools/groovyScripts/artifactinfo/ArtifactInfo.groovy
index 7edebdf..afa2cb5 100644
--- a/framework/webtools/groovyScripts/artifactinfo/ArtifactInfo.groovy
+++ b/framework/webtools/groovyScripts/artifactinfo/ArtifactInfo.groovy
@@ -17,12 +17,16 @@
  * under the License.
  */
 
-import org.apache.ofbiz.entity.Delegator
-import org.apache.ofbiz.webtools.artifactinfo.*
-import org.apache.ofbiz.base.util.*
+import org.apache.ofbiz.base.util.Debug
+import org.apache.ofbiz.base.util.UtilURL
+import org.apache.ofbiz.webtools.artifactinfo.ArtifactInfoFactory
 
 name = parameters.name
 location = parameters.location
+if (UtilURL.fromUrlString(location)) {
+    Debug.logError("For security reason HTTP URLs are not accepted, see 
OFBIZ-12306", "ArtifactInfo.groovy")
+    return
+}
 type = parameters.type
 uniqueId = parameters.uniqueId
 delegatorName = delegator.getDelegatorName()
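Review bot: The guard `if (UtilURL.fromUrlString(location))` rejects any string that `new URL` accepts, so `file:`, `jar:` and `ftp:` locations are refused as well as HTTP ones, while the log message says only HTTP URLs are not accepted. Make the intent explicit and the message accurate, e.g. `if (UtilURL.fromUrlString(location) != null) {` and `Debug.logError("For security reason URL locations (http, file, jar, ...) are not accepted, see OFBIZ-12306", "ArtifactInfo.groovy")`. The check only filters the form of the input; a `location` that is not URL-shaped continues into the same ArtifactInfoFactory path, and nothing in this commit hardens the XML parser behind it, so if that parser still resolves DOCTYPE/external entities, disabling them there is the durable fix (not visible here, confirm against ArtifactInfoFactory).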
