This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release17.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
commit 7e006178282eba3de1a1ed6636a9516fe7a626af
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Mon Sep 13 08:10:14 2021 +0200
Fixed: Found a new XXE (XML External Entity Injection) vulnerability in ArtifactInfo (OFBIZ-12306)
The XXE vulnerability can read arbitrary files on the server.
Thanks: thiscodecc for reporting this security issue (post-auth)
---
.../base/src/main/java/org/apache/ofbiz/base/util/UtilURL.java | 2 +-
.../webtools/groovyScripts/artifactinfo/ArtifactInfo.groovy | 10 +++++++---
2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilURL.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilURL.java
index f938dc3..4403822 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilURL.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilURL.java
@@ -146,8 +146,8 @@ public final class UtilURL {
 try {
 url = new URL(urlString);
 } catch (MalformedURLException e) {
+ // We purposely don't want to do anything here
 }
-
 return url;
 }
diff --git a/framework/webtools/groovyScripts/artifactinfo/ArtifactInfo.groovy b/framework/webtools/groovyScripts/artifactinfo/ArtifactInfo.groovy
index 7edebdf..afa2cb5 100644
--- a/framework/webtools/groovyScripts/artifactinfo/ArtifactInfo.groovy
+++ b/framework/webtools/groovyScripts/artifactinfo/ArtifactInfo.groovy
@@ -17,12 +17,16 @@
 * under the License.
 */
-import org.apache.ofbiz.entity.Delegator
-import org.apache.ofbiz.webtools.artifactinfo.*
-import org.apache.ofbiz.base.util.*
+import org.apache.ofbiz.base.util.Debug
+import org.apache.ofbiz.base.util.UtilURL
+import org.apache.ofbiz.webtools.artifactinfo.ArtifactInfoFactory
 name = parameters.name
 location = parameters.location
+if (UtilURL.fromUrlString(location)) {
+ Debug.logError("For security reason HTTP URLs are not accepted, see OFBIZ-12306", "ArtifactInfo.groovy")
+ return
+}
 type = parameters.type
 uniqueId = parameters.uniqueId
 delegatorName = delegator.getDelegatorName()
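Review bot: The new guard `if (UtilURL.fromUrlString(location))` relies on Groovy truth of the returned `java.net.URL`, so it rejects every scheme the JDK can parse (`file:`, `jar:`, `ftp:`, `https:`) and not only the "HTTP URLs" the log line names; making the test explicit and the message match the behaviour avoids a misleading audit trail: `if (UtilURL.fromUrlString(location) != null) {` and `Debug.logError("For security reasons URL-style locations are not accepted, see OFBIZ-12306", "ArtifactInfo.groovy")`. Since `fromUrlString` (first hunk) deliberately returns null on `MalformedURLException`, a null or empty `location` passes the guard, which is fine for a denylist but means the check only ever narrows, never validates, the location. This guard is boundary filtering; if the XML parser that `ArtifactInfoFactory` applies to the resolved location is not already configured to disallow DTDs and external entities, that parser configuration is still the place that closes the XXE, because a relative, non-URL location supplied by the user is still accepted and parsed. The script continues past the hunk, so how `location` is consumed is not visible here.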