This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release18.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
commit d4297a1c2902b42acc1e94a608265e615f7ae2fd
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Mon Sep 13 08:13:55 2021 +0200
Fixed: Found a new XXE (XML External Entity Injection) vulnerability in EntityImport (OFBIZ-12304)
The XXE vulnerability can read arbitrary files on the server.
Thanks: thiscodecc for reporting this security issue (post-auth)
---
 .../main/java/org/apache/ofbiz/base/util/UtilValidate.java | 12 ++++++++++++
 .../java/org/apache/ofbiz/webtools/WebToolsServices.java | 2 +-
 2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilValidate.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilValidate.java
index e6b8b4e..5322ad7 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilValidate.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilValidate.java
@@ -769,6 +769,18 @@ public final class UtilValidate {
 }
 /**
+ * urlInString returns true if the string contains :// and not "component://"
+ * @param s String to validate
+ * @return true if s contains :// and not "component://"
+ */
+ public static boolean urlInString(String s) {
+ if (isEmpty(s) || s.contains("component://")) {
+ return false;
+ }
+ return s.indexOf("://") != -1;
+ }
+
+ /**
 * isValidUrl returns true if the string is a valid URL (using Commons UrlValidator)
 * @param s String to validate
 * @return true if s contains if the string is a valid URL (using Commons UrlValidator)
diff --git a/framework/webtools/src/main/java/org/apache/ofbiz/webtools/WebToolsServices.java b/framework/webtools/src/main/java/org/apache/ofbiz/webtools/WebToolsServices.java
index 83a233b..633c10a 100644
--- a/framework/webtools/src/main/java/org/apache/ofbiz/webtools/WebToolsServices.java
+++ b/framework/webtools/src/main/java/org/apache/ofbiz/webtools/WebToolsServices.java
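Review bot: The `component://` exemption in the new `urlInString` is evaluated on the whole string rather than per occurrence, so an input that contains `component://` anywhere next to a second `://` scheme returns false and passes the check that WebToolsServices.java (the second hunk) relies on to reject external references. Removing the permitted scheme before testing keeps the exemption to that scheme only: `return s.replace("component://", "").contains("://");`, which also replaces the `indexOf("://") != -1` idiom. A substring test on the raw text is a heuristic and does not cover references written without a scheme; the durable XXE mitigation is on the parser that consumes `fulltext` — disallowing DOCTYPE declarations or enabling `XMLConstants.FEATURE_SECURE_PROCESSING` — and the Javadoc should say so, e.g. `Heuristic only; does not replace disabling DTD/external entity resolution on the XML parser.` The last context line of the enclosing Javadoc for isValidUrl appears to be cut off at the end of this hunk.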
@@ -143,7 +143,7 @@ public class WebToolsServices {
 // #############################
 // FM Template
 // #############################
- if (UtilValidate.URLInString(fulltext)) {
+ if (UtilValidate.urlInString(fulltext)) {
 Debug.logError("For security reason HTTP URLs are not accepted, see OFBIZ-12304", MODULE);
 Debug.logInfo("Rather load your data from a file", MODULE);
 return null;