This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

commit d4297a1c2902b42acc1e94a608265e615f7ae2fd
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Mon Sep 13 08:13:55 2021 +0200

    Fixed: Found a new XXE (XML External Entity Injection) vulnerability in 
EntityImport (OFBIZ-12304)
    
    The XXE vulnerability can read arbitrary files on the server.
    
    Thanks: thiscodecc for reporting this security issue (post-auth)
---
 .../main/java/org/apache/ofbiz/base/util/UtilValidate.java   | 12 ++++++++++++
 .../java/org/apache/ofbiz/webtools/WebToolsServices.java     |  2 +-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git 
a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilValidate.java 
b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilValidate.java
index e6b8b4e..5322ad7 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilValidate.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilValidate.java
@@ -769,6 +769,18 @@ public final class UtilValidate {
     }
 
     /**
+     * urlInString returns true if the string contains :// and not 
"component://"
+     * @param s String to validate
+     * @return true if s contains :// and not "component://"
+     */
+    public static boolean urlInString(String s) {
+        if (isEmpty(s) || s.contains("component://")) {
+            return false;
+        }
+        return s.indexOf("://") != -1;
+    }
+
+    /**
      * isValidUrl returns true if the string is a valid URL (using Commons 
UrlValidator)
      * @param s String to validate
      * @return true if s contains if the string is a valid URL (using Commons 
UrlValidator)
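Review bot: The `s.contains("component://")` test at the top of urlInString short-circuits the whole check, so any input that holds "component://" somewhere is accepted even if it also carries a second, external scheme elsewhere in the same string; the guard should instead examine each "://" occurrence and exempt only those preceded by "component". Walking the occurrences with indexOf and `startsWith("component", idx - 9)` does that without a regex, and since startsWith returns false for a negative offset a string beginning with "://" is still treated as a URL. The Javadoc summary "contains :// and not component://" would describe the stricter behaviour accurately, so it can stay. This remains a string-level heuristic; the XML parser that consumes the imported text should additionally be configured to refuse DTDs and external entities so the import path does not rely on this filter alone.
```java
    public static boolean urlInString(String s) {
        if (isEmpty(s)) {
            return false;
        }
        // "component://" is the internal resource scheme; any other "://" is an external URL
        for (int idx = s.indexOf("://"); idx != -1; idx = s.indexOf("://", idx + 3)) {
            if (!s.startsWith("component", idx - "component".length())) {
                return true;
            }
        }
        return false;
    }
```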
diff --git 
a/framework/webtools/src/main/java/org/apache/ofbiz/webtools/WebToolsServices.java
 
b/framework/webtools/src/main/java/org/apache/ofbiz/webtools/WebToolsServices.java
index 83a233b..633c10a 100644
--- 
a/framework/webtools/src/main/java/org/apache/ofbiz/webtools/WebToolsServices.java
+++ 
b/framework/webtools/src/main/java/org/apache/ofbiz/webtools/WebToolsServices.java
@@ -143,7 +143,7 @@ public class WebToolsServices {
         // #############################
         // FM Template
         // #############################
-        if (UtilValidate.URLInString(fulltext)) {
+        if (UtilValidate.urlInString(fulltext)) {
             Debug.logError("For security reason HTTP URLs are not accepted, 
see OFBIZ-12304", MODULE);
             Debug.logInfo("Rather load your data from a file", MODULE);
             return null;
