This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release18.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
commit 9b5c721c2a31c1864f4f2d063d39b3eb49ac9656 Author: Jacques Le Roux <[email protected]> AuthorDate: Mon Sep 13 08:13:55 2021 +0200 Fixed: Found a new XXE (XML External Entity Injection) vulnerability in EntityImport (OFBIZ-12304) The XXE vulnerability can read arbitrary files on the server. Thanks: thiscodecc for reporting this security issue (post-auth) --- .../java/org/apache/ofbiz/base/util/UtilValidate.java | 18 ++++++++++++++++-- .../org/apache/ofbiz/webtools/WebToolsServices.java | 5 +++++ 2 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilValidate.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilValidate.java
index 8e6f002..e6b8b4e 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilValidate.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilValidate.java
@@ -741,8 +741,9 @@ public final class UtilValidate {
 return true;
 }
- /** isUrl returns true if the string contains :// * @param s String to validate
+ /**
+ * isUrl returns true if the string contains ://
+ * @param s String to validate Note: this does not handle "component://" specific to OFBiz
 * @return true if s contains ://
 */
 public static boolean isUrl(String s) {
@@ -756,6 +757,18 @@ public final class UtilValidate {
 }
 /**
+ * URLInString returns true if the string contains :// and not "component://"
+ * @param s String to validate
+ * @return true if s contains :// and not "component://"
+ */
+ public static boolean URLInString(String s) {
+ if (isEmpty(s) || s.contains("component://")) {
+ return false;
+ }
+ return s.indexOf("://") != -1;
+ }
+
+ /**
 * isValidUrl returns true if the string is a valid URL (using Commons UrlValidator)
 * @param s String to validate
 * @return true if s contains if the string is a valid URL (using Commons UrlValidator)
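Review bot: `s.contains("component://")` short-circuits the whole test in the new `URLInString`, so a string that carries a `component://` reference next to any other `://` scheme is reported as containing no URL, which is the opposite of what the caller in WebToolsServices relies on for its security check. Scan every `://` occurrence and exempt only those preceded by `component`, as in the rewrite below. The name also breaks the lowerCamelCase convention of the neighbouring `isUrl`/`isValidUrl`; `urlInString` (or a more descriptive `containsNonComponentUrl`) would be consistent, and the Javadoc should say the `component://` exemption is a plain substring test, not a parsed scheme.
```java
    public static boolean URLInString(String s) {
        if (isEmpty(s)) {
            return false;
        }
        int idx = s.indexOf("://");
        while (idx != -1) {
            // exempt only OFBiz's own component:// references; any other scheme counts as a URL
            if (!s.startsWith("component", idx - "component".length())) {
                return true;
            }
            idx = s.indexOf("://", idx + 3);
        }
        return false;
    }
```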
@@ -767,6 +780,7 @@ public final class UtilValidate {
 return UrlValidator.getInstance().isValid(s);
 }
+
 /** isYear returns true if string s is a valid
 * Year number. Must be 2 or 4 digits only.
 *
diff --git a/framework/webtools/src/main/java/org/apache/ofbiz/webtools/WebToolsServices.java b/framework/webtools/src/main/java/org/apache/ofbiz/webtools/WebToolsServices.java
index a54194b..83a233b 100644
--- a/framework/webtools/src/main/java/org/apache/ofbiz/webtools/WebToolsServices.java
+++ b/framework/webtools/src/main/java/org/apache/ofbiz/webtools/WebToolsServices.java
@@ -143,6 +143,11 @@ public class WebToolsServices {
 // #############################
 // FM Template
 // #############################
+ if (UtilValidate.URLInString(fulltext)) {
+ Debug.logError("For security reason HTTP URLs are not accepted, see OFBIZ-12304", MODULE);
+ Debug.logInfo("Rather load your data from a file", MODULE);
+ return null;
+ }
 if (UtilValidate.isNotEmpty(fmfilename) && (UtilValidate.isNotEmpty(fulltext) || url != null)) {
 File fmFile = new File(fmfilename);
 if (!fmFile.exists()) {
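Review bot: The added guard is a substring denylist on `fulltext` rather than a hardening of the XML parser, so it rejects legitimate import data that merely carries a URL in an attribute value while the parser that consumes this text is still left free to resolve external entities; the durable fix is to have that parser (outside this hunk) disallow DOCTYPE declarations and external entities, e.g. `XMLConstants.ACCESS_EXTERNAL_DTD` and `ACCESS_EXTERNAL_SCHEMA` set to `""` or the Xerces `disallow-doctype-decl` feature, and keep this check at most as a defence in depth. The guard also inspects only `fulltext`; content obtained through the `url` branch on the next line is not inspected, so if it reaches the same parser the same reasoning applies. `return null` silently drops the service result where the surrounding code presumably reports failures through a result map such as `ServiceUtil.returnError(...)` — the enclosing method starts and ends outside the hunk, so confirm its error convention. The log text `"For security reason HTTP URLs are not accepted, see OFBIZ-12304"` should read `"For security reasons, URLs are not accepted, see OFBIZ-12304"` since the check is not HTTP-specific.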

