This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release18.12 by this push:
new c638ec2 Fixed: Secure the uploads (OFBIZ-12080)
c638ec2 is described below
commit c638ec26f8a0d2b78f1f275dcc5ff934e3019a30
Author: Jacques Le Roux <[email protected]>
AuthorDate: Mon Feb 21 17:02:12 2022 +0100
Fixed: Secure the uploads (OFBIZ-12080)
Trivial change in DataServices.java: uses the SecuredUpload import in the 2
places where it was missing.
Adds some tokens in security.properties::deniedWebShellTokens
Removes a duplicated htaccess in security.properties::deniedFileExtensions
---
.../src/main/java/org/apache/ofbiz/content/data/DataServices.java | 4 ++--
framework/security/config/security.properties | 8 ++++----
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git
a/applications/content/src/main/java/org/apache/ofbiz/content/data/DataServices.java
b/applications/content/src/main/java/org/apache/ofbiz/content/data/DataServices.java
index cec71ac..96a4b3f 100644
---
a/applications/content/src/main/java/org/apache/ofbiz/content/data/DataServices.java
+++
b/applications/content/src/main/java/org/apache/ofbiz/content/data/DataServices.java
@@ -205,7 +205,7 @@ public class DataServices {
File file = new File(fileNameAndPath);
if (!originalFileName.isEmpty()) {
// Check the file name
- if
(!org.apache.ofbiz.security.SecuredUpload.isValidFileName(originalFileName,
delegator)) {
+ if (!SecuredUpload.isValidFileName(originalFileName, delegator)) {
String errorMessage =
UtilProperties.getMessage("SecurityUiLabels",
"SupportedFileFormatsIncludingSvg", locale);
return ServiceUtil.returnError(errorMessage);
}
@@ -213,7 +213,7 @@ public class DataServices {
// We would just have a better error message
if (file.exists()) {
// Check if a webshell is not uploaded
- if
(!org.apache.ofbiz.security.SecuredUpload.isValidFile(fileNameAndPath, "All",
delegator)) {
+ if (!SecuredUpload.isValidFile(fileNameAndPath, "All",
delegator)) {
String errorMessage =
UtilProperties.getMessage("SecurityUiLabels",
"SupportedFileFormatsIncludingSvg", locale);
return ServiceUtil.returnError(errorMessage);
}
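Review bot: When `SecuredUpload.isValidFile` rejects the content on the new line, the service returns an error but nothing in this hunk removes the file that `file.exists()` has just confirmed is already on disk at `fileNameAndPath`, so a rejected upload stays in place unless a caller outside the hunk deletes it. Consider deleting it before returning, e.g. `file.delete();` immediately ahead of `return ServiceUtil.returnError(errorMessage);`, and logging the rejection together with the path so operators can see rejected uploads (unless SecuredUpload already logs this internally, which is not visible here). Both this hunk and the one at L28-40 return the same `SupportedFileFormatsIncludingSvg` message, so a content rejection reads to the user as a format problem; a distinct message for the content check would make triage easier. The enclosing service method starts and ends outside the hunk.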
diff --git a/framework/security/config/security.properties
b/framework/security/config/security.properties
index b11ec6a..70fb232 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -209,7 +209,7 @@ templateClassResolver=
#-- List of denied files suffixes to be uploaded
#-- OFBiz of course also check contents...
deniedFileExtensions=html,htm,php,php1,php2,hph3,php4,php5,php6,php7,phps,asp,aspx,asa,asax,ascx,ashx,asmx,jsp,jspa,jspx,jsw,jsv,jspf,jtml,cfm,cfc,bat,exe,com,dll,\
-
vbs,js,reg,cgi,htaccess,asis,sh,phtm,pht,phtml,shtm,inc,asp,cdx,asa,cer,py,pl,shtml,hta,ps1,tag,pgif,htaccess,phar,inc,cgi,wss,do,action
+
vbs,js,reg,cgi,asis,sh,phtm,pht,phtml,shtm,inc,asp,cdx,asa,cer,py,pl,shtml,hta,ps1,tag,pgif,htaccess,phar,inc,cgi,wss,do,action
#--
#-- The upload vulnerability is only a post-auth (needs a credential with
suitable permissions),
#-- people may like to allow more than what is allowed OOTB
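Review bot: `hph3` on the unchanged first line of deniedFileExtensions looks like a transposition of `php3` — php1, php2 and php4 through php7 are all listed — so a `.php3` name would presumably not be caught by the extension list, leaving only the content check described in the comment above. The rewritten continuation line also still carries repeats of asp, asa, inc and cgi, the same kind of duplicate the commit removes for htaccess; dropping them keeps the list easier to audit. Whether extension matching is case-insensitive is not visible in this file; confirm in SecuredUpload, since `.PHP` would otherwise bypass a case-sensitive compare.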
@@ -221,11 +221,11 @@ allowAllUploads=
#-- "freemarker" should be OK, should not be used in Freemarker templates, not
part of the syntax.
#-- Else "template.utility.Execute" is a good replacement but not as much
catching, who knows...
#-- If you are sure you are safe for a token you can remove it, etc.
-deniedWebShellTokens=freemarker,<script,javascript,<body,<form,<jsp:,<c:out,taglib,<prefix,<%@
page,\
+deniedWebShellTokens=freemarker,<script,javascript,<body,<form,<jsp:,<c:out,taglib,<prefix,<%@
page,<?php,exec(\
%eval,@eval,eval(,runtime,import,passthru,shell_exec,assert,str_rot13,system,decode,include,page
,\
chmod,mkdir,fopen,fclose,new
file,upload,getfilename,download,getoutputstring,readfile,\
- python,perl ,/perl,ruby
,/ruby,process,function,class,InputStream,to_server,\
-
ifconfig,route,crontab,netstat,uname,hostname,iptables,whoami,"cmd",*cmd|,+cmd|,=cmd|
+ python,perl ,/perl,ruby
,/ruby,process,function,class,InputStream,to_server,wget,\
+
ifconfig,route,crontab,netstat,uname,hostname,iptables,whoami,"cmd",*cmd|,+cmd|,=cmd|,localhost
#-- Max line length for uploaded files, by default 10000