This is an automated email from the ASF dual-hosted git repository.
pgil pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release18.12 by this push:
new d7456c92de Fixed: Avoid exploit using `..` special name in request uri.
d7456c92de is described below
commit d7456c92de84cc41220aadfed175fd73397c0356
Author: Gil Portenseigne <[email protected]>
AuthorDate: Fri Dec 15 15:04:50 2023 +0100
Fixed: Avoid exploit using `..` special name in request uri.
Before, a user could bypass webapp filter rules using `..` notation,
allowing access to the complete docBase provided by Tomcat.
Example `w3m https://localhost:8443/partymgr/control/../a.txt` could be
used to access `a.txt` file in partymgr webapp, even though `control` is
needed to pass filter rules.
---
.../src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java | 4 ++++
1 file changed, 4 insertions(+)
diff --git
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
index e298f3fd93..f1fe5cb7f3 100644
---
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
+++
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
@@ -19,6 +19,7 @@
package org.apache.ofbiz.webapp.control;
import java.io.IOException;
+import java.nio.file.Paths;
import java.util.HashSet;
import java.util.Set;
@@ -130,6 +131,9 @@ public class ControlFilter implements Filter {
// check to make sure the requested url is allowed
// get the request URI without the webapp mount point
String requestUri =
httpRequest.getRequestURI().substring(httpRequest.getContextPath().length());
+
+ // normalize to remove ".." special name usage to bypass webapp
filter
+ requestUri = Paths.get(requestUri).normalize().toString();
int offset = requestUri.indexOf("/", 1);
if (offset == -1) {
offset = requestUri.length();
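Review bot: `Paths.get(requestUri).normalize().toString()` uses the host filesystem's path syntax, so on Windows the result uses `\` separators and the following `indexOf("/", 1)` no longer finds the first path segment, making `offset` equal to the whole string and the filter's allow-list comparison inconsistent with other platforms. A request URI is URL syntax, not a filesystem path; normalizing with `java.net.URI` is platform-independent and keeps `/`: `requestUri = URI.create(requestUri).normalize().getPath();` with `import java.net.URI;` replacing the `java.nio.file.Paths` import added in the first hunk. Note also that `Paths.get` can throw an unchecked `InvalidPathException` on characters the host filesystem rejects (and `URI.create` an `IllegalArgumentException` on malformed input), so either form presumably needs a catch that answers with a client error rather than an unhandled 500 — confirm how the surrounding method reports errors. Since `getRequestURI()` returns the undecoded URI, percent-encoded dot segments are not covered by this normalization; whether the container rejects those before the filter runs should be verified with a test. The enclosing `doFilter` method starts and ends outside the hunk.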