This is an automated email from the ASF dual-hosted git repository.
pgil pushed a commit to branch release22.01
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release22.01 by this push:
new df9516e5ab Fixed: Avoid exploit using `..` special name in request uri.
df9516e5ab is described below
commit df9516e5ab711cf60cad67323b04ef55396d0b46
Author: Gil Portenseigne <[email protected]>
AuthorDate: Fri Dec 15 17:09:30 2023 +0100
Fixed: Avoid exploit using `..` special name in request uri.
Before, a user could bypass webapp filter rules using `..` notation
allowing to access to the complete docBase provided by tomcat.
Example `w3m https://localhost:8443/partymgr/control/../a.txt` could be
used to access `a.txt` file in partymgr webapp, even though `control` is
needed to pass filter rules.
---
.../src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java | 4 ++++
1 file changed, 4 insertions(+)
diff --git
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
index 302df37f51..df8960b9c9 100644
---
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
+++
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
@@ -19,6 +19,7 @@
package org.apache.ofbiz.webapp.control;
import java.io.IOException;
+import java.nio.file.Paths;
import java.util.Arrays;
import java.util.Collections;
import java.util.Set;
@@ -159,6 +160,9 @@ public class ControlFilter extends HttpFilter {
}
}
+ // normalize to remove ".." special name usage to bypass webapp
filter
+ uri = Paths.get(uri).normalize().toString();
+
// Check if the requested URI is allowed.
if (allowedPaths.stream().anyMatch(uri::startsWith)) {
try {
