[ https://issues.apache.org/jira/browse/OFBIZ-12794?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17709865#comment-17709865 ]

ASF subversion and git services commented on OFBIZ-12794:
---------------------------------------------------------

Commit 4cb8ff7097117eb8ebc9302808afdbc221f1fafe in ofbiz-framework's branch refs/heads/trunk from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=4cb8ff7097 ]

Fixed: Disallow string concatenation in uploaded files (OFBIZ-12794)

An external security reporter brought to our attention that a signed-up user could upload a webshell using string concatenation. Of course there is no reason for a signed-up user to upload a webshell. And anyway we don't create CVEs for signed-up users trying our security.

Nevertheless we have decided to fix this possibility while allowing to bypass it using a new security property. The latter can be useful when a file must contain a string concatenation; image files, seen as encoded texts, come to mind.

Thanks: so far unknown security reporter

> Disallow string concatenation in uploaded files
> -----------------------------------------------
>
>                 Key: OFBIZ-12794
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12794
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework/security
>    Affects Versions: 22.01.01
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 22.01.01
>
>
> An external security reporter brought to our attention that a signed-up user
> could upload a webshell using string concatenation. Of course there is no
> reason for a signed-up user to upload a webshell. And anyway we don't create
> CVEs for signed-up users trying our security.
> Nevertheless we have decided to fix this possibility while allowing to bypass
> it using a new security property. The latter can be useful when a file must
> contain a string concatenation; image files, seen as encoded texts, come to
> mind.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)