[ https://issues.apache.org/jira/browse/OFBIZ-12794?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux closed OFBIZ-12794.
-----------------------------------
    Resolution: Fixed

> Disallow string concatenation in uploaded files
> -----------------------------------------------
>
>                 Key: OFBIZ-12794
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12794
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework/security
>    Affects Versions: 22.01.01
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 22.01.01
>
>
> An external security reporter brought to our attention that a signed up user
> could upload a webshell using string concatenation. Of course there is no
> reason for a signed up user to upload a webshell. And anyway we don't create
> CVEs for signed up users trying our security.
> Nevertheless we have decided to fix this possibility while allowing to bypass
> it using a new security property. The latter can be useful when a file must
> contain a string concatenation, image files, seen as encoded texts, come to
> mind.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)