buildbot success in on ofbizTrunkFrameworkPlugins
The Buildbot has detected a restored build on builder ofbizTrunkFrameworkPlugins while building ofbiz-framework. Full details are available at: https://ci.apache.org/builders/ofbizTrunkFrameworkPlugins/builds/2197 Buildbot URL: https://ci.apache.org/ Buildslave for this Build: asf947_ubuntu Build Reason: downstream Build Source Stamp: [branch trunk] a83faaf15af5054d6a8997b8b6810aa4da49b504 Blamelist: Nicolas Malin Build succeeded! Sincerely, -The Buildbot
[ofbiz-framework] branch trunk updated: Fixed: Rendering widget screen from ftl with the current context : java doc generation error (OFBIZ-12310)
This is an automated email from the ASF dual-hosted git repository. nmalin pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git The following commit(s) were added to refs/heads/trunk by this push: new a83faaf Fixed: Rendering widget screen from ftl with the current context : java doc generation error (OFBIZ-12310) a83faaf is described below commit a83faaf15af5054d6a8997b8b6810aa4da49b504 Author: Nicolas Malin AuthorDate: Fri Sep 3 20:59:52 2021 +0200 Fixed: Rendering widget screen from ftl with the current context : java doc generation error (OFBIZ-12310) Corrects the previous commit, which had an invalid character in the javadoc. --- .../main/java/org/apache/ofbiz/webapp/ftl/OfbizScreenTransform.java | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/ftl/OfbizScreenTransform.java b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/ftl/OfbizScreenTransform.java index 977d593..6ec47c8 100644 --- a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/ftl/OfbizScreenTransform.java +++ b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/ftl/OfbizScreenTransform.java 
@@ -47,16 +47,16 @@ import org.xml.sax.SAXException; * OfbizScreenTransform - Freemarker Transform to display a screen by is location and name * * You can call a Ofbiz screen with the ftl context with simple macro - * <@ofbizScreen>component://mycomponent/widget/MyComponentScreens.xml#MyScreen + * ofbizScreencomponent://mycomponent/widget/MyComponentScreens.xml#MyScreen/ofbizScreen * * You can also write - *<@ofbizScreen location="component://mycomponent/widget/MyComponentScreens.xml" name="MyScreen"/> + *ofbizScreen location="component://mycomponent/widget/MyComponentScreens.xml" name="MyScreen"/ * * Or set a default location on your context *action : *context.defaultTemplateLocation = "component://mycomponent/widget/MyComponentScreens.xml" *widget : - *<@ofbizScreen>MyScreen + *ofbizScreenMyScreen/ofbizScreen * */ public class OfbizScreenTransform implements TemplateTransformModel {
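Review bot: as rendered here, the `+` lines drop the `<@` and `>` of the macro examples altogether, so the class javadoc now reads `ofbizScreencomponent://mycomponent/widget/MyComponentScreens.xml#MyScreen/ofbizScreen` and `ofbizScreenMyScreen/ofbizScreen`, which is not valid FreeMarker and will confuse anyone reading the generated docs. If the goal is only to stop javadoc from choking on the angle brackets, escape them as entities (`&lt;@ofbizScreen&gt;`) or wrap each example in `{@code ...}` so the brackets survive; if the committed source already does that and only this mail lost the entities, disregard.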
buildbot exception in on ofbizTrunkFrameworkPlugins
The Buildbot has detected a build exception on builder ofbizTrunkFrameworkPlugins while building ofbiz-framework. Full details are available at: https://ci.apache.org/builders/ofbizTrunkFrameworkPlugins/builds/2196 Buildbot URL: https://ci.apache.org/ Buildslave for this Build: asf945_ubuntu Build Reason: downstream Build Source Stamp: [branch trunk] 26a9dc73366a3f37a716d7d7e54b378a3ac2fc4d Blamelist: Nicolas Malin BUILD FAILED: exception javadoc upload test-results part 1 Sincerely, -The Buildbot
[ofbiz-framework] branch trunk updated: Implemented: Rendering widget screen from ftl with the current context (OFBIZ-12310)
This is an automated email from the ASF dual-hosted git repository. nmalin pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git The following commit(s) were added to refs/heads/trunk by this push: new 26a9dc7 Implemented: Rendering widget screen from ftl with the current context (OFBIZ-12310) 26a9dc7 is described below commit 26a9dc73366a3f37a716d7d7e54b378a3ac2fc4d Author: Nicolas Malin AuthorDate: Fri Sep 3 18:29:48 2021 +0200 Implemented: Rendering widget screen from ftl with the current context (OFBIZ-12310) Currently, when rendering a widget screen from an ftl template, you can use a screen element present in the context to call the renderer: ${screens.render("component://common/widget/CommonScreens.xml#countries")} This rendering is realized with the context present when the screen object was initialized. To simplify the screen call from a freemarker template, I implemented a new macro ofbizScreen. You can call an Ofbiz screen with the ftl context with a simple macro <@ofbizScreen>component://mycomponent/widget/MyComponentScreens.xml#MyScreen You can also write <@ofbizScreen location="component://mycomponent/widget/MyComponentScreens.xml" name="MyScreen"/> Or set a default location in your context action : context.defaultTemplateLocation = "component://mycomponent/widget/MyComponentScreens.xml" widget : <@ofbizScreen>MyScreen When the screen is called, the context used to render the screen is the current context: <#list contactMechs as contactMech> <#assign contactMechId = contactMech.contachMechId/> <@ofbizScreen>component://mycomponent/widget/MyComponentScreens.xml#DisplayContactMech --- .../party/template/party/EditContactMech.ftl | 4 +- .../ofbiz/webapp/ftl/OfbizScreenTransform.java | 149 + .../ofbiz/webapp/freemarkerTransforms.properties | 1 + 3 files changed, 152 insertions(+), 2 deletions(-) 
diff --git a/applications/party/template/party/EditContactMech.ftl b/applications/party/template/party/EditContactMech.ftl index 53a4fcd..f418ab3 100644 --- a/applications/party/template/party/EditContactMech.ftl +++ b/applications/party/template/party/EditContactMech.ftl @@ -165,14 +165,14 @@ under the License. - ${screens.render("component://common/widget/CommonScreens.xml#countries")} <#if (mechMap.postalAddress??) && (mechMap.postalAddress.countryGeoId??)> <#assign defaultCountryGeoId = mechMap.postalAddress.countryGeoId> <#else> <#assign defaultCountryGeoId = Static["org.apache.ofbiz.entity.util.EntityUtilProperties"].getPropertyValue("general", "country.geo.id.default", delegator)> + <@ofbizScreen>countries -<#assign countryGeo = delegator.findOne("Geo",Static["org.apache.ofbiz.base.util.UtilMisc"].toMap("geoId",defaultCountryGeoId), false)> +<#assign countryGeo = delegator.findOne("Geo", {"geoId": defaultCountryGeoId}, false)> ${countryGeo.get("geoName",locale)} diff --git a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/ftl/OfbizScreenTransform.java b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/ftl/OfbizScreenTransform.java new file mode 100644 index 000..977d593 --- /dev/null +++ b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/ftl/OfbizScreenTransform.java 
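Review bot: `<@ofbizScreen>countries` uses the bare-name form, which according to the commit message resolves against `context.defaultTemplateLocation`, yet nothing in this hunk sets that value for EditContactMech.ftl, and the line being replaced named the screen fully as `component://common/widget/CommonScreens.xml#countries`. Unless the enclosing screen's actions guarantee `defaultTemplateLocation`, use the explicit form `<@ofbizScreen location="component://common/widget/CommonScreens.xml" name="countries"/>` so this call does not silently depend on caller state and cannot be redirected to another widget file by whatever last set that context key. The `findOne` rewrite to a hash literal is fine.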
@@ -0,0 +1,149 @@ +/*** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + ***/ +package org.apache.ofbiz.webapp.ftl; + +import freemarker.core.Environment; +import freemarker.ext.beans.BeanModel; +import freemarker.template.TemplateException; +import freemarker.template.TemplateModelException; +import freemarker.template.TemplateTransformModel; +import freemarker.template.TemplateScalarModel; +import
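Review bot: this hunk is cut off inside the import block, so the body of `OfbizScreenTransform` is not reviewable from this mail; two things to confirm in the full file. First, that the `location` value (a string coming from the template, or from `context.defaultTemplateLocation`) is restricted to `component://` widget locations and rejected otherwise, since the transform turns a context-supplied string into a file to load and render. Second, that the documented behaviour of rendering with the caller's full FreeMarker context is stated in the class javadoc with its consequence: everything in that context, including request parameters already copied into it, becomes visible to the rendered screen, so screens invoked this way must not treat those keys as trusted.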
[ofbiz-framework] branch release17.12 updated: Fixed: CVE-2021-37608 vulnerability bypass (OFBIZ-12307)
This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release17.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git The following commit(s) were added to refs/heads/release17.12 by this push: new 1b907b0 Fixed: CVE-2021-37608 vulnerability bypass (OFBIZ-12307) 1b907b0 is described below commit 1b907b06e86ee1b6fb73f45e9cc0cbf4b384193c Author: Jacques Le Roux AuthorDate: Fri Sep 3 16:46:36 2021 +0200 Fixed: CVE-2021-37608 vulnerability bypass (OFBIZ-12307) Safer completing solution as recommended by weinull orz Previous commit was OK, but better be safe than sorry ;) Also forgot to commit the DENIEDFILEEXTENSIONS checkstyle change last time Thanks: weinull orz for the right suggestion (done 2021-08-13) --- .../org/apache/ofbiz/content/data/DataServices.java | 14 +++--- .../ofbiz/product/imagemanagement/FrameImage.java| 6 +++--- .../imagemanagement/ImageManagementServices.java | 20 +--- .../ofbiz/product/product/ProductServices.java | 13 ++--- .../org/apache/ofbiz/security/SecuredUpload.java | 4 ++-- 5 files changed, 27 insertions(+), 30 deletions(-) diff --git a/applications/content/src/main/java/org/apache/ofbiz/content/data/DataServices.java b/applications/content/src/main/java/org/apache/ofbiz/content/data/DataServices.java index 2b30528..b6b17df 100644 --- a/applications/content/src/main/java/org/apache/ofbiz/content/data/DataServices.java +++ b/applications/content/src/main/java/org/apache/ofbiz/content/data/DataServices.java 
@@ -259,14 +259,14 @@ public class DataServices { } } else if (binData != null) { try { -RandomAccessFile out = new RandomAccessFile(file, "rw"); -out.write(binData.array()); -out.close(); // Check if a webshell is not uploaded if (!org.apache.ofbiz.security.SecuredUpload.isValidFile(file.getAbsolutePath(), "All", delegator)) { String errorMessage = UtilProperties.getMessage("SecurityUiLabels", "SupportedFileFormatsIncludingSvg", locale); return ServiceUtil.returnError(errorMessage); } +RandomAccessFile out = new RandomAccessFile(file, "rw"); +out.write(binData.array()); +out.close(); } catch (FileNotFoundException | ImageReadException e) { Debug.logError(e, module); @@ -459,15 +459,15 @@ public class DataServices { } } else if (binData != null) { try { -RandomAccessFile out = new RandomAccessFile(file, "rw"); -out.setLength(binData.array().length); -out.write(binData.array()); -out.close(); // Check if a webshell is not uploaded if (!org.apache.ofbiz.security.SecuredUpload.isValidFile(file.getAbsolutePath(), "All", delegator)) { String errorMessage = UtilProperties.getMessage("SecurityUiLabels", "SupportedFileFormatsIncludingSvg", locale); return ServiceUtil.returnError(errorMessage); } +RandomAccessFile out = new RandomAccessFile(file, "rw"); +out.setLength(binData.array().length); +out.write(binData.array()); +out.close(); } catch (FileNotFoundException | ImageReadException e) { Debug.logError(e, module); return ServiceUtil.returnError(UtilProperties.getMessage(resource, "ContentUnableToOpenFileForWriting", UtilMisc.toMap("fileName", file.getAbsolutePath()), locale)); diff --git a/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java b/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java index b84717b..e942586 100644 --- a/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java 
+++ b/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java @@ -292,14 +292,14 @@ public class FrameImage { request.setAttribute("_ERROR_MESSAGE_", "There is an existing frame, please select from the existing frame."); return "error"; } -RandomAccessFile out = new RandomAccessFile(file, "rw"); -out.write(imageData.array()); -out.close(); if (!org.apache.ofbiz.security.SecuredUpload.isValidFile(file.getAbsolutePath(), "Image", delegator)) { String errorMessage = UtilProperties.getMessage("SecurityUiLabels", "SupportedFileFormatsIncludingSvg", locale); request.setAttribute("_ERROR_MESSAGE_",
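Review bot: in both DataServices hunks and in FrameImage the `RandomAccessFile` write is moved below `SecuredUpload.isValidFile(file.getAbsolutePath(), ...)`, but `isValidFile` is handed a path, not the buffer, so every content-level check inside it now runs against whatever is at that path before `binData`/`imageData` is written (usually nothing, or a stale file); only the name-based extension check can actually see the upload. The `catch (FileNotFoundException | ImageReadException e)` that follows already shows the validator is expected to open and parse the file. Either validate the bytes in memory, or write them to a temporary file, run `isValidFile` on that, and only then move it under its final name; as committed, the reorder removes the time-of-write/time-of-check window but also removes the content inspection.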
buildbot success in on ofbizTrunkFramework
The Buildbot has detected a restored build on builder ofbizTrunkFramework while building . Full details are available at: https://ci.apache.org/builders/ofbizTrunkFramework/builds/2293 Buildbot URL: https://ci.apache.org/ Buildslave for this Build: asf947_ubuntu Build Reason: forced: by IRC user (privmsg): forces manual build after BuildBot error Build Source Stamp: HEAD Blamelist: Build succeeded! Sincerely, -The Buildbot
[ofbiz-framework] branch release18.12 updated: Fixed: CVE-2021-37608 vulnerability bypass (OFBIZ-12307)
This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release18.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git The following commit(s) were added to refs/heads/release18.12 by this push: new 4088e0a Fixed: CVE-2021-37608 vulnerability bypass (OFBIZ-12307) 4088e0a is described below commit 4088e0a28e5185294337a12b65b80353e49f62e0 Author: Jacques Le Roux AuthorDate: Fri Sep 3 16:46:36 2021 +0200 Fixed: CVE-2021-37608 vulnerability bypass (OFBIZ-12307) Safer completing solution as recommended by weinull orz Previous commit was OK, but better be safe than sorry ;) Also forgot to commit the DENIEDFILEEXTENSIONS checkstyle change last time Thanks: weinull orz for the right suggestion (done 2021-08-13) --- .../org/apache/ofbiz/content/data/DataServices.java | 14 +++--- .../ofbiz/product/imagemanagement/FrameImage.java| 6 +++--- .../imagemanagement/ImageManagementServices.java | 20 +--- .../ofbiz/product/product/ProductServices.java | 13 ++--- .../org/apache/ofbiz/security/SecuredUpload.java | 4 ++-- 5 files changed, 27 insertions(+), 30 deletions(-) diff --git a/applications/content/src/main/java/org/apache/ofbiz/content/data/DataServices.java b/applications/content/src/main/java/org/apache/ofbiz/content/data/DataServices.java index 14e4113..4b644f4 100644 --- a/applications/content/src/main/java/org/apache/ofbiz/content/data/DataServices.java +++ b/applications/content/src/main/java/org/apache/ofbiz/content/data/DataServices.java 
@@ -258,14 +258,14 @@ public class DataServices { } } else if (binData != null) { try { -RandomAccessFile out = new RandomAccessFile(file, "rw"); -out.write(binData.array()); -out.close(); // Check if a webshell is not uploaded if (!org.apache.ofbiz.security.SecuredUpload.isValidFile(file.getAbsolutePath(), "All", delegator)) { String errorMessage = UtilProperties.getMessage("SecurityUiLabels", "SupportedFileFormatsIncludingSvg", locale); return ServiceUtil.returnError(errorMessage); } +RandomAccessFile out = new RandomAccessFile(file, "rw"); +out.write(binData.array()); +out.close(); } catch (FileNotFoundException | ImageReadException e) { Debug.logError(e, module); @@ -458,15 +458,15 @@ public class DataServices { } } else if (binData != null) { try { -RandomAccessFile out = new RandomAccessFile(file, "rw"); -out.setLength(binData.array().length); -out.write(binData.array()); -out.close(); // Check if a webshell is not uploaded if (!org.apache.ofbiz.security.SecuredUpload.isValidFile(file.getAbsolutePath(), "All", delegator)) { String errorMessage = UtilProperties.getMessage("SecurityUiLabels", "SupportedFileFormatsIncludingSvg", locale); return ServiceUtil.returnError(errorMessage); } +RandomAccessFile out = new RandomAccessFile(file, "rw"); +out.setLength(binData.array().length); +out.write(binData.array()); +out.close(); } catch (FileNotFoundException | ImageReadException e) { Debug.logError(e, module); return ServiceUtil.returnError(UtilProperties.getMessage(resource, "ContentUnableToOpenFileForWriting", UtilMisc.toMap("fileName", file.getAbsolutePath()), locale)); diff --git a/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java b/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java index 217b855..459a042 100644 --- a/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java 
+++ b/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java @@ -307,14 +307,14 @@ public class FrameImage { request.setAttribute("_ERROR_MESSAGE_", "There is an existing frame, please select from the existing frame."); return "error"; } -RandomAccessFile out = new RandomAccessFile(file, "rw"); -out.write(imageData.array()); -out.close(); if (!org.apache.ofbiz.security.SecuredUpload.isValidFile(file.getAbsolutePath(), "Image", delegator)) { String errorMessage = UtilProperties.getMessage("SecurityUiLabels", "SupportedFileFormatsIncludingSvg", locale); request.setAttribute("_ERROR_MESSAGE_",
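Review bot: same ordering concern as in the release17.12 backport of this commit (1b907b0): `isValidFile` receives `file.getAbsolutePath()` before the bytes are written, so its content parsing cannot inspect the upload and only the extension check is effective. Validate a temporary copy or the in-memory buffer, then perform the final write.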
[ofbiz-framework] branch trunk updated: Fixed: CVE-2021-37608 vulnerability bypass (OFBIZ-12307)
This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git The following commit(s) were added to refs/heads/trunk by this push: new 9ea7c6d Fixed: CVE-2021-37608 vulnerability bypass (OFBIZ-12307) 9ea7c6d is described below commit 9ea7c6d52456e8a0b721d4c23a13e5c843f07658 Author: Jacques Le Roux AuthorDate: Fri Sep 3 16:46:36 2021 +0200 Fixed: CVE-2021-37608 vulnerability bypass (OFBIZ-12307) Safer completing solution as recommended by weinull orz Previous commit was OK, but better be safe than sorry ;) Also forgot to commit the DENIEDFILEEXTENSIONS checkstyle change last time Thanks: weinull orz for the right suggestion (done 2021-08-13) --- .../org/apache/ofbiz/content/data/DataServices.java | 14 +++--- .../ofbiz/product/imagemanagement/FrameImage.java| 6 +++--- .../imagemanagement/ImageManagementServices.java | 20 +--- .../ofbiz/product/product/ProductServices.java | 13 ++--- .../org/apache/ofbiz/security/SecuredUpload.java | 4 ++-- 5 files changed, 27 insertions(+), 30 deletions(-) diff --git a/applications/content/src/main/java/org/apache/ofbiz/content/data/DataServices.java b/applications/content/src/main/java/org/apache/ofbiz/content/data/DataServices.java index f63c1b3..8589096 100644 --- a/applications/content/src/main/java/org/apache/ofbiz/content/data/DataServices.java +++ b/applications/content/src/main/java/org/apache/ofbiz/content/data/DataServices.java 
@@ -262,14 +262,14 @@ public class DataServices { } } else if (binData != null) { try { -RandomAccessFile out = new RandomAccessFile(file, "rw"); -out.write(binData.array()); -out.close(); // Check if a webshell is not uploaded if (!org.apache.ofbiz.security.SecuredUpload.isValidFile(file.getAbsolutePath(), "All", delegator)) { String errorMessage = UtilProperties.getMessage("SecurityUiLabels", "SupportedFileFormatsIncludingSvg", locale); return ServiceUtil.returnError(errorMessage); } +RandomAccessFile out = new RandomAccessFile(file, "rw"); +out.write(binData.array()); +out.close(); } catch (FileNotFoundException | ImageReadException e) { Debug.logError(e, MODULE); @@ -465,15 +465,15 @@ public class DataServices { } } else if (binData != null) { try { -RandomAccessFile out = new RandomAccessFile(file, "rw"); -out.setLength(binData.array().length); -out.write(binData.array()); -out.close(); // Check if a webshell is not uploaded if (!org.apache.ofbiz.security.SecuredUpload.isValidFile(file.getAbsolutePath(), "All", delegator)) { String errorMessage = UtilProperties.getMessage("SecurityUiLabels", "SupportedFileFormatsIncludingSvg", locale); return ServiceUtil.returnError(errorMessage); } +RandomAccessFile out = new RandomAccessFile(file, "rw"); +out.setLength(binData.array().length); +out.write(binData.array()); +out.close(); } catch (FileNotFoundException | ImageReadException e) { Debug.logError(e, MODULE); return ServiceUtil.returnError(UtilProperties.getMessage(RESOURCE, "ContentUnableToOpenFileForWriting", diff --git a/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java b/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java index 3a9beed..6d9a86b 100644 --- a/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java +++ b/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java 
@@ -315,14 +315,14 @@ public class FrameImage { request.setAttribute("_ERROR_MESSAGE_", "There is an existing frame, please select from the existing frame."); return "error"; } -RandomAccessFile out = new RandomAccessFile(file, "rw"); -out.write(imageData.array()); -out.close(); if (!org.apache.ofbiz.security.SecuredUpload.isValidFile(file.getAbsolutePath(), "Image", delegator)) { String errorMessage = UtilProperties.getMessage("SecurityUiLabels", "SupportedFileFormatsIncludingSvg", locale); request.setAttribute("_ERROR_MESSAGE_", errorMessage); return "error"; } +
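Review bot: on trunk too, moving the `RandomAccessFile` write after `isValidFile(file.getAbsolutePath(), ...)` means the validator sees a path with no new content, so only the name-based extension check can reject the upload; the content parsers the `ImageReadException` catch exists for never see the bytes. Write to a temporary file (or validate the buffer), check, then move into place, and add a test that uploads script bytes under an allowed extension to prove the content check still fires after this reorder.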
buildbot failure in on ofbizTrunkFramework
The Buildbot has detected a new failure on builder ofbizTrunkFramework while building ofbiz-framework. Full details are available at: https://ci.apache.org/builders/ofbizTrunkFramework/builds/2292 Buildbot URL: https://ci.apache.org/ Buildslave for this Build: asf947_ubuntu Build Reason: The AnyBranchScheduler scheduler named 'onTrunkFrameworkCommit' triggered this build Build Source Stamp: [branch trunk] 3bfb03eaad921dbe26907b7e7742f432d2f9577f Blamelist: Jacques Le Roux BUILD FAILED: failed testIntegration Sincerely, -The Buildbot
[ofbiz-framework] branch trunk updated: Fixed: CVE-2021-37608 vulnerability bypass (OFBIZ-12307)
This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git The following commit(s) were added to refs/heads/trunk by this push: new 3bfb03e Fixed: CVE-2021-37608 vulnerability bypass (OFBIZ-12307) 3bfb03e is described below commit 3bfb03eaad921dbe26907b7e7742f432d2f9577f Author: Jacques Le Roux AuthorDate: Fri Sep 3 13:47:15 2021 +0200 Fixed: CVE-2021-37608 vulnerability bypass (OFBIZ-12307) The fix I did is twofold: filters extensions (thanks to Zhujie's suggestion of a list of extensions to ban) deletes bad files at the right place (thanks to thiscodecc's report) Thanks: thiscodecc for the security report --- framework/security/config/security.properties | 6 ++- .../org/apache/ofbiz/security/SecuredUpload.java | 55 +- 2 files changed, 47 insertions(+), 14 deletions(-) diff --git a/framework/security/config/security.properties b/framework/security/config/security.properties index 00d1e6f..edc5d4c 100644 --- a/framework/security/config/security.properties +++ b/framework/security/config/security.properties @@ -201,7 +201,7 @@ csrf.defense.strategy= templateClassResolver= -#-- UPLOAD: supported file formats are *safe* PNG, GIF, TIFF, JPEG, PDF, Audio and Video and ZIP +#-- = UPLOAD: supported file formats are *safe* PNG, GIF, TIFF, JPEG, PDF, Audio and Video and ZIP #-- #-- No proprietary file formats (Excel, Word, etc.) are handled OOTB. #-- They can be handled by custom projects using https://github.com/righettod/document-upload-protection: 
@@ -224,6 +224,10 @@ templateClassResolver= #-- For text files, the philosophy is we can't presume of all possible text contents used for attacks with payloads #-- At least there is an easy way to prevent them in SecuredUpload::isValidTextFile #-- +#-- List of denied files suffixes to be uploaded +#-- OFBiz of course also check contents... +deniedFileExtensions=html,htm,php,php2,hph3,php4,php5,asp,aspx,ascx,jsp,jspx,cfm,cfc,bat,exe,com,dll,vbs,js,reg,cgi,htaccess,asis,sh,phtm,shtm,inc,asp,cdx,asa,cer,py,pl,shtml,hta,ps1 +#-- #-- The upload vulnerability is only a post-auth (needs a credential with suitable permissions), #-- people may like to allow more than what is allowed OOTB #-- As it name says, allowAllUploads opens all possibilities diff --git a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java index 2c7913c..812aa71 100644 --- a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java +++ b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java @@ -38,6 +38,7 @@ import java.util.Collection; import java.util.HashMap; import java.util.HashSet; import java.util.Iterator; +import java.util.LinkedList; import java.util.List; import java.util.Set; import java.util.UUID; 
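Review bot: in the `deniedFileExtensions` value, `hph3` is a typo for `php3` and `asp` appears twice; `phtml` and `phar` are also missing even though `phtm` is listed. More fundamentally, the comment block just above already states that only PNG, GIF, TIFF, JPEG, PDF, audio, video and ZIP are supported, so an allow list of those extensions would be the stronger default, with `allowAllUploads` as the documented escape hatch; a deny list is only as good as its last entry. The comment `OFBiz of course also check contents` should read `checks`.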
@@ -60,8 +61,12 @@ import org.apache.commons.imaging.formats.jpeg.JpegImageParser; import org.apache.commons.imaging.formats.png.PngImageParser; import org.apache.commons.imaging.formats.tiff.TiffImageParser; import org.apache.commons.io.FileUtils; +import org.apache.commons.io.FilenameUtils; import org.apache.ofbiz.base.util.Debug; import org.apache.ofbiz.base.util.FileUtil; +import org.apache.ofbiz.base.util.StringUtil; +import org.apache.ofbiz.base.util.UtilProperties; +import org.apache.ofbiz.base.util.UtilValidate; import org.apache.ofbiz.entity.Delegator; import org.apache.ofbiz.entity.util.EntityUtilProperties; import org.apache.pdfbox.pdmodel.PDDocument; @@ -91,6 +96,7 @@ public class SecuredUpload { // Line #-- UPLOAD: supported file formats are *safe* PNG, GIF, TIFF, JPEG, PDF, Audio and Video and ZIP private static final String MODULE = SecuredUpload.class.getName(); +private static final List deniedFileExtensions = deniedFileExtensions(); /** * @param fileToCheck @@ -107,28 +113,33 @@ public class SecuredUpload { String imageServerUrl = EntityUtilProperties.getPropertyValue("catalog", "image.management.url", delegator); Path p = Paths.get(fileToCheck); -String file = p.getFileName().toString(); +String fileName = p.getFileName().toString(); // The file name is the farthest element from the root in the directory hierarchy. boolean wrongFile = true; + +if (deniedFileExtensions.contains(FilenameUtils.getExtension(fileToCheck))) { +Debug.logError("This file extension is not allowed for security reason", MODULE); +deleteBadFile(fileToCheck); +return false; +} + if (org.apache.commons.lang3.SystemUtils.IS_OS_WINDOWS) { -if (fileToCheck.length() > 259) { +if (fileToCheck.length() < 259) { Debug.logError("Uploaded file name too
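Review bot: the Windows branch flips `if (fileToCheck.length() > 259)` to `< 259` while keeping the "Uploaded file name too long" error underneath, so every path shorter than 259 characters would now be rejected on Windows and over-long ones would pass; this looks inverted and needs a unit test on both sides of the limit. Separately, `deniedFileExtensions.contains(FilenameUtils.getExtension(fileToCheck))` is case-sensitive and looks only at the last suffix, so `shell.PHP` is not caught and `shell.php.png` is treated as a PNG; lower-case the extension before the lookup and, if a front-end may map handlers on inner segments, check every dotted segment of the base name. The early `deleteBadFile(fileToCheck)` on a denied extension is the right place for it. Minor: `private static final List deniedFileExtensions` is a raw type and, as a constant, should be `List<String> DENIED_FILE_EXTENSIONS` (the follow-up commit mentions this checkstyle change).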
[ofbiz-framework] branch release18.12 updated: Fixed: CVE-2021-37608 vulnerability bypass (OFBIZ-12307)
This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release18.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git The following commit(s) were added to refs/heads/release18.12 by this push: new d0b4f2d Fixed: CVE-2021-37608 vulnerability bypass (OFBIZ-12307) d0b4f2d is described below commit d0b4f2d164382c631ad69ce50678e0087dc2c287 Author: Jacques Le Roux AuthorDate: Fri Sep 3 13:47:15 2021 +0200 Fixed: CVE-2021-37608 vulnerability bypass (OFBIZ-12307) The fix I did is twofold: filters extensions (thanks to Zhujie's suggestion of a list of extensions to ban) deletes bad files at the right place (thanks to thiscodecc's report) Thanks: thiscodecc for the security report --- framework/security/config/security.properties | 6 ++- .../org/apache/ofbiz/security/SecuredUpload.java | 55 +- 2 files changed, 47 insertions(+), 14 deletions(-) diff --git a/framework/security/config/security.properties b/framework/security/config/security.properties index 6bbdda1..bd45b9f 100644 --- a/framework/security/config/security.properties +++ b/framework/security/config/security.properties @@ -168,7 +168,7 @@ SameSiteCookieAttribute= templateClassResolver= -#-- UPLOAD: supported file formats are *safe* PNG, GIF, TIFF, JPEG, PDF, Audio and Video and ZIP +#-- = UPLOAD: supported file formats are *safe* PNG, GIF, TIFF, JPEG, PDF, Audio and Video and ZIP #-- #-- No proprietary file formats (Excel, Word, etc.) are handled OOTB. #-- They can be handled by custom projects using https://github.com/righettod/document-upload-protection: 
@@ -191,6 +191,10 @@ templateClassResolver= #-- For text files, the philosophy is we can't presume of all possible text contents used for attacks with payloads #-- At least there is an easy way to prevent them in SecuredUpload::isValidTextFile #-- +#-- List of denied files suffixes to be uploaded +#-- OFBiz of course also check contents... +deniedFileExtensions=html,htm,php,php2,hph3,php4,php5,asp,aspx,ascx,jsp,jspx,cfm,cfc,bat,exe,com,dll,vbs,js,reg,cgi,htaccess,asis,sh,phtm,shtm,inc,asp,cdx,asa,cer,py,pl,shtml,hta,ps1 +#-- #-- The upload vulnerability is only a post-auth (needs a credential with suitable permissions), #-- people may like to allow more than what is allowed OOTB #-- As it name says, allowAllUploads opens all possibilities diff --git a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java index 3dfdcc8..59ef0fe 100644 --- a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java +++ b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java @@ -38,6 +38,7 @@ import java.util.Collection; import java.util.HashMap; import java.util.HashSet; import java.util.Iterator; +import java.util.LinkedList; import java.util.List; import java.util.Set; import java.util.UUID; 
@@ -60,8 +61,12 @@ import org.apache.commons.imaging.formats.jpeg.JpegImageParser; import org.apache.commons.imaging.formats.png.PngImageParser; import org.apache.commons.imaging.formats.tiff.TiffImageParser; import org.apache.commons.io.FileUtils; +import org.apache.commons.io.FilenameUtils; import org.apache.ofbiz.base.util.Debug; import org.apache.ofbiz.base.util.FileUtil; +import org.apache.ofbiz.base.util.StringUtil; +import org.apache.ofbiz.base.util.UtilProperties; +import org.apache.ofbiz.base.util.UtilValidate; import org.apache.ofbiz.entity.Delegator; import org.apache.ofbiz.entity.util.EntityUtilProperties; import org.apache.pdfbox.pdmodel.PDDocument; @@ -91,6 +96,7 @@ public class SecuredUpload { // Line #-- UPLOAD: supported file formats are *safe* PNG, GIF, TIFF, JPEG, PDF, Audio and Video and ZIP private static final String MODULE = SecuredUpload.class.getName(); +private static final List deniedFileExtensions = deniedFileExtensions(); /** * @param fileToCheck @@ -107,28 +113,33 @@ public class SecuredUpload { String imageServerUrl = EntityUtilProperties.getPropertyValue("catalog", "image.management.url", delegator); Path p = Paths.get(fileToCheck); -String file = p.getFileName().toString(); +String fileName = p.getFileName().toString(); // The file name is the farthest element from the root in the directory hierarchy. boolean wrongFile = true; + +if (deniedFileExtensions.contains(FilenameUtils.getExtension(fileToCheck))) { +Debug.logError("This file extension is not allowed for security reason", MODULE); +deleteBadFile(fileToCheck); +return false; +} + if (org.apache.commons.lang3.SystemUtils.IS_OS_WINDOWS) { -if (fileToCheck.length() > 259) { +if (fileToCheck.length() < 259) { Debug.logError("Uploaded
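Review bot: this release18.12 backport carries the same issues as the trunk commit 3bfb03e: the inverted `fileToCheck.length() < 259` Windows check paired with the "too long" error, the case-sensitive `contains(FilenameUtils.getExtension(...))` lookup that misses `shell.PHP`, and the `hph3`/duplicate `asp` entries in `deniedFileExtensions`. Please fix on trunk and re-backport rather than diverging.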
[ofbiz-framework] branch release17.12 updated: Fixed: CVE-2021-37608 vulnerability bypass (OFBIZ-12307)
This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release17.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git The following commit(s) were added to refs/heads/release17.12 by this push: new dfd71bf Fixed: CVE-2021-37608 vulnerability bypass (OFBIZ-12307) dfd71bf is described below commit dfd71bf7dd552a7cdc287bcb6e2da30cee4cd093 Author: Jacques Le Roux AuthorDate: Fri Sep 3 13:47:15 2021 +0200 Fixed: CVE-2021-37608 vulnerability bypass (OFBIZ-12307) The fix I did is twofold: filters extensions (thanks to Zhujie's suggestion of a list of extensions to ban) deletes bad files at the right place (thanks to thiscodecc's report) Thanks: thiscodecc for the security report --- framework/security/config/security.properties | 6 ++- .../org/apache/ofbiz/security/SecuredUpload.java | 55 +- 2 files changed, 47 insertions(+), 14 deletions(-) diff --git a/framework/security/config/security.properties b/framework/security/config/security.properties index c19ccc6..c0ff597 100644 --- a/framework/security/config/security.properties +++ b/framework/security/config/security.properties @@ -151,7 +151,7 @@ SameSiteCookieAttribute= templateClassResolver= -#-- UPLOAD: supported file formats are *safe* PNG, GIF, TIFF, JPEG, PDF, Audio and Video and ZIP +#-- = UPLOAD: supported file formats are *safe* PNG, GIF, TIFF, JPEG, PDF, Audio and Video and ZIP #-- #-- No proprietary file formats (Excel, Word, etc.) are handled OOTB. #-- They can be handled by custom projects using https://github.com/righettod/document-upload-protection: 
@@ -174,6 +174,10 @@ templateClassResolver= #-- For text files, the philosophy is we can't presume of all possible text contents used for attacks with payloads #-- At least there is an easy way to prevent them in SecuredUpload::isValidTextFile #-- +#-- List of denied files suffixes to be uploaded +#-- OFBiz of course also check contents... +deniedFileExtensions=html,htm,php,php2,hph3,php4,php5,asp,aspx,ascx,jsp,jspx,cfm,cfc,bat,exe,com,dll,vbs,js,reg,cgi,htaccess,asis,sh,phtm,shtm,inc,asp,cdx,asa,cer,py,pl,shtml,hta,ps1 +#-- #-- The upload vulnerability is only a post-auth (needs a credential with suitable permissions), #-- people may like to allow more than what is allowed OOTB #-- As it name says, allowAllUploads opens all possibilities diff --git a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java index 3dfdcc8..59ef0fe 100644 --- a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java +++ b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java @@ -38,6 +38,7 @@ import java.util.Collection; import java.util.HashMap; import java.util.HashSet; import java.util.Iterator; +import java.util.LinkedList; import java.util.List; import java.util.Set; import java.util.UUID; 
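Review bot: in the `deniedFileExtensions=` line of the security.properties hunk, the entry `hph3` reads as a typo for `php3` (its neighbours are `php2`, `php4`, `php5`), and `asp` appears twice; fix the typo and drop the duplicate so the deny list covers the suffix it was meant to. The comment line `#-- OFBiz of course also check contents...` should read `checks`, and it is worth stating there that the list is only a first filter, since the content validation the comment alludes to remains the real control.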
@@ -60,8 +61,12 @@ import org.apache.commons.imaging.formats.jpeg.JpegImageParser; import org.apache.commons.imaging.formats.png.PngImageParser; import org.apache.commons.imaging.formats.tiff.TiffImageParser; import org.apache.commons.io.FileUtils; +import org.apache.commons.io.FilenameUtils; import org.apache.ofbiz.base.util.Debug; import org.apache.ofbiz.base.util.FileUtil; +import org.apache.ofbiz.base.util.StringUtil; +import org.apache.ofbiz.base.util.UtilProperties; +import org.apache.ofbiz.base.util.UtilValidate; import org.apache.ofbiz.entity.Delegator; import org.apache.ofbiz.entity.util.EntityUtilProperties; import org.apache.pdfbox.pdmodel.PDDocument; @@ -91,6 +96,7 @@ public class SecuredUpload { // Line #-- UPLOAD: supported file formats are *safe* PNG, GIF, TIFF, JPEG, PDF, Audio and Video and ZIP private static final String MODULE = SecuredUpload.class.getName(); +private static final List deniedFileExtensions = deniedFileExtensions(); /** * @param fileToCheck @@ -107,28 +113,33 @@ public class SecuredUpload { String imageServerUrl = EntityUtilProperties.getPropertyValue("catalog", "image.management.url", delegator); Path p = Paths.get(fileToCheck); -String file = p.getFileName().toString(); +String fileName = p.getFileName().toString(); // The file name is the farthest element from the root in the directory hierarchy. boolean wrongFile = true; + +if (deniedFileExtensions.contains(FilenameUtils.getExtension(fileToCheck))) { +Debug.logError("This file extension is not allowed for security reason", MODULE); +deleteBadFile(fileToCheck); +return false; +} + if (org.apache.commons.lang3.SystemUtils.IS_OS_WINDOWS) { -if (fileToCheck.length() > 259) { +if (fileToCheck.length() < 259) { Debug.logError("Uploaded
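Review bot: in the `@@ -91,6 +96,7 @@` hunk, `private static final List deniedFileExtensions = deniedFileExtensions();` uses a raw `List` and a lower-camel name for a constant; declare it as `List<String>` (the later `contains()` compares against the `String` returned by `FilenameUtils.getExtension`) and name it `DENIED_FILE_EXTENSIONS` to match `MODULE` on the preceding line. Because it is initialised by calling `deniedFileExtensions()` at class-load time, any failure reading the property surfaces as an `ExceptionInInitializerError` for the whole `SecuredUpload` class rather than as a rejected upload, which deserves a javadoc sentence on that method.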
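Review bot: in the `@@ -107,28 +113,33 @@` hunk the Windows path-length guard is inverted: `-if (fileToCheck.length() > 259)` becomes `+if (fileToCheck.length() < 259)`, so the `Debug.logError("Uploaded ...` branch now fires for every path shorter than 259 characters, i.e. for ordinary uploads, while an over-long path passes through; restore `> 259`. In the same hunk, `deniedFileExtensions.contains(FilenameUtils.getExtension(fileToCheck))` is a case-sensitive lookup against an all-lowercase list, so the check should lower-case the extension first (`FilenameUtils.getExtension(fileToCheck).toLowerCase(Locale.ROOT)`, with the `java.util.Locale` import added); and since `getExtension` returns only the text after the last dot, a comment should make clear that this is a coarse pre-filter and the content checks that follow are still required.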
[ofbiz-site] branch master updated: Fixes a typo (related to CLC)
This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ofbiz-site.git The following commit(s) were added to refs/heads/master by this push: new 0c4b056 Fixes a typo (related to CLC) 0c4b056 is described below commit 0c4b056bad154bdf229e92d25a78f8c8dba1c4e9 Author: Jacques Le Roux AuthorDate: Fri Sep 3 08:36:11 2021 +0200 Fixes a typo (related to CLC) --- release-notes-13.07.03.html | 2 +- release-notes-16.11.01.html | 2 +- template/page/release-notes-13.07.03.tpl.php | 2 +- template/page/release-notes-16.11.01.tpl.php | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/release-notes-13.07.03.html b/release-notes-13.07.03.html index a6885d5..9996a56 100644 --- a/release-notes-13.07.03.html +++ b/release-notes-13.07.03.html @@ -186,7 +186,7 @@ [[OFBIZ-6683]] - Type-ahead regarding workeffort in AddCommEventWorkEffort throws an error [[OFBIZ-6687]] - org.ofbiz.entity.GenericModelException: Could not find definition for entity name FixedAssetMaintWorkEffort [[OFBIZ-6697]] - CommunicationServices.createAttachmentContent duplicates attachments for existing CommunicationEvents - [[OFBIZ-6706]] - The Widget-style of a menuItem in his link when the menu is selected + [[OFBIZ-6706]] - The Widget-style of a menuItem in its link when the menu is selected [[OFBIZ-6707] ] - WebtoolsUiLabels went missing [[OFBIZ-6708]] - Missing userLogin error on party profile screen when 1st content is non public [[OFBIZ-6725]] - Best Selling Products section in main order page takes into account cancelled orders diff --git a/release-notes-16.11.01.html b/release-notes-16.11.01.html index ee7dc44..89051f6 100644 --- a/release-notes-16.11.01.html +++ b/release-notes-16.11.01.html 
@@ -344,7 +344,7 @@ [OFBIZ-6687] - org.ofbiz.entity.GenericModelException: Could not find definition for entity name FixedAssetMaintWorkEffort [OFBIZ-6698] - sendCommEventAsEmail does not filter CommEventContentAssoc [OFBIZ-6703] - Cannot create more than one lead in the SFA component by same user -[OFBIZ-6706] - The Widget-style of a menuItem in his link when the menu is selected +[OFBIZ-6706] - The Widget-style of a menuItem in its link when the menu is selected [OFBIZ-6707] - WebtoolsUiLabels went missing [OFBIZ-6708] - Missing userLogin error on party profile screen when 1st content is non public [OFBIZ-6725] - Best Selling Products section in main order page takes into account cancelled orders diff --git a/template/page/release-notes-13.07.03.tpl.php b/template/page/release-notes-13.07.03.tpl.php index 12542b9..c3ca6f0 100644 --- a/template/page/release-notes-13.07.03.tpl.php +++ b/template/page/release-notes-13.07.03.tpl.php @@ -75,7 +75,7 @@ [[OFBIZ-6683]] - Type-ahead regarding workeffort in AddCommEventWorkEffort throws an error [[OFBIZ-6687]] - org.ofbiz.entity.GenericModelException: Could not find definition for entity name FixedAssetMaintWorkEffort [[OFBIZ-6697]] - CommunicationServices.createAttachmentContent duplicates attachments for existing CommunicationEvents - [[OFBIZ-6706]] - The Widget-style of a menuItem in his link when the menu is selected + [[OFBIZ-6706]] - The Widget-style of a menuItem in its link when the menu is selected [[OFBIZ-6707] ] - WebtoolsUiLabels went missing [[OFBIZ-6708]] - Missing userLogin error on party profile screen when 1st content is non public [[OFBIZ-6725]] - Best Selling Products section in main order page takes into account cancelled orders diff --git a/template/page/release-notes-16.11.01.tpl.php b/template/page/release-notes-16.11.01.tpl.php index 8dfaf48..4d2234d 100644 --- a/template/page/release-notes-16.11.01.tpl.php +++ b/template/page/release-notes-16.11.01.tpl.php 
@@ -233,7 +233,7 @@ [OFBIZ-6687] - org.ofbiz.entity.GenericModelException: Could not find definition for entity name FixedAssetMaintWorkEffort [OFBIZ-6698] - sendCommEventAsEmail does not filter CommEventContentAssoc [OFBIZ-6703] - Cannot create more than one lead in the SFA component by same user -[OFBIZ-6706] - The Widget-style of a menuItem in his link when the menu is selected +[OFBIZ-6706] - The Widget-style of a menuItem in its link when the menu is selected [OFBIZ-6707] - WebtoolsUiLabels went missing [OFBIZ-6708] - Missing userLogin error on party profile screen when 1st content is non public [OFBIZ-6725] - Best Selling Products section in main order page takes into account cancelled orders