buildbot success in on ofbizTrunkFrameworkPlugins

2021-09-03 Thread buildbot
The Buildbot has detected a restored build on builder 
ofbizTrunkFrameworkPlugins while building ofbiz-framework. Full details are 
available at:
https://ci.apache.org/builders/ofbizTrunkFrameworkPlugins/builds/2197

Buildbot URL: https://ci.apache.org/

Buildslave for this Build: asf947_ubuntu

Build Reason: downstream
Build Source Stamp: [branch trunk] a83faaf15af5054d6a8997b8b6810aa4da49b504
Blamelist: Nicolas Malin 

Build succeeded!

Sincerely,
 -The Buildbot





[ofbiz-framework] branch trunk updated: Fixed: Rendering widget screen from ftl with the current context : java doc generation error (OFBIZ-12310)

2021-09-03 Thread nmalin
This is an automated email from the ASF dual-hosted git repository.

nmalin pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/trunk by this push:
 new a83faaf  Fixed: Rendering widget screen from ftl with the current 
context : java doc generation error (OFBIZ-12310)
a83faaf is described below

commit a83faaf15af5054d6a8997b8b6810aa4da49b504
Author: Nicolas Malin 
AuthorDate: Fri Sep 3 20:59:52 2021 +0200

Fixed: Rendering widget screen from ftl with the current context : java doc 
generation error (OFBIZ-12310)

Corrects the previous commit, which had an invalid character in the javadoc.
---
 .../main/java/org/apache/ofbiz/webapp/ftl/OfbizScreenTransform.java | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git 
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/ftl/OfbizScreenTransform.java
 
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/ftl/OfbizScreenTransform.java
index 977d593..6ec47c8 100644
--- 
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/ftl/OfbizScreenTransform.java
+++ 
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/ftl/OfbizScreenTransform.java
@@ -47,16 +47,16 @@ import org.xml.sax.SAXException;
  * OfbizScreenTransform - Freemarker Transform to display a screen by is 
location and name
  *
  * You can call a Ofbiz screen with the ftl context with simple macro
- *
<@ofbizScreen>component://mycomponent/widget/MyComponentScreens.xml#MyScreen
+ *
ofbizScreencomponent://mycomponent/widget/MyComponentScreens.xml#MyScreen/ofbizScreen
  *
  * You can also write
- *<@ofbizScreen 
location="component://mycomponent/widget/MyComponentScreens.xml" 
name="MyScreen"/>
+ *ofbizScreen 
location="component://mycomponent/widget/MyComponentScreens.xml" 
name="MyScreen"/
  *
  * Or set a default location on your context
  *action :
  *context.defaultTemplateLocation = 
"component://mycomponent/widget/MyComponentScreens.xml"
  *widget :
- *<@ofbizScreen>MyScreen
+ *ofbizScreenMyScreen/ofbizScreen
  *
  */
 public class OfbizScreenTransform implements TemplateTransformModel {
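Review bot: the fix removes the `<@`, `>` and `</@` characters from the javadoc examples instead of escaping them, so the rendered lines (`ofbizScreencomponent://mycomponent/widget/MyComponentScreens.xml#MyScreen/ofbizScreen`, `ofbizScreen location="..." name="MyScreen"/`) no longer show valid FreeMarker syntax and cannot be copied by a reader. Wrap each example in `{@code ...}` or write the brackets as `&lt;` and `&gt;`; both keep the javadoc tool from failing while preserving the macro syntax. While here, the context line "display a screen by is location and name" should read "by its location and name".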


buildbot exception in on ofbizTrunkFrameworkPlugins

2021-09-03 Thread buildbot
The Buildbot has detected a build exception on builder 
ofbizTrunkFrameworkPlugins while building ofbiz-framework. Full details are 
available at:
https://ci.apache.org/builders/ofbizTrunkFrameworkPlugins/builds/2196

Buildbot URL: https://ci.apache.org/

Buildslave for this Build: asf945_ubuntu

Build Reason: downstream
Build Source Stamp: [branch trunk] 26a9dc73366a3f37a716d7d7e54b378a3ac2fc4d
Blamelist: Nicolas Malin 

BUILD FAILED: exception javadoc upload test-results part 1

Sincerely,
 -The Buildbot





[ofbiz-framework] branch trunk updated: Implemented: Rendering widget screen from ftl with the current context (OFBIZ-12310)

2021-09-03 Thread nmalin
This is an automated email from the ASF dual-hosted git repository.

nmalin pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/trunk by this push:
 new 26a9dc7  Implemented: Rendering widget screen from ftl with the 
current context (OFBIZ-12310)
26a9dc7 is described below

commit 26a9dc73366a3f37a716d7d7e54b378a3ac2fc4d
Author: Nicolas Malin 
AuthorDate: Fri Sep 3 18:29:48 2021 +0200

Implemented: Rendering widget screen from ftl with the current context 
(OFBIZ-12310)

Currently, when you want to render a widget screen from an ftl template,
you can use a screen element present on the context to call the renderer:

${screens.render("component://common/widget/CommonScreens.xml#countries")}

This rendering is realized with the context present when the screen object
was initialized.
To simplify the screen call from a freemarker template, I implemented a new
macro, ofbizScreen.
You can call an Ofbiz screen with the ftl context with a simple macro:

<@ofbizScreen>component://mycomponent/widget/MyComponentScreens.xml#MyScreen</@ofbizScreen>

You can also write

<@ofbizScreen location="component://mycomponent/widget/MyComponentScreens.xml" name="MyScreen"/>

Or set a default location on your context
action :
context.defaultTemplateLocation = "component://mycomponent/widget/MyComponentScreens.xml"
widget :
<@ofbizScreen>MyScreen</@ofbizScreen>

When the screen is called, the context used to render the screen is the
current context:

<#list contactMechs as contactMech>
  <#assign contactMechId = contactMech.contactMechId/>
  <@ofbizScreen>component://mycomponent/widget/MyComponentScreens.xml#DisplayContactMech</@ofbizScreen>
</#list>

---
 .../party/template/party/EditContactMech.ftl   |   4 +-
 .../ofbiz/webapp/ftl/OfbizScreenTransform.java | 149 +
 .../ofbiz/webapp/freemarkerTransforms.properties   |   1 +
 3 files changed, 152 insertions(+), 2 deletions(-)

diff --git a/applications/party/template/party/EditContactMech.ftl 
b/applications/party/template/party/EditContactMech.ftl
index 53a4fcd..f418ab3 100644
--- a/applications/party/template/party/EditContactMech.ftl
+++ b/applications/party/template/party/EditContactMech.ftl
@@ -165,14 +165,14 @@ under the License.
   

 
-  
${screens.render("component://common/widget/CommonScreens.xml#countries")}
   <#if (mechMap.postalAddress??) && 
(mechMap.postalAddress.countryGeoId??)>
 <#assign defaultCountryGeoId = mechMap.postalAddress.countryGeoId>
   <#else>
<#assign defaultCountryGeoId = 
Static["org.apache.ofbiz.entity.util.EntityUtilProperties"].getPropertyValue("general",
 "country.geo.id.default", delegator)>
   
+  <@ofbizScreen>countries
   
-<#assign countryGeo = 
delegator.findOne("Geo",Static["org.apache.ofbiz.base.util.UtilMisc"].toMap("geoId",defaultCountryGeoId),
 false)>
+<#assign countryGeo = delegator.findOne("Geo", {"geoId": 
defaultCountryGeoId}, false)>
 ${countryGeo.get("geoName",locale)}
   
 
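Review bot: `<@ofbizScreen>countries` names the screen without a `location=`, so it only resolves if the request's screen action has already put `context.defaultTemplateLocation = "component://common/widget/CommonScreens.xml"` into the context; nothing in this hunk shows that, whereas the removed `${screens.render("component://common/widget/CommonScreens.xml#countries")}` line was explicit. Either pass `location="component://common/widget/CommonScreens.xml"` here or point to the action that sets the default, so the template keeps working when rendered from another request. The `delegator.findOne("Geo", {"geoId": defaultCountryGeoId}, false)` rewrite is fine.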
diff --git 
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/ftl/OfbizScreenTransform.java
 
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/ftl/OfbizScreenTransform.java
new file mode 100644
index 000..977d593
--- /dev/null
+++ 
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/ftl/OfbizScreenTransform.java
@@ -0,0 +1,149 @@
+/***
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ 
***/
+package org.apache.ofbiz.webapp.ftl;
+
+import freemarker.core.Environment;
+import freemarker.ext.beans.BeanModel;
+import freemarker.template.TemplateException;
+import freemarker.template.TemplateModelException;
+import freemarker.template.TemplateTransformModel;
+import freemarker.template.TemplateScalarModel;
+import 

[ofbiz-framework] branch release17.12 updated: Fixed: CVE-2021-37608 vulnerability bypass (OFBIZ-12307)

2021-09-03 Thread jleroux
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release17.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release17.12 by this push:
 new 1b907b0  Fixed: CVE-2021-37608 vulnerability bypass (OFBIZ-12307)
1b907b0 is described below

commit 1b907b06e86ee1b6fb73f45e9cc0cbf4b384193c
Author: Jacques Le Roux 
AuthorDate: Fri Sep 3 16:46:36 2021 +0200

Fixed: CVE-2021-37608 vulnerability bypass (OFBIZ-12307)

Safer completing solution as recommended by weinull orz 

Previous commit was OK, but better be safe than sorry ;)

Also forgot to commit the DENIEDFILEEXTENSIONS checkstyle change last time

Thanks: weinull orz for the right suggestion (done 2021-08-13)
---
 .../org/apache/ofbiz/content/data/DataServices.java  | 14 +++---
 .../ofbiz/product/imagemanagement/FrameImage.java|  6 +++---
 .../imagemanagement/ImageManagementServices.java | 20 +---
 .../ofbiz/product/product/ProductServices.java   | 13 ++---
 .../org/apache/ofbiz/security/SecuredUpload.java |  4 ++--
 5 files changed, 27 insertions(+), 30 deletions(-)

diff --git 
a/applications/content/src/main/java/org/apache/ofbiz/content/data/DataServices.java
 
b/applications/content/src/main/java/org/apache/ofbiz/content/data/DataServices.java
index 2b30528..b6b17df 100644
--- 
a/applications/content/src/main/java/org/apache/ofbiz/content/data/DataServices.java
+++ 
b/applications/content/src/main/java/org/apache/ofbiz/content/data/DataServices.java
@@ -259,14 +259,14 @@ public class DataServices {
 }
 } else if (binData != null) {
 try {
-RandomAccessFile out = new RandomAccessFile(file, "rw");
-out.write(binData.array());
-out.close();
 // Check if a webshell is not uploaded
 if 
(!org.apache.ofbiz.security.SecuredUpload.isValidFile(file.getAbsolutePath(), 
"All", delegator)) {
 String errorMessage = 
UtilProperties.getMessage("SecurityUiLabels", 
"SupportedFileFormatsIncludingSvg", locale);
 return ServiceUtil.returnError(errorMessage);
 }
+RandomAccessFile out = new RandomAccessFile(file, "rw");
+out.write(binData.array());
+out.close();
 
 } catch (FileNotFoundException | ImageReadException e) {
 Debug.logError(e, module);
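Review bot: moving `isValidFile(file.getAbsolutePath(), "All", delegator)` ahead of `out.write(binData.array())` hands the validator a path whose file has not been written yet (or still holds the previous content), so the content inspection the comment promises ("Check if a webshell is not uploaded") cannot see the bytes in `binData`. If only the name and extension checks are meant to run here, say so in the comment; otherwise validate the buffer before it reaches disk, or write, validate and delete on failure. Independently, `out` is never closed when `write` throws; `try (RandomAccessFile out = new RandomAccessFile(file, "rw")) { ... }` fixes that.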
@@ -459,15 +459,15 @@ public class DataServices {
 }
 } else if (binData != null) {
 try {
-RandomAccessFile out = new RandomAccessFile(file, "rw");
-out.setLength(binData.array().length);
-out.write(binData.array());
-out.close();
 // Check if a webshell is not uploaded
 if 
(!org.apache.ofbiz.security.SecuredUpload.isValidFile(file.getAbsolutePath(), 
"All", delegator)) {
 String errorMessage = 
UtilProperties.getMessage("SecurityUiLabels", 
"SupportedFileFormatsIncludingSvg", locale);
 return ServiceUtil.returnError(errorMessage);
 }
+RandomAccessFile out = new RandomAccessFile(file, "rw");
+out.setLength(binData.array().length);
+out.write(binData.array());
+out.close();
 } catch (FileNotFoundException | ImageReadException e) {
 Debug.logError(e, module);
 return 
ServiceUtil.returnError(UtilProperties.getMessage(resource, 
"ContentUnableToOpenFileForWriting", UtilMisc.toMap("fileName", 
file.getAbsolutePath()), locale));
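Review bot: same ordering problem in this second write path: the validity check now precedes `out.setLength(...)` and `out.write(...)`, so it inspects whatever is (or is not) already at `file.getAbsolutePath()` rather than the uploaded `binData`. Prefer try-with-resources here too so the `RandomAccessFile` is released if `write` fails.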
diff --git 
a/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java
 
b/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java
index b84717b..e942586 100644
--- 
a/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java
+++ 
b/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java
@@ -292,14 +292,14 @@ public class FrameImage {
 request.setAttribute("_ERROR_MESSAGE_", "There is an existing 
frame, please select from the existing frame.");
 return "error";
 }
-RandomAccessFile out = new RandomAccessFile(file, "rw");
-out.write(imageData.array());
-out.close();
 if 
(!org.apache.ofbiz.security.SecuredUpload.isValidFile(file.getAbsolutePath(), 
"Image", delegator)) {
 String errorMessage = 
UtilProperties.getMessage("SecurityUiLabels", 
"SupportedFileFormatsIncludingSvg", locale);
 request.setAttribute("_ERROR_MESSAGE_", 
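Review bot: the `"Image"` validation is likewise moved ahead of `out.write(imageData.array())`, so the image parsers that `isValidFile` relies on cannot see the frame bytes at this point; validate `imageData` directly or keep the write-then-validate-then-delete order.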

buildbot success in on ofbizTrunkFramework

2021-09-03 Thread buildbot
The Buildbot has detected a restored build on builder ofbizTrunkFramework while 
building . Full details are available at:
https://ci.apache.org/builders/ofbizTrunkFramework/builds/2293

Buildbot URL: https://ci.apache.org/

Buildslave for this Build: asf947_ubuntu

Build Reason: forced: by IRC user  (privmsg): forces manual build 
after BuildBot error
Build Source Stamp: HEAD
Blamelist: 

Build succeeded!

Sincerely,
 -The Buildbot





[ofbiz-framework] branch release18.12 updated: Fixed: CVE-2021-37608 vulnerability bypass (OFBIZ-12307)

2021-09-03 Thread jleroux
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release18.12 by this push:
 new 4088e0a  Fixed: CVE-2021-37608 vulnerability bypass (OFBIZ-12307)
4088e0a is described below

commit 4088e0a28e5185294337a12b65b80353e49f62e0
Author: Jacques Le Roux 
AuthorDate: Fri Sep 3 16:46:36 2021 +0200

Fixed: CVE-2021-37608 vulnerability bypass (OFBIZ-12307)

Safer completing solution as recommended by weinull orz 

Previous commit was OK, but better be safe than sorry ;)

Also forgot to commit the DENIEDFILEEXTENSIONS checkstyle change last time

Thanks: weinull orz for the right suggestion (done 2021-08-13)
---
 .../org/apache/ofbiz/content/data/DataServices.java  | 14 +++---
 .../ofbiz/product/imagemanagement/FrameImage.java|  6 +++---
 .../imagemanagement/ImageManagementServices.java | 20 +---
 .../ofbiz/product/product/ProductServices.java   | 13 ++---
 .../org/apache/ofbiz/security/SecuredUpload.java |  4 ++--
 5 files changed, 27 insertions(+), 30 deletions(-)

diff --git 
a/applications/content/src/main/java/org/apache/ofbiz/content/data/DataServices.java
 
b/applications/content/src/main/java/org/apache/ofbiz/content/data/DataServices.java
index 14e4113..4b644f4 100644
--- 
a/applications/content/src/main/java/org/apache/ofbiz/content/data/DataServices.java
+++ 
b/applications/content/src/main/java/org/apache/ofbiz/content/data/DataServices.java
@@ -258,14 +258,14 @@ public class DataServices {
 }
 } else if (binData != null) {
 try {
-RandomAccessFile out = new RandomAccessFile(file, "rw");
-out.write(binData.array());
-out.close();
 // Check if a webshell is not uploaded
 if 
(!org.apache.ofbiz.security.SecuredUpload.isValidFile(file.getAbsolutePath(), 
"All", delegator)) {
 String errorMessage = 
UtilProperties.getMessage("SecurityUiLabels", 
"SupportedFileFormatsIncludingSvg", locale);
 return ServiceUtil.returnError(errorMessage);
 }
+RandomAccessFile out = new RandomAccessFile(file, "rw");
+out.write(binData.array());
+out.close();
 
 } catch (FileNotFoundException | ImageReadException e) {
 Debug.logError(e, module);
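Review bot: `isValidFile(file.getAbsolutePath(), "All", delegator)` now runs before `out.write(binData.array())`, so a content check at that path cannot see the uploaded bytes; validate `binData` itself, or write, validate and delete on failure, and close `out` with try-with-resources.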
@@ -458,15 +458,15 @@ public class DataServices {
 }
 } else if (binData != null) {
 try {
-RandomAccessFile out = new RandomAccessFile(file, "rw");
-out.setLength(binData.array().length);
-out.write(binData.array());
-out.close();
 // Check if a webshell is not uploaded
 if 
(!org.apache.ofbiz.security.SecuredUpload.isValidFile(file.getAbsolutePath(), 
"All", delegator)) {
 String errorMessage = 
UtilProperties.getMessage("SecurityUiLabels", 
"SupportedFileFormatsIncludingSvg", locale);
 return ServiceUtil.returnError(errorMessage);
 }
+RandomAccessFile out = new RandomAccessFile(file, "rw");
+out.setLength(binData.array().length);
+out.write(binData.array());
+out.close();
 } catch (FileNotFoundException | ImageReadException e) {
 Debug.logError(e, module);
 return 
ServiceUtil.returnError(UtilProperties.getMessage(resource, 
"ContentUnableToOpenFileForWriting", UtilMisc.toMap("fileName", 
file.getAbsolutePath()), locale));
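Review bot: same ordering issue in this write path: the check precedes `out.setLength(...)`/`out.write(...)`, so it sees the old (or no) file rather than `binData`; `out` also leaks when `write` throws.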
diff --git 
a/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java
 
b/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java
index 217b855..459a042 100644
--- 
a/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java
+++ 
b/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java
@@ -307,14 +307,14 @@ public class FrameImage {
 request.setAttribute("_ERROR_MESSAGE_", "There is an existing 
frame, please select from the existing frame.");
 return "error";
 }
-RandomAccessFile out = new RandomAccessFile(file, "rw");
-out.write(imageData.array());
-out.close();
 if 
(!org.apache.ofbiz.security.SecuredUpload.isValidFile(file.getAbsolutePath(), 
"Image", delegator)) {
 String errorMessage = 
UtilProperties.getMessage("SecurityUiLabels", 
"SupportedFileFormatsIncludingSvg", locale);
 request.setAttribute("_ERROR_MESSAGE_", 
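Review bot: the `"Image"` validation is moved ahead of `out.write(imageData.array())`, so the image parsers inside `isValidFile` cannot see the frame bytes at this point; validate `imageData` directly or keep write-then-validate-then-delete.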

[ofbiz-framework] branch trunk updated: Fixed: CVE-2021-37608 vulnerability bypass (OFBIZ-12307)

2021-09-03 Thread jleroux
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/trunk by this push:
 new 9ea7c6d  Fixed: CVE-2021-37608 vulnerability bypass (OFBIZ-12307)
9ea7c6d is described below

commit 9ea7c6d52456e8a0b721d4c23a13e5c843f07658
Author: Jacques Le Roux 
AuthorDate: Fri Sep 3 16:46:36 2021 +0200

Fixed: CVE-2021-37608 vulnerability bypass (OFBIZ-12307)

Safer completing solution as recommended by weinull orz 

Previous commit was OK, but better be safe than sorry ;)

Also forgot to commit the DENIEDFILEEXTENSIONS checkstyle change last time

Thanks: weinull orz for the right suggestion (done 2021-08-13)
---
 .../org/apache/ofbiz/content/data/DataServices.java  | 14 +++---
 .../ofbiz/product/imagemanagement/FrameImage.java|  6 +++---
 .../imagemanagement/ImageManagementServices.java | 20 +---
 .../ofbiz/product/product/ProductServices.java   | 13 ++---
 .../org/apache/ofbiz/security/SecuredUpload.java |  4 ++--
 5 files changed, 27 insertions(+), 30 deletions(-)

diff --git 
a/applications/content/src/main/java/org/apache/ofbiz/content/data/DataServices.java
 
b/applications/content/src/main/java/org/apache/ofbiz/content/data/DataServices.java
index f63c1b3..8589096 100644
--- 
a/applications/content/src/main/java/org/apache/ofbiz/content/data/DataServices.java
+++ 
b/applications/content/src/main/java/org/apache/ofbiz/content/data/DataServices.java
@@ -262,14 +262,14 @@ public class DataServices {
 }
 } else if (binData != null) {
 try {
-RandomAccessFile out = new RandomAccessFile(file, "rw");
-out.write(binData.array());
-out.close();
 // Check if a webshell is not uploaded
 if 
(!org.apache.ofbiz.security.SecuredUpload.isValidFile(file.getAbsolutePath(), 
"All", delegator)) {
 String errorMessage = 
UtilProperties.getMessage("SecurityUiLabels", 
"SupportedFileFormatsIncludingSvg", locale);
 return ServiceUtil.returnError(errorMessage);
 }
+RandomAccessFile out = new RandomAccessFile(file, "rw");
+out.write(binData.array());
+out.close();
 
 } catch (FileNotFoundException | ImageReadException e) {
 Debug.logError(e, MODULE);
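Review bot: `isValidFile(file.getAbsolutePath(), "All", delegator)` is now called before `out.write(binData.array())`, so a content check at that path cannot see the uploaded bytes; validate `binData` itself, or write, validate and delete on failure (the trunk fix's `deleteBadFile` exists for that), and close `out` with try-with-resources.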
@@ -465,15 +465,15 @@ public class DataServices {
 }
 } else if (binData != null) {
 try {
-RandomAccessFile out = new RandomAccessFile(file, "rw");
-out.setLength(binData.array().length);
-out.write(binData.array());
-out.close();
 // Check if a webshell is not uploaded
 if 
(!org.apache.ofbiz.security.SecuredUpload.isValidFile(file.getAbsolutePath(), 
"All", delegator)) {
 String errorMessage = 
UtilProperties.getMessage("SecurityUiLabels", 
"SupportedFileFormatsIncludingSvg", locale);
 return ServiceUtil.returnError(errorMessage);
 }
+RandomAccessFile out = new RandomAccessFile(file, "rw");
+out.setLength(binData.array().length);
+out.write(binData.array());
+out.close();
 } catch (FileNotFoundException | ImageReadException e) {
 Debug.logError(e, MODULE);
 return 
ServiceUtil.returnError(UtilProperties.getMessage(RESOURCE, 
"ContentUnableToOpenFileForWriting",
diff --git 
a/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java
 
b/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java
index 3a9beed..6d9a86b 100644
--- 
a/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java
+++ 
b/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java
@@ -315,14 +315,14 @@ public class FrameImage {
 request.setAttribute("_ERROR_MESSAGE_", "There is an existing 
frame, please select from the existing frame.");
 return "error";
 }
-RandomAccessFile out = new RandomAccessFile(file, "rw");
-out.write(imageData.array());
-out.close();
 if 
(!org.apache.ofbiz.security.SecuredUpload.isValidFile(file.getAbsolutePath(), 
"Image", delegator)) {
 String errorMessage = 
UtilProperties.getMessage("SecurityUiLabels", 
"SupportedFileFormatsIncludingSvg", locale);
 request.setAttribute("_ERROR_MESSAGE_", errorMessage);
 return "error";
 }
+
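Review bot: the `"Image"` validation is moved ahead of the `out.write(imageData.array())` it used to follow, so the image parsers inside `isValidFile` cannot see the frame bytes at this point; validate `imageData` directly or keep write-then-validate-then-delete.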

buildbot failure in on ofbizTrunkFramework

2021-09-03 Thread buildbot
The Buildbot has detected a new failure on builder ofbizTrunkFramework while 
building ofbiz-framework. Full details are available at:
https://ci.apache.org/builders/ofbizTrunkFramework/builds/2292

Buildbot URL: https://ci.apache.org/

Buildslave for this Build: asf947_ubuntu

Build Reason: The AnyBranchScheduler scheduler named 'onTrunkFrameworkCommit' 
triggered this build
Build Source Stamp: [branch trunk] 3bfb03eaad921dbe26907b7e7742f432d2f9577f
Blamelist: Jacques Le Roux 

BUILD FAILED: failed testIntegration

Sincerely,
 -The Buildbot





[ofbiz-framework] branch trunk updated: Fixed: CVE-2021-37608 vulnerability bypass (OFBIZ-12307)

2021-09-03 Thread jleroux
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/trunk by this push:
 new 3bfb03e  Fixed: CVE-2021-37608 vulnerability bypass (OFBIZ-12307)
3bfb03e is described below

commit 3bfb03eaad921dbe26907b7e7742f432d2f9577f
Author: Jacques Le Roux 
AuthorDate: Fri Sep 3 13:47:15 2021 +0200

Fixed: CVE-2021-37608 vulnerability bypass (OFBIZ-12307)

The fix I did is twofold:
filters extensions (thanks to Zhujie's suggestion of a list of extensions 
to ban)
deletes bad files at the right place (thanks to thiscodecc's report)

Thanks: thiscodecc for the security report
---
 framework/security/config/security.properties  |  6 ++-
 .../org/apache/ofbiz/security/SecuredUpload.java   | 55 +-
 2 files changed, 47 insertions(+), 14 deletions(-)

diff --git a/framework/security/config/security.properties 
b/framework/security/config/security.properties
index 00d1e6f..edc5d4c 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -201,7 +201,7 @@ csrf.defense.strategy=
 templateClassResolver=
 
 
-#-- UPLOAD: supported file formats are *safe* PNG, GIF, TIFF, JPEG, PDF, Audio 
and Video and ZIP
+#-- = UPLOAD: supported file formats are *safe* PNG, GIF, TIFF, JPEG, PDF, 
Audio and Video and ZIP
 #--
 #-- No proprietary file formats (Excel, Word, etc.) are handled OOTB.
 #-- They can be handled by custom projects using  
https://github.com/righettod/document-upload-protection:
@@ -224,6 +224,10 @@ templateClassResolver=
 #-- For text files, the philosophy is we can't presume of all possible text 
contents used for attacks with payloads
 #-- At least there is an easy way to prevent them in 
SecuredUpload::isValidTextFile
 #--
+#-- List of denied files suffixes to be uploaded
+#-- OFBiz of course also check contents...
+deniedFileExtensions=html,htm,php,php2,hph3,php4,php5,asp,aspx,ascx,jsp,jspx,cfm,cfc,bat,exe,com,dll,vbs,js,reg,cgi,htaccess,asis,sh,phtm,shtm,inc,asp,cdx,asa,cer,py,pl,shtml,hta,ps1
+#--
 #-- The upload vulnerability is only a post-auth (needs a credential with 
suitable permissions),
 #-- people may like to allow more than what is allowed OOTB
 #-- As it name says, allowAllUploads opens all possibilities
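Review bot: the `deniedFileExtensions` value contains `hph3`, almost certainly a typo for `php3`, and lists `asp` twice; the typo leaves `.php3` names unblocked. The list is compared verbatim against `FilenameUtils.getExtension(fileToCheck)` in the SecuredUpload hunk below, so case variants such as `.PHP` or `.Jsp` are not matched unless the extension is lower-cased before the lookup; normalise both sides to lower case and note in the comment that only the final suffix is examined. Also "OFBiz of course also check contents" should read "checks".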
diff --git 
a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java 
b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
index 2c7913c..812aa71 100644
--- 
a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
+++ 
b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
@@ -38,6 +38,7 @@ import java.util.Collection;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Iterator;
+import java.util.LinkedList;
 import java.util.List;
 import java.util.Set;
 import java.util.UUID;
@@ -60,8 +61,12 @@ import 
org.apache.commons.imaging.formats.jpeg.JpegImageParser;
 import org.apache.commons.imaging.formats.png.PngImageParser;
 import org.apache.commons.imaging.formats.tiff.TiffImageParser;
 import org.apache.commons.io.FileUtils;
+import org.apache.commons.io.FilenameUtils;
 import org.apache.ofbiz.base.util.Debug;
 import org.apache.ofbiz.base.util.FileUtil;
+import org.apache.ofbiz.base.util.StringUtil;
+import org.apache.ofbiz.base.util.UtilProperties;
+import org.apache.ofbiz.base.util.UtilValidate;
 import org.apache.ofbiz.entity.Delegator;
 import org.apache.ofbiz.entity.util.EntityUtilProperties;
 import org.apache.pdfbox.pdmodel.PDDocument;
@@ -91,6 +96,7 @@ public class SecuredUpload {
 // Line #-- UPLOAD: supported file formats are *safe* PNG, GIF, TIFF, 
JPEG, PDF, Audio and Video and ZIP
 
 private static final String MODULE = SecuredUpload.class.getName();
+private static final List deniedFileExtensions = 
deniedFileExtensions();
 
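Review bot: `deniedFileExtensions` is a `static final` constant, so the project checkstyle expects `DENIEDFILEEXTENSIONS` (the follow-up commit in this thread confirms the rename was intended), and sharing the name with the `deniedFileExtensions()` factory makes the declaration read as recursive. The type appears as a raw `List` in this digest; if that is not a mail-rendering artefact, declare it `List<String>` so `contains` is type-checked against the `String` extension.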
 /**
  * @param fileToCheck
@@ -107,28 +113,33 @@ public class SecuredUpload {
 
 String imageServerUrl = 
EntityUtilProperties.getPropertyValue("catalog", "image.management.url", 
delegator);
 Path p = Paths.get(fileToCheck);
-String file = p.getFileName().toString();
+String fileName = p.getFileName().toString(); // The file name is the 
farthest element from the root in the directory hierarchy.
 boolean wrongFile = true;
+
+if 
(deniedFileExtensions.contains(FilenameUtils.getExtension(fileToCheck))) {
+Debug.logError("This file extension is not allowed for security 
reason", MODULE);
+deleteBadFile(fileToCheck);
+return false;
+}
+
 if (org.apache.commons.lang3.SystemUtils.IS_OS_WINDOWS) {
-if (fileToCheck.length() > 259) {
+if (fileToCheck.length() < 259) {
 Debug.logError("Uploaded file name too 
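Review bot: the Windows length guard is inverted: `if (fileToCheck.length() > 259)` became `if (fileToCheck.length() < 259)` while the body still logs "Uploaded file name too long", so from this commit every path shorter than 259 characters is rejected on Windows and over-long ones pass; restore `>`. Separately, `deniedFileExtensions.contains(FilenameUtils.getExtension(fileToCheck))` is case-sensitive, so lower-case the extension before the lookup to treat `.PHP` like `.php`. Calling `deleteBadFile(fileToCheck)` before returning `false` is the right place for the cleanup.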

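A stand-alone Python model of the extension deny-list this commit adds to SecuredUpload.isValidFile, added here as an example and not OFBiz code: it parses the committed deniedFileExtensions property, reproduces the exact-case, last-suffix lookup the hunk performs, and sets beside it a case-insensitive, every-suffix variant (my hardening, not the project's) plus the Windows length guard with the comparison as it read before the hunk flipped it. All function names are mine; the property value is copied from the security.properties hunk above.

```python
"""Model of the OFBIZ-12307 (CVE-2021-37608) extension deny-list check.
Added example; it mirrors the hunk's logic but is not OFBiz code."""
import os

# Constructed sample: the property line as committed to
# framework/security/config/security.properties in this thread.
SECURITY_PROPERTIES_LINE = (
    "deniedFileExtensions=html,htm,php,php2,hph3,php4,php5,asp,aspx,ascx,jsp,jspx,"
    "cfm,cfc,bat,exe,com,dll,vbs,js,reg,cgi,htaccess,asis,sh,phtm,shtm,inc,asp,cdx,"
    "asa,cer,py,pl,shtml,hta,ps1"
)


def parse_denied_extensions(line: str) -> frozenset[str]:
    """Parse 'deniedFileExtensions=a,b,c' into a normalised set.

    Entries are trimmed, lower-cased and stripped of a leading dot so the
    lookup can be case-insensitive; duplicates (the committed list names
    'asp' twice) collapse into one entry.
    """
    key, sep, value = line.partition("=")
    if not sep or key.strip() != "deniedFileExtensions":
        raise ValueError("expected a deniedFileExtensions=... property line")
    return frozenset(
        ext.strip().lower().lstrip(".") for ext in value.split(",") if ext.strip()
    )


def extension_as_committed(path: str) -> str:
    """Mirror FilenameUtils.getExtension: text after the last dot of the
    file name, case preserved, '' when the name has no dot."""
    name = os.path.basename(path)
    return name.rsplit(".", 1)[1] if "." in name else ""


def is_denied_as_committed(path: str, denied: frozenset[str]) -> bool:
    """The check exactly as in the SecuredUpload hunk: exact-case match on
    the final suffix only (so 'upload.PHP' is not caught)."""
    return extension_as_committed(path) in denied


def is_denied_hardened(path: str, denied: frozenset[str]) -> bool:
    """Goes beyond the committed check (my hardening, not the project's):
    lower-cases the name and tests every dotted suffix, so 'upload.PHP',
    'upload.php.' (Windows silently drops a trailing dot) and
    'upload.php.png' are all rejected, while '.htaccess' is still caught
    through its single suffix."""
    name = os.path.basename(path).lower()
    suffixes = name.split(".")[1:]
    return any(s in denied for s in suffixes)


def windows_name_too_long(path: str, limit: int = 259) -> bool:
    """The length guard with the comparison as it read before the hunk:
    a path is rejected when it exceeds the limit, not when it is shorter."""
    return len(path) > limit


if __name__ == "__main__":
    denied = parse_denied_extensions(SECURITY_PROPERTIES_LINE)
    for sample in ("upload.php", "upload.PHP", "upload.php.png", "photo.png", ".htaccess"):
        print(f"{sample:15} committed={is_denied_as_committed(sample, denied)!s:5} "
              f"hardened={is_denied_hardened(sample, denied)}")
```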
[ofbiz-framework] branch release18.12 updated: Fixed: CVE-2021-37608 vulnerability bypass (OFBIZ-12307)

2021-09-03 Thread jleroux
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release18.12 by this push:
 new d0b4f2d  Fixed: CVE-2021-37608 vulnerability bypass (OFBIZ-12307)
d0b4f2d is described below

commit d0b4f2d164382c631ad69ce50678e0087dc2c287
Author: Jacques Le Roux 
AuthorDate: Fri Sep 3 13:47:15 2021 +0200

Fixed: CVE-2021-37608 vulnerability bypass (OFBIZ-12307)

The fix I did is twofold:
filters extensions (thanks to Zhujie's suggestion of a list of extensions 
to ban)
deletes bad files at the right place (thanks to thiscodecc's report)

Thanks: thiscodecc for the security report
---
 framework/security/config/security.properties  |  6 ++-
 .../org/apache/ofbiz/security/SecuredUpload.java   | 55 +-
 2 files changed, 47 insertions(+), 14 deletions(-)

diff --git a/framework/security/config/security.properties 
b/framework/security/config/security.properties
index 6bbdda1..bd45b9f 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -168,7 +168,7 @@ SameSiteCookieAttribute=
 templateClassResolver=
 
 
-#-- UPLOAD: supported file formats are *safe* PNG, GIF, TIFF, JPEG, PDF, Audio 
and Video and ZIP
+#-- = UPLOAD: supported file formats are *safe* PNG, GIF, TIFF, JPEG, PDF, 
Audio and Video and ZIP
 #--
 #-- No proprietary file formats (Excel, Word, etc.) are handled OOTB.
 #-- They can be handled by custom projects using  
https://github.com/righettod/document-upload-protection:
@@ -191,6 +191,10 @@ templateClassResolver=
 #-- For text files, the philosophy is we can't presume of all possible text 
contents used for attacks with payloads
 #-- At least there is an easy way to prevent them in 
SecuredUpload::isValidTextFile
 #--
+#-- List of denied files suffixes to be uploaded
+#-- OFBiz of course also check contents...
+deniedFileExtensions=html,htm,php,php2,hph3,php4,php5,asp,aspx,ascx,jsp,jspx,cfm,cfc,bat,exe,com,dll,vbs,js,reg,cgi,htaccess,asis,sh,phtm,shtm,inc,asp,cdx,asa,cer,py,pl,shtml,hta,ps1
+#--
 #-- The upload vulnerability is only a post-auth (needs a credential with 
suitable permissions),
 #-- people may like to allow more than what is allowed OOTB
 #-- As it name says, allowAllUploads opens all possibilities
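Review bot: the `deniedFileExtensions` value contains `hph3` (presumably `php3`) and lists `asp` twice, and it is matched verbatim against `FilenameUtils.getExtension(fileToCheck)` in the SecuredUpload hunk below, so lower-case the extension before the lookup or `.PHP`-style names slip through. "OFBiz of course also check contents" should read "checks".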
diff --git 
a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java 
b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
index 3dfdcc8..59ef0fe 100644
--- 
a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
+++ 
b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
@@ -38,6 +38,7 @@ import java.util.Collection;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Iterator;
+import java.util.LinkedList;
 import java.util.List;
 import java.util.Set;
 import java.util.UUID;
@@ -60,8 +61,12 @@ import 
org.apache.commons.imaging.formats.jpeg.JpegImageParser;
 import org.apache.commons.imaging.formats.png.PngImageParser;
 import org.apache.commons.imaging.formats.tiff.TiffImageParser;
 import org.apache.commons.io.FileUtils;
+import org.apache.commons.io.FilenameUtils;
 import org.apache.ofbiz.base.util.Debug;
 import org.apache.ofbiz.base.util.FileUtil;
+import org.apache.ofbiz.base.util.StringUtil;
+import org.apache.ofbiz.base.util.UtilProperties;
+import org.apache.ofbiz.base.util.UtilValidate;
 import org.apache.ofbiz.entity.Delegator;
 import org.apache.ofbiz.entity.util.EntityUtilProperties;
 import org.apache.pdfbox.pdmodel.PDDocument;
@@ -91,6 +96,7 @@ public class SecuredUpload {
 // Line #-- UPLOAD: supported file formats are *safe* PNG, GIF, TIFF, 
JPEG, PDF, Audio and Video and ZIP
 
 private static final String MODULE = SecuredUpload.class.getName();
+private static final List deniedFileExtensions = 
deniedFileExtensions();
 
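Review bot: `deniedFileExtensions` is a `static final` constant and should be named `DENIEDFILEEXTENSIONS` per checkstyle; it also shares its name with the `deniedFileExtensions()` factory and appears as a raw `List` here, which should be `List<String>` unless the generic was lost in mail rendering.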
 /**
  * @param fileToCheck
@@ -107,28 +113,33 @@ public class SecuredUpload {
 
 String imageServerUrl = 
EntityUtilProperties.getPropertyValue("catalog", "image.management.url", 
delegator);
 Path p = Paths.get(fileToCheck);
-String file = p.getFileName().toString();
+String fileName = p.getFileName().toString(); // The file name is the 
farthest element from the root in the directory hierarchy.
 boolean wrongFile = true;
+
+if 
(deniedFileExtensions.contains(FilenameUtils.getExtension(fileToCheck))) {
+Debug.logError("This file extension is not allowed for security 
reason", MODULE);
+deleteBadFile(fileToCheck);
+return false;
+}
+
 if (org.apache.commons.lang3.SystemUtils.IS_OS_WINDOWS) {
-if (fileToCheck.length() > 259) {
+if (fileToCheck.length() < 259) {
 Debug.logError("Uploaded 
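Review bot: the Windows length guard is inverted: `if (fileToCheck.length() > 259)` became `if (fileToCheck.length() < 259)` while the body still logs "Uploaded file name too long", so short paths are rejected and over-long ones pass; restore `>`. The `deniedFileExtensions.contains(FilenameUtils.getExtension(fileToCheck))` lookup is also case-sensitive; lower-case the extension first.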

[ofbiz-framework] branch release17.12 updated: Fixed: CVE-2021-37608 vulnerability bypass (OFBIZ-12307)

2021-09-03 Thread jleroux
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release17.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release17.12 by this push:
 new dfd71bf  Fixed: CVE-2021-37608 vulnerability bypass (OFBIZ-12307)
dfd71bf is described below

commit dfd71bf7dd552a7cdc287bcb6e2da30cee4cd093
Author: Jacques Le Roux 
AuthorDate: Fri Sep 3 13:47:15 2021 +0200

Fixed: CVE-2021-37608 vulnerability bypass (OFBIZ-12307)

The fix I did is twofold:
filters extensions (thanks to Zhujie's suggestion of a list of extensions 
to ban)
deletes bad files at the right place (thanks to thiscodecc's report)

Thanks: thiscodecc for the security report
---
 framework/security/config/security.properties  |  6 ++-
 .../org/apache/ofbiz/security/SecuredUpload.java   | 55 +-
 2 files changed, 47 insertions(+), 14 deletions(-)

diff --git a/framework/security/config/security.properties 
b/framework/security/config/security.properties
index c19ccc6..c0ff597 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -151,7 +151,7 @@ SameSiteCookieAttribute=
 templateClassResolver=
 
 
-#-- UPLOAD: supported file formats are *safe* PNG, GIF, TIFF, JPEG, PDF, Audio 
and Video and ZIP
+#-- = UPLOAD: supported file formats are *safe* PNG, GIF, TIFF, JPEG, PDF, 
Audio and Video and ZIP
 #--
 #-- No proprietary file formats (Excel, Word, etc.) are handled OOTB.
 #-- They can be handled by custom projects using  
https://github.com/righettod/document-upload-protection:
@@ -174,6 +174,10 @@ templateClassResolver=
 #-- For text files, the philosophy is we can't presume of all possible text 
contents used for attacks with payloads
 #-- At least there is an easy way to prevent them in 
SecuredUpload::isValidTextFile
 #--
+#-- List of denied files suffixes to be uploaded
+#-- OFBiz of course also check contents...
+deniedFileExtensions=html,htm,php,php2,hph3,php4,php5,asp,aspx,ascx,jsp,jspx,cfm,cfc,bat,exe,com,dll,vbs,js,reg,cgi,htaccess,asis,sh,phtm,shtm,inc,asp,cdx,asa,cer,py,pl,shtml,hta,ps1
+#--
 #-- The upload vulnerability is only a post-auth (needs a credential with 
suitable permissions),
 #-- people may like to allow more than what is allowed OOTB
 #-- As it name says, allowAllUploads opens all possibilities
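Review bot: in the new `deniedFileExtensions` value, `hph3` looks like a typo for `php3`, and `asp` is listed twice (once after `php5`, again after `inc`); suggest fixing the typo, de-duplicating, and keeping the list sorted so future additions are easy to review. Since every entry is lowercase, the consumer in SecuredUpload must lowercase the uploaded file's extension before the `contains` check or the list is only partially effective. Minor: the comment `#-- OFBiz of course also check contents...` should read `checks`.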
diff --git 
a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java 
b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
index 3dfdcc8..59ef0fe 100644
--- 
a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
+++ 
b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
@@ -38,6 +38,7 @@ import java.util.Collection;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Iterator;
+import java.util.LinkedList;
 import java.util.List;
 import java.util.Set;
 import java.util.UUID;
@@ -60,8 +61,12 @@ import 
org.apache.commons.imaging.formats.jpeg.JpegImageParser;
 import org.apache.commons.imaging.formats.png.PngImageParser;
 import org.apache.commons.imaging.formats.tiff.TiffImageParser;
 import org.apache.commons.io.FileUtils;
+import org.apache.commons.io.FilenameUtils;
 import org.apache.ofbiz.base.util.Debug;
 import org.apache.ofbiz.base.util.FileUtil;
+import org.apache.ofbiz.base.util.StringUtil;
+import org.apache.ofbiz.base.util.UtilProperties;
+import org.apache.ofbiz.base.util.UtilValidate;
 import org.apache.ofbiz.entity.Delegator;
 import org.apache.ofbiz.entity.util.EntityUtilProperties;
 import org.apache.pdfbox.pdmodel.PDDocument;
@@ -91,6 +96,7 @@ public class SecuredUpload {
 // Line #-- UPLOAD: supported file formats are *safe* PNG, GIF, TIFF, 
JPEG, PDF, Audio and Video and ZIP
 
 private static final String MODULE = SecuredUpload.class.getName();
+private static final List deniedFileExtensions = 
deniedFileExtensions();
 
 /**
  * @param fileToCheck
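Review bot: `deniedFileExtensions` is a `private static final` constant and so, like `MODULE` in the same class, belongs in UPPER_SNAKE_CASE; it also collides in name with the `deniedFileExtensions()` method that initializes it, so `DENIED_FILE_EXTENSIONS = deniedFileExtensions();` would read more clearly. Because it is initialized in a static initializer, any exception thrown while reading the property surfaces as an `ExceptionInInitializerError` the first time `SecuredUpload` is touched; the loader (not shown in this hunk) should catch that and fail closed rather than leave the class unusable or the list empty.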
@@ -107,28 +113,33 @@ public class SecuredUpload {
 
 String imageServerUrl = 
EntityUtilProperties.getPropertyValue("catalog", "image.management.url", 
delegator);
 Path p = Paths.get(fileToCheck);
-String file = p.getFileName().toString();
+String fileName = p.getFileName().toString(); // The file name is the 
farthest element from the root in the directory hierarchy.
 boolean wrongFile = true;
+
+if 
(deniedFileExtensions.contains(FilenameUtils.getExtension(fileToCheck))) {
+Debug.logError("This file extension is not allowed for security 
reason", MODULE);
+deleteBadFile(fileToCheck);
+return false;
+}
+
 if (org.apache.commons.lang3.SystemUtils.IS_OS_WINDOWS) {
-if (fileToCheck.length() > 259) {
+if (fileToCheck.length() < 259) {
 Debug.logError("Uploaded 
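Review bot: the comparison in `+if (fileToCheck.length() < 259) {` appears inverted relative to the removed `> 259`: the following `Debug.logError("Uploaded ...` branch is now entered for every path shorter than 259 characters and skipped for the over-long paths it was meant to catch, so the operator should be restored to `>`. For the added denied-extension check, `FilenameUtils.getExtension(fileToCheck)` returns the extension with its original case while the configured list is lowercase, so lowercase it with `Locale.ROOT` before `contains`; it can also be applied to the `fileName` just computed rather than the whole path, and the `deleteBadFile` plus `return false` on rejection are the right fail-closed shape.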

[ofbiz-site] branch master updated: Fixes a typo (related to CLC)

2021-09-03 Thread jleroux
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ofbiz-site.git


The following commit(s) were added to refs/heads/master by this push:
 new 0c4b056  Fixes a typo (related to CLC)
0c4b056 is described below

commit 0c4b056bad154bdf229e92d25a78f8c8dba1c4e9
Author: Jacques Le Roux 
AuthorDate: Fri Sep 3 08:36:11 2021 +0200

Fixes a typo (related to CLC)
---
 release-notes-13.07.03.html  | 2 +-
 release-notes-16.11.01.html  | 2 +-
 template/page/release-notes-13.07.03.tpl.php | 2 +-
 template/page/release-notes-16.11.01.tpl.php | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/release-notes-13.07.03.html b/release-notes-13.07.03.html
index a6885d5..9996a56 100644
--- a/release-notes-13.07.03.html
+++ b/release-notes-13.07.03.html
@@ -186,7 +186,7 @@
   [[OFBIZ-6683]] - Type-ahead regarding workeffort in 
AddCommEventWorkEffort throws an error
   [[OFBIZ-6687]] - org.ofbiz.entity.GenericModelException: 
Could not find definition for entity name FixedAssetMaintWorkEffort
   [[OFBIZ-6697]] - 
CommunicationServices.createAttachmentContent duplicates attachments for 
existing CommunicationEvents
-  [[OFBIZ-6706]] - The Widget-style of a menuItem in his 
link when the menu is selected
+  [[OFBIZ-6706]] - The Widget-style of a menuItem in its 
link when the menu is selected
   [[OFBIZ-6707] ] - WebtoolsUiLabels went missing
   [[OFBIZ-6708]] -  Missing userLogin error on party profile 
screen when 1st content is non public
   [[OFBIZ-6725]] - Best Selling Products section in main 
order page takes into account cancelled orders
diff --git a/release-notes-16.11.01.html b/release-notes-16.11.01.html
index ee7dc44..89051f6 100644
--- a/release-notes-16.11.01.html
+++ b/release-notes-16.11.01.html
@@ -344,7 +344,7 @@
 [OFBIZ-6687] -  
org.ofbiz.entity.GenericModelException: Could not find definition for entity 
name FixedAssetMaintWorkEffort 
 [OFBIZ-6698] -  
sendCommEventAsEmail does not filter CommEventContentAssoc
 [OFBIZ-6703] -  
Cannot create more than one lead in the SFA component by same user
-[OFBIZ-6706] -  The 
Widget-style of a menuItem in his link when the menu is selected
+[OFBIZ-6706] -  The 
Widget-style of a menuItem in its link when the menu is selected
 [OFBIZ-6707] -  
WebtoolsUiLabels went missing
 [OFBIZ-6708] -  
Missing userLogin error on party profile screen when 1st content is non 
public
 [OFBIZ-6725] -  Best 
Selling Products section in main order page takes into account cancelled 
orders
diff --git a/template/page/release-notes-13.07.03.tpl.php 
b/template/page/release-notes-13.07.03.tpl.php
index 12542b9..c3ca6f0 100644
--- a/template/page/release-notes-13.07.03.tpl.php
+++ b/template/page/release-notes-13.07.03.tpl.php
@@ -75,7 +75,7 @@
   [[OFBIZ-6683]] - Type-ahead regarding workeffort in 
AddCommEventWorkEffort throws an error
   [[OFBIZ-6687]] - org.ofbiz.entity.GenericModelException: 
Could not find definition for entity name FixedAssetMaintWorkEffort
   [[OFBIZ-6697]] - 
CommunicationServices.createAttachmentContent duplicates attachments for 
existing CommunicationEvents
-  [[OFBIZ-6706]] - The Widget-style of a menuItem in his 
link when the menu is selected
+  [[OFBIZ-6706]] - The Widget-style of a menuItem in its 
link when the menu is selected
   [[OFBIZ-6707] ] - WebtoolsUiLabels went missing
   [[OFBIZ-6708]] -  Missing userLogin error on party profile 
screen when 1st content is non public
   [[OFBIZ-6725]] - Best Selling Products section in main 
order page takes into account cancelled orders
diff --git a/template/page/release-notes-16.11.01.tpl.php 
b/template/page/release-notes-16.11.01.tpl.php
index 8dfaf48..4d2234d 100644
--- a/template/page/release-notes-16.11.01.tpl.php
+++ b/template/page/release-notes-16.11.01.tpl.php
@@ -233,7 +233,7 @@
 [OFBIZ-6687] -  
org.ofbiz.entity.GenericModelException: Could not find definition for entity 
name FixedAssetMaintWorkEffort 
 [OFBIZ-6698] -  
sendCommEventAsEmail does not filter CommEventContentAssoc
 [OFBIZ-6703] -  
Cannot create more than one lead in the SFA component by same user
-[OFBIZ-6706] -  The 
Widget-style of a menuItem in his link when the menu is selected
+[OFBIZ-6706] -  The 
Widget-style of a menuItem in its link when the menu is selected
 [OFBIZ-6707] -  
WebtoolsUiLabels went missing
 [OFBIZ-6708] -  
Missing userLogin error on party profile screen when 1st content is non 
public
 [OFBIZ-6725] -  Best 
Selling Products section in main order page takes into account cancelled 
orders