[jira] [Comment Edited] (OFBIZ-6669) Possible static XSS issue with Content
[ https://issues.apache.org/jira/browse/OFBIZ-6669?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14998606#comment-14998606 ]

Jacques Le Roux edited comment on OFBIZ-6669 at 11/10/15 1:52 PM:
--

The commit at revision 1713634 in trunk completes and finalises this work.

Before closing, to safely backport in R14.12, I will need to backport the improvement from OFBIZ-6701 beforehand. Else it will be insanely complicated. I will ask agreement on the dev ML...

was (Author: jacques.le.roux):
The commit at revision 1713634 in trunk completes and finalises this work.

Before closing, to safely backport in R14.12, I will need to backport the improvement from OFBIZ-6701 beforehand. Else it will be insanely complicated. I will ask agreement on the dev ML...

> Possible static XSS issue with Content
> --
>
>                 Key: OFBIZ-6669
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-6669
>             Project: OFBiz
>          Issue Type: Bug
>          Components: content, order, party, product, workeffort
>    Affects Versions: Release Branch 12.04, Release Branch 13.07, Release Branch 14.12, Trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>             Fix For: 14.12.01, Upcoming Branch
>
>         Attachments: OFBIZ-6669.patch, OFBIZ-6669.patch
>
>
> I found a possible XSS attack through *ContentWrapper.java and ContentWorker itself.
> Note that in supported releases it's hard to exploit, it's a Stored XSS https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting which means you need 1st to somehow inject exploiting code in the DB.
> Issues in *ContentWrapper.java have already been fixed by changing the ContentWrapper interface
> from
> {code}
> public interface ContentWrapper {
>     public StringUtil.StringWrapper get(String contentTypeId);
> }
> {code}
> to
> {code}
> public interface ContentWrapper {
>     public StringUtil.StringWrapper get(String contentTypeId, String encoderType);
> }
> {code}
> and changing the Category, Party, Product, ProductPromo, ProductConfigItem and WorkEffort ContentWrappers accordingly. This means using 2 types of encoderTypes: "html" and "url".
> The "html" encoderType will be used for all ProductContentTypes but those whose ContentTypeIds contain URL (actually end with "_URL"), which will use the "url" encoderType.
> It concerns not only the get() method but also methods like getPartyContentAsText(), getProductContentAsText(), etc.
> It seems a big change but it's straightforward. It's now complete after the following commits in revisions (I hope I did not miss reporting any):
> trunk 1705329 1705417 1705427 1705532 1706159 1706162 1707857 1708930
> and related backports in R14.12 1705331 1705418 1705428 1705533 1706160 1706163 1707858 1708931
> I have also committed a fix for ContentWorker. For that I have added owasp-java-html-sanitizer-r239.jar and put a "content.sanitize=true" property in content.properties with some explanations. The reason I put this property is because the sanitizer does some (safe) changes which might be unwanted in a context where you are "sure" no one can inject/exploit your DB.
> Here are for instance the changes the sanitizer does when rendering cmssite:
> {code}
> @@ -19,7 +19,7 @@
>
> -
> +
> This is the header!
>
> @@ -27,34 +27,26 @@
>
> Welcome to the CmsSite Home page.
> -
> +
>
> This is a site to demonstrate the CMS capabilities of OFBiz.
> Its basic function is the editing of website text
> inside a browser. If you want to edit the text you are reading
> now, logon to the backend system, select the content component
> - click on 'cmssite' in the website list and ten click on the
> 'cms' button. There you see on the left hand side the tree of this website.
> - If you click on 'homepage' then you can edit the content of
> this page at the box in the r
> + click on cmssite in the website list and ten click
> on the cms button. There you see on the left hand side the tree of
> this website.
> + If you click on homepage then you can edit the
> content of this page at the box in the r
>
> This is only the basic function of the CMS which is part of
> the content component. The content component is actually more than a
> CMS it can also handle documents pretty well. An example is
> the apache OFBiz document you can see when you click on the last option in
> the list below.
> -
> -
> -
> -Demo Page 1 -
> Hard Coded Link
> -Demo Page 1
> - Hard Coded Link using the Sub-Content Pattern
> - href="/cmssite/cms/CMSS_DEMO_PAGE1;jsessionid=014BD837D7FFB6E0F8CB31AAF35092A0.jvm1">Demo
> Page 1 - Dynamic Link
> - href="/cmssite/cms/CMSS_DEMO_SCREEN;jsessionid=014BD837D7FFB6E0F8CB31AAF35092A0.jvm1">Demo
> Page with screen widget and screen decorator
> - href="/cmssite/cms/CMSS_DEMO_BLOG;jsessionid=014BD837D7FFB6E0F8CB31AAF35092A0.jvm1">Demo
> Page with blog
> {code}
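Review bot: the second hunk shows the sanitizer doing more than escaping: the quotes around 'cmssite' and 'homepage' disappear from the `+` lines, and the anchors at the end (the `- href="/cmssite/cms/CMSS_DEMO_PAGE1;jsessionid=...">Demo` lines and their siblings) are removed with no `+` counterpart, so enabling content.sanitize silently drops navigation links that stored CMS content relies on. Document that in the content.properties explanation, and where such links are legitimate, extend the policy explicitly (the OWASP sanitizer's Sanitizers.LINKS policy, or an HtmlPolicyBuilder allowing `a` with `href` on standard URL protocols) rather than recommending content.sanitize=false, which re-opens the stored XSS path the description is about.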
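The two-encoder scheme from the description above, as an added example that is not OFBiz code: a stand-in for *ContentWrapper.get(contentTypeId, encoderType) that selects "url" for content types ending in "_URL" and "html" otherwise, together with a stand-in for the content.encode opt-out and the UtilCodec.HtmlEncoder.encodeOrNot() idea mentioned in a later comment. ContentEncodingDemo, ENCODE_PROPERTY, the encodeOrNot() signature and the sample rows are assumptions, and the "url" encoder here percent-encodes a value embedded in a URL, which is this example's choice, not a statement about OFBiz's own codec.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;

/**
 * Added example, not OFBiz code: models the encoderType selection described
 * in OFBIZ-6669 plus a content.encode on/off property. Class, method and
 * property names are assumptions made for this example.
 */
public final class ContentEncodingDemo {

    /** Assumed property name; the issue discusses adding a "content.encode" property. */
    static final String ENCODE_PROPERTY = "content.encode";

    /** "html" encoderType: entity-encode the characters that matter in element text and attribute values. */
    static String encodeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** "url" encoderType: percent-encode a value placed inside a URL (path segment or query value). */
    static String encodeUrl(String s) {
        try {
            return URLEncoder.encode(s, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException(e); // UTF-8 is always available on a JVM
        }
    }

    /** The rule from the issue: content types ending in "_URL" use "url", everything else "html". */
    static String encoderTypeFor(String contentTypeId) {
        return contentTypeId.endsWith("_URL") ? "url" : "html";
    }

    /**
     * Stand-in for an encodeOrNot() helper: encode unless content.encode=false.
     * Defaulting to "true" means a missing property still fails safe.
     */
    static String encodeOrNot(String value, String encoderType, Properties props) {
        if (!Boolean.parseBoolean(props.getProperty(ENCODE_PROPERTY, "true"))) {
            return value; // operator explicitly trusts the database contents
        }
        switch (encoderType) {
            case "html": return encodeHtml(value);
            case "url":  return encodeUrl(value);
            default: throw new IllegalArgumentException("unknown encoderType: " + encoderType);
        }
    }

    /** Stand-in for a *ContentWrapper.get(contentTypeId, encoderType) call over stored rows. */
    static String get(Map<String, String> stored, String contentTypeId, Properties props) {
        String raw = stored.get(contentTypeId);
        return raw == null ? null : encodeOrNot(raw, encoderTypeFor(contentTypeId), props);
    }

    public static void main(String[] args) {
        // Constructed sample rows standing in for content stored in the DB.
        Map<String, String> stored = new HashMap<String, String>();
        stored.put("DESCRIPTION", "Gizmo & Co <script>alert(1)</script>");
        stored.put("IMAGE_URL", "gizmo 1.png\"");

        Properties encodeOn = new Properties();          // property absent: encodes by default
        Properties encodeOff = new Properties();
        encodeOff.setProperty(ENCODE_PROPERTY, "false"); // opt-out for a trusted database

        // Element text: the stored markup is rendered as inert text.
        System.out.println("<p>" + get(stored, "DESCRIPTION", encodeOn) + "</p>");
        // URL component: the quote and the space cannot terminate the attribute.
        System.out.println("<img src=\"/images/" + get(stored, "IMAGE_URL", encodeOn) + "\">");
        // With content.encode=false the stored value comes back untouched.
        System.out.println("<p>" + get(stored, "DESCRIPTION", encodeOff) + "</p>");
    }
}
```

Percent-encoding is for a value embedded in a URL; applied to a whole stored URL it would also encode "/" and "?", so a wrapper's contract for *_URL content types must state which of the two it stores.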
[jira] [Comment Edited] (OFBIZ-6669) Possible static XSS issue with Content
[ https://issues.apache.org/jira/browse/OFBIZ-6669?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14954165#comment-14954165 ]

Jacques Le Roux edited comment on OFBIZ-6669 at 11/6/15 2:57 PM:
-

The ContentWorker is fixed in
trunk r1708274 + r1708560 + r1712971
R14.12 r1708275 + r1708471 + r1712972

was (Author: jacques.le.roux):
The ContentWorker is fixed in
trunk r1708274 + r1708560
R14.12 r1708275 + r1708471
[jira] [Comment Edited] (OFBIZ-6669) Possible static XSS issue with Content
[ https://issues.apache.org/jira/browse/OFBIZ-6669?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14993841#comment-14993841 ]

Jacques Le Roux edited comment on OFBIZ-6669 at 11/6/15 3:50 PM:
-

I reopen here to allow users to choose to not encode contents in *ContentWrapper classes, as they already can with the ContentWorker class using the content.sanitize property. Actually I will use another content.encode property and will generalize by creating a new UtilCodec.HtmlEncoder.encodeOrNot() method and use it in *ContentWrapper classes. But the property should not be in the content application, to not introduce a dependency from base; not sure where to put it apart from in base itself (in an owasp.properties maybe) to avoid introducing a dependency in base, which is currently clean (does not depend on another OFBiz component):

{code}
C:\projectASF-Mars\ofbiz\framework\base>"C:\Program Files\Java\jdk1.8.0_51\bin\jdeps" build\lib\ofbiz-base.jar
ofbiz-base.jar -> C:\Program Files\Java\jdk1.8.0_51\jre\lib\jce.jar
ofbiz-base.jar -> not found
ofbiz-base.jar -> build\lib\ofbiz-base.jar
ofbiz-base.jar -> C:\Program Files\Java\jdk1.8.0_51\jre\lib\rt.jar
   org.ofbiz.base.component (ofbiz-base.jar)
      -> java.io
      -> java.lang
      -> java.net
      -> java.security
      -> java.util
      -> java.util.concurrent.atomic
      -> javax.xml.parsers
      -> org.ofbiz.base.config                    ofbiz-base.jar
      -> org.ofbiz.base.container                 ofbiz-base.jar
      -> org.ofbiz.base.location                  ofbiz-base.jar
      -> org.ofbiz.base.util                      ofbiz-base.jar
      -> org.ofbiz.base.util.string               ofbiz-base.jar
      -> org.w3c.dom
      -> org.xml.sax
   org.ofbiz.base.concurrent (ofbiz-base.jar)
      -> java.lang
      -> java.util
      -> java.util.concurrent
      -> org.ofbiz.base.util                      ofbiz-base.jar
   org.ofbiz.base.config (ofbiz-base.jar)
      -> java.io
      -> java.lang
      -> java.net
      -> java.util
      -> java.util.concurrent
      -> javax.xml.parsers
      -> org.ofbiz.base.util                      ofbiz-base.jar
      -> org.ofbiz.base.util.cache                ofbiz-base.jar
      -> org.w3c.dom
      -> org.xml.sax
   org.ofbiz.base.container (ofbiz-base.jar)
      -> bsh                                      not found
      -> java.io
      -> java.lang
      -> java.net
      -> java.rmi
      -> java.rmi.registry
      -> java.rmi.server
      -> java.util
      -> java.util.concurrent.atomic
      -> javax.xml.parsers
      -> org.ofbiz.base.component                 ofbiz-base.jar
      -> org.ofbiz.base.config                    ofbiz-base.jar
      -> org.ofbiz.base.start                     not found
      -> org.ofbiz.base.util                      ofbiz-base.jar
      -> org.w3c.dom
      -> org.xml.sax
   org.ofbiz.base.conversion (ofbiz-base.jar)
      -> com.ibm.icu.util                         not found
      -> java.io
      -> java.lang
      -> java.lang.reflect
      -> java.math
      -> java.net
      -> java.nio
      -> java.nio.charset
      -> java.sql
      -> java.text
      -> java.util
      -> java.util.concurrent
      -> java.util.regex
      -> javax.sql.rowset.serial
      -> org.ofbiz.base.lang                      ofbiz-base.jar
      -> org.ofbiz.base.util                      ofbiz-base.jar
   org.ofbiz.base.crypto (ofbiz-base.jar)
      -> java.io
      -> java.lang
      -> java.nio.charset
      -> java.security
      -> java.security.spec
      -> java.util
      -> javax.crypto
      -> javax.crypto.spec
      -> org.apache.commons.codec.binary          not found
      -> org.apache.commons.lang                  not found
      -> org.apache.shiro.crypto                  not found
      -> org.ofbiz.base.util                      ofbiz-base.jar
   org.ofbiz.base.lang (ofbiz-base.jar)
      -> com.fasterxml.jackson.databind           not found
      -> java.io
      -> java.lang
      -> java.lang.annotation
      -> org.apache.commons.io                    not found
      -> org.ofbiz.base.util                      ofbiz-base.jar
   org.ofbiz.base.location (ofbiz-base.jar)
      -> java.io
      -> java.lang
      -> java.net
      -> java.util
      -> org.ofbiz.base.component                 ofbiz-base.jar
      -> org.ofbiz.base.util                      ofbiz-base.jar
   org.ofbiz.base.metrics (ofbiz-base.jar)
      -> java.lang
      -> java.util
      -> org.ofbiz.base.util                      ofbiz-base.jar
      -> org.ofbiz.base.util.cache                ofbiz-base.jar
      -> org.w3c.dom
{code}
[jira] [Comment Edited] (OFBIZ-6669) Possible static XSS issue with Content
[ https://issues.apache.org/jira/browse/OFBIZ-6669?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14960507#comment-14960507 ]

Jacques Le Roux edited comment on OFBIZ-6669 at 10/16/15 10:56 AM:
---

I wonder if we should not close here and create a new issue for the (maybe not easy) backporting task, opinions? On the other hand, having all here seems easier... OK, I create a subtask :D

was (Author: jacques.le.roux):
I wonder if we should not close here and create a new issue for the (maybe not easy) backporting task, opinions? On the other hand, having all here seems easier...
[jira] [Comment Edited] (OFBIZ-6669) Possible static XSS issue with Content
[ https://issues.apache.org/jira/browse/OFBIZ-6669?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14954165#comment-14954165 ]

Jacques Le Roux edited comment on OFBIZ-6669 at 10/14/15 8:52 AM:
--

The ContentWorker is fixed in
trunk r1708274 + r1708560
R14.12 r1708275 + r1708471

was (Author: jacques.le.roux):
The ContentWorker is fixed in
trunk r1708274
R14.12 r1708275 + r1708471
[jira] [Comment Edited] (OFBIZ-6669) Possible static XSS issue with Content
[ https://issues.apache.org/jira/browse/OFBIZ-6669?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14954165#comment-14954165 ]

Jacques Le Roux edited comment on OFBIZ-6669 at 10/13/15 5:29 PM:
--

The ContentWorker is fixed in
trunk r1708274
R14.12 r1708275 + r1708471

was (Author: jacques.le.roux):
The ContentWorker is fixed in
trunk r1708274
R14.12 r1708275