This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release18.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release18.12 by this push: new 16ffa21 Fixed: Secure the uploads (OFBIZ-12080) 16ffa21 is described below commit 16ffa216d9a22a02a7e846a15a3a836a0212849d Author: Jacques Le Roux <jacques.le.r...@les7arts.com> AuthorDate: Mon Dec 14 16:46:05 2020 +0100 Fixed: Secure the uploads (OFBIZ-12080) Follows OWASP advice on file names: All the control characters and Unicode ones should be removed from the filenames and their extensions without any exception. Also, the special characters such as “;”, “:”, “>”, “<”, “/” ,”\”, additional “.”, “*”, “%”, “$”, and so on should be discarded as well. If it is applicable and there is no need to have Unicode characters, it is highly recommended to only accept Alpha-Numeric characters and only 1 dot as an input for the file name and the extension; in which the file name and also the extension should not be empty at all (regular expression: [a-zA-Z0-9]{1,200}.[a-zA-Z0-9]{1,10}). So if someone needs other chars in uploaded filenames a change will be needed
---
 .../main/java/org/apache/ofbiz/security/SecuredUpload.java | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
index a8321dc..273bdf5 100644
--- a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
+++ b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
@@ -107,10 +107,24 @@ public class SecuredUpload { if (org.apache.commons.lang3.SystemUtils.IS_OS_WINDOWS) { if (fileToCheck.length() > 259) { + Debug.logError("Uploaded file name too long", MODULE); + return false; + } else if (!fileToCheck.matches("[a-zA-Z0-9]{1,249}.[a-zA-Z0-9]{1,10}")) { + Debug.logError("Uploaded file " + + " should contain only Alpha-Numeric characters, only 1 dot as an input for the file name and the extension; " + + "in which the file name and also the extension should not be empty at all ", + MODULE); return false; } } else { if (fileToCheck.length() > 4096) { + Debug.logError("Uploaded file name too long", MODULE); + return false; + } else if (!fileToCheck.matches("[a-zA-Z0-9]{1,4086}.[a-zA-Z0-9]{1,10}")) { + Debug.logError("Uploaded file " + + " should contain only Alpha-Numeric characters, only 1 dot as an input for the file name and the extension; " + + "in which the file name and also the extension should not be empty at all ", + MODULE); return false; } }
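Review bot: The dot in both new patterns, `[a-zA-Z0-9]{1,249}.[a-zA-Z0-9]{1,10}` and `[a-zA-Z0-9]{1,4086}.[a-zA-Z0-9]{1,10}`, is unescaped, so it matches any single character rather than a literal period, and a name like `foo/bar`, `foo\bar` or `foo;sh` still satisfies `fileToCheck.matches(...)` — the separator and special characters the commit description says must be discarded are exactly what the dot lets through, and the "only 1 dot" rule in the log message is not what the code enforces. The same unescaped dot appears in the OWASP regex quoted in the description, so the flaw looks inherited rather than a typo, but in Java source it has to be written `"[a-zA-Z0-9]{1,249}\\.[a-zA-Z0-9]{1,10}"` and `"[a-zA-Z0-9]{1,4086}\\.[a-zA-Z0-9]{1,10}"` to mean a period. Since `String.matches` recompiles the regex on every call, consider also hoisting the two patterns into `private static final Pattern` constants and calling `matcher(fileToCheck).matches()`. The enclosing method's signature and the remainder of its body lie outside this hunk, so whether other checks downstream catch these characters cannot be judged from here.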