This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release17.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
commit a28316b70d8a2642ef57c7a1b5223c694816442c
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Mon Sep 13 08:13:55 2021 +0200
Fixed: Found a new XXE (XML External Entity Injection) vulnerability in EntityImport (OFBIZ-12304)
The XXE vulnerability can read arbitrary files on the server.
Thanks: thiscodecc for reporting this security issue (post-auth)
---
 .../java/org/apache/ofbiz/base/util/UtilValidate.java | 18 ++++++++++++++++--
 .../org/apache/ofbiz/webtools/WebToolsServices.java | 5 +++++
 2 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilValidate.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilValidate.java
index 14f55e7..d2d44fb 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilValidate.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilValidate.java
@@ -806,8 +806,9 @@ public final class UtilValidate {
 return true;
 }
- /** isUrl returns true if the string contains ://
- * @param s String to validate
+ /**
+ * isUrl returns true if the string contains ://
+ * @param s String to validate Note: this does not handle "component://" specific to OFBiz
+ * @return true if s contains ://
 */
 public static boolean isUrl(String s) {
@@ -821,6 +822,18 @@ public final class UtilValidate {
 }
 /**
+ * URLInString returns true if the string contains :// and not "component://"
+ * @param s String to validate
+ * @return true if s contains :// and not "component://"
+ */
+ public static boolean URLInString(String s) {
+ if (isEmpty(s) || s.contains("component://")) {
+ return false;
+ }
+ return s.indexOf("://") != -1;
+ }
+
+ /**
 * isValidUrl returns true if the string is a valid URL (using Commons UrlValidator)
 * @param s String to validate
 * @return true if s contains if the string is a valid URL (using Commons UrlValidator)
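Review bot: In the new `URLInString`, `s.contains("component://")` makes the whole input count as URL-free, so text that holds a `component://` reference together with any other `://` URL passes the guard WebToolsServices now relies on; the exemption should apply per occurrence, not to the string as a whole. The rewrite below walks each `://` and returns true for the first one that is not the tail of `component://`, which keeps the existing results for pure `component://` and pure `http://` inputs. Two style points: the method name violates `lowerCamelCase` (`urlInString` or `containsUrl`; the caller added in this commit would need the same rename), and since it sits between `isUrl` and `isValidUrl` a Javadoc line such as `Substring test only; use isValidUrl for syntactic validation.` would help callers choose. The enclosing class continues outside the hunk.
```java
public static boolean URLInString(String s) {
    if (isEmpty(s)) {
        return false;
    }
    int idx = s.indexOf("://");
    while (idx != -1) {
        // "component://" is OFBiz-internal and exempt; any other "://" counts as a URL
        boolean component = idx >= 9 && s.startsWith("component", idx - 9);
        if (!component) {
            return true;
        }
        idx = s.indexOf("://", idx + 3);
    }
    return false;
}
```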
@@ -832,6 +845,7 @@ public final class UtilValidate {
 return UrlValidator.getInstance().isValid(s);
 }
+
 /** isYear returns true if string s is a valid
 * Year number. Must be 2 or 4 digits only.
 *
diff --git a/framework/webtools/src/main/java/org/apache/ofbiz/webtools/WebToolsServices.java b/framework/webtools/src/main/java/org/apache/ofbiz/webtools/WebToolsServices.java
index 68a2865..be32378 100644
--- a/framework/webtools/src/main/java/org/apache/ofbiz/webtools/WebToolsServices.java
+++ b/framework/webtools/src/main/java/org/apache/ofbiz/webtools/WebToolsServices.java
@@ -143,6 +143,11 @@ public class WebToolsServices {
 // #############################
 // FM Template
 // #############################
+ if (UtilValidate.URLInString(fulltext)) {
+ Debug.logError("For security reason HTTP URLs are not accepted, see OFBIZ-12304", MODULE);
+ Debug.logInfo("Rather load your data from a file", MODULE);
+ return null;
+ }
 if (UtilValidate.isNotEmpty(fmfilename) && (UtilValidate.isNotEmpty(fulltext) || url != null)) {
 File fmFile = new File(fmfilename);
 if (!fmFile.exists()) {
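Review bot: The added guard is a blocklist on the text of `fulltext`, so protection against XXE still depends on how that string is parsed later, which is outside this hunk; the XML reader used for the import should additionally reject DOCTYPE declarations and external entity resolution (for Xerces-based parsers the `http://apache.org/xml/features/disallow-doctype-decl` feature), leaving this check as defense in depth. The `Debug.logError` text says HTTP URLs are rejected while `URLInString` rejects any `://` scheme; `"For security reason URLs are not accepted in text input, see OFBIZ-12304"` would describe the behaviour. `return null` leaves the method through a path whose return contract is not visible here; if this is an OFBiz service returning a result map, an error result carrying the same message would reach the caller where a bare null may not, so that is worth confirming. The enclosing method starts and ends outside the hunk.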