This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/trunk by this push: new 54e544d Improved: Create a deny list to reject webshell tokens (OFBIZ-12324) 54e544d is described below commit 54e544d302f20728d1f8b27670ce5c63367372c5 Author: Jacques Le Roux <jacques.le.r...@les7arts.com> AuthorDate: Fri Feb 18 13:50:50 2022 +0100 Improved: Create a deny list to reject webshell tokens (OFBIZ-12324) Prevents CSV injection (MS Excel or Open Office)
---
 framework/security/config/security.properties | 2 +-
 .../src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java | 8 ++++++--
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/framework/security/config/security.properties b/framework/security/config/security.properties
index 7661561..fa96158 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -253,7 +253,7 @@ deniedWebShellTokens=freemarker,<script,javascript,<body,<form,<jsp:,<c:out,tagl
 %eval,@eval,eval(,runtime,import,passthru,shell_exec,assert,str_rot13,system,decode,include,page ,\
 chmod,mkdir,fopen,fclose,new file,upload,getfilename,download,getoutputstring,readfile,\
 python,perl ,/perl,ruby ,/ruby,process,function,class,InputStream,to_server,\
- ifconfig,route,crontab,netstat,uname,hostname,iptables,whoami
+ ifconfig,route,crontab,netstat,uname,hostname,iptables,whoami,"cmd",*cmd|,+cmd|,=cmd|
 #-- Max line length for uploaded files, by default 10000
diff --git a/framework/security/src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java b/framework/security/src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java
index 2ffe1e6..7b212dd 100644
--- a/framework/security/src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java
+++ b/framework/security/src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java
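Review bot: The added tokens `"cmd",*cmd|,+cmd|,=cmd|` on the `+` line cover the `=` and `+` formula prefixes but not `-` and `@`, which spreadsheet applications also treat as formula-leading characters, so the deny list is asymmetric for the CSV-injection case the commit message names; if SecuredUpload.isValidText is a plain substring match (it is not visible here), adding `-cmd|` and `@cmd|` with matching test assertions would close that gap. The properties file itself says nothing about why these four entries sit among shell-command names, so a later cleanup could drop them; a comment above the value such as `#-- "cmd", *cmd|, +cmd|, =cmd| reject spreadsheet formula cells (CSV injection, OFBIZ-12324)` would preserve the intent. The `deniedWebShellTokens=` value begins before this hunk; only its continuation lines are shown, and the hunk header truncates the first line.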
@@ -63,7 +63,7 @@ public class SecurityUtilTest {
 // %eval,@eval,eval(,runtime,import,passthru,shell_exec,assert,str_rot13,system,decode,include,page ,\
 // chmod,mkdir,fopen,fclose,new file,upload,getfilename,download,getoutputstring,readfile,\
 // python,perl ,/perl,ruby ,/ruby,process,function,class,InputStream,to_server,\
- // ifconfig,route,crontab,netstat,uname,hostname,iptables,whoami
+ // ifconfig,route,crontab,netstat,uname,hostname,iptables,whoami,"cmd",*cmd|,+cmd|,=cmd|
 try {
 List<String> allowed = new ArrayList<>();
@@ -122,11 +122,15 @@ public class SecurityUtilTest {
 assertFalse(SecuredUpload.isValidText("route", allowed));
 assertFalse(SecuredUpload.isValidText("crontab", allowed));
 assertFalse(SecuredUpload.isValidText("netstat", allowed));
- assertFalse(SecuredUpload.isValidText("uname", allowed)); // found 1 image (on 33 600) with this token in
+ assertFalse(SecuredUpload.isValidText("uname", allowed)); // found 1 image (on 33 600, ~3GB) with this token in
 assertFalse(SecuredUpload.isValidText("hostname", allowed));
 assertFalse(SecuredUpload.isValidText("iptables", allowed));
 assertFalse(SecuredUpload.isValidText("whoami", allowed)); // ip, ls, nc, ip, cat and pwd can'tbe used, too short
+ assertFalse(SecuredUpload.isValidText("\"cmd\"", allowed));
+ assertFalse(SecuredUpload.isValidText("*cmd|", allowed));
+ assertFalse(SecuredUpload.isValidText("+cmd|", allowed));
+ assertFalse(SecuredUpload.isValidText("=cmd|", allowed));
 } catch (IOException e) {
 fail(String.format("IOException occured : %s", e.getMessage()));