This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release22.01 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release22.01 by this push:
new c82fb19 Fixed: Secure the uploads (OFBIZ-12080)
c82fb19 is described below

commit c82fb190a5da5f46b60cf08f45b038f1f9f05769
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Mon Feb 21 17:02:12 2022 +0100

Fixed: Secure the uploads (OFBIZ-12080)

Trivial change in DataServices.java: uses the SecuredUpload import in 2 places it was missing.
Adds some tokens in security.properties::deniedWebShellTokens
Removes a duplicated htaccess in security.properties::deniedFileExtensions
---
 .../src/main/java/org/apache/ofbiz/content/data/DataServices.java | 4 ++--
 framework/security/config/security.properties | 8 ++++----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/applications/content/src/main/java/org/apache/ofbiz/content/data/DataServices.java b/applications/content/src/main/java/org/apache/ofbiz/content/data/DataServices.java
index cec71ac..96a4b3f 100644
--- a/applications/content/src/main/java/org/apache/ofbiz/content/data/DataServices.java
+++ b/applications/content/src/main/java/org/apache/ofbiz/content/data/DataServices.java
@@ -205,7 +205,7 @@ public class DataServices {
 File file = new File(fileNameAndPath);
 if (!originalFileName.isEmpty()) {
 // Check the file name
- if (!org.apache.ofbiz.security.SecuredUpload.isValidFileName(originalFileName, delegator)) {
+ if (!SecuredUpload.isValidFileName(originalFileName, delegator)) {
 String errorMessage = UtilProperties.getMessage("SecurityUiLabels", "SupportedFileFormatsIncludingSvg", locale);
 return ServiceUtil.returnError(errorMessage);
 }
@@ -213,7 +213,7 @@ public class DataServices {
 // We would just have a better error message
 if (file.exists()) {
 // Check if a webshell is not uploaded
- if (!org.apache.ofbiz.security.SecuredUpload.isValidFile(fileNameAndPath, "All", delegator)) {
+ if (!SecuredUpload.isValidFile(fileNameAndPath, "All", delegator)) {
 String errorMessage = UtilProperties.getMessage("SecurityUiLabels", "SupportedFileFormatsIncludingSvg", locale);
 return ServiceUtil.returnError(errorMessage);
 }
diff --git a/framework/security/config/security.properties b/framework/security/config/security.properties
index 576e69f..397c0c3 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -237,7 +237,7 @@ templateClassResolver=
 #-- List of denied files suffixes to be uploaded
 #-- OFBiz of course also check contents...
 deniedFileExtensions=html,htm,php,php1,php2,hph3,php4,php5,php6,php7,phps,asp,aspx,asa,asax,ascx,ashx,asmx,jsp,jspa,jspx,jsw,jsv,jspf,jtml,cfm,cfc,bat,exe,com,dll,\
- vbs,js,reg,cgi,htaccess,asis,sh,phtm,pht,phtml,shtm,inc,asp,cdx,asa,cer,py,pl,shtml,hta,ps1,tag,pgif,htaccess,phar,inc,cgi,wss,do,action
+ vbs,js,reg,cgi,asis,sh,phtm,pht,phtml,shtm,inc,asp,cdx,asa,cer,py,pl,shtml,hta,ps1,tag,pgif,htaccess,phar,inc,cgi,wss,do,action
 #--
 #-- The upload vulnerability is only a post-auth (needs a credential with suitable permissions),
 #-- people may like to allow more than what is allowed OOTB
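Review bot: When `isValidFile` rejects the content, the new line returns an error but the file at `fileNameAndPath` — which the enclosing `file.exists()` has just confirmed is already on disk — is not removed anywhere in this hunk, so a rejected upload may stay in place unless code outside the hunk deletes it; the enclosing method starts and ends outside the hunk, so please confirm. If nothing else removes it, add cleanup before the return, e.g. `if (!file.delete()) { /* log that the rejected upload could not be removed */ }` followed by `return ServiceUtil.returnError(errorMessage);`. A smaller point: the content rejection reuses the `SupportedFileFormatsIncludingSvg` label, which tells the user the format is unsupported rather than that the content was refused; a dedicated label would make the two checks distinguishable in the UI and in logs. The same return-without-cleanup shape appears in the @@ -205 hunk above, though there it is not visible whether the file has been written yet.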
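Review bot: `hph3` in the `deniedFileExtensions` context line looks like a transposition of `php3`, which would leave `.php3` outside this denylist even though `php1` through `php7` are otherwise all listed; if that entry is meant to be `php3` it should be corrected here. The new continuation line also still carries duplicates the commit did not remove: `asp` and `asa` already appear on the first line, and `inc` and `cgi` each appear twice on the continuation line itself. Duplicates do not change matching, but they make the list harder to audit, so the continuation line could read `vbs,js,reg,cgi,asis,sh,phtm,pht,phtml,shtm,inc,cdx,cer,py,pl,shtml,hta,ps1,tag,pgif,htaccess,phar,wss,do,action`. Whether the extension comparison is case-insensitive (for example `.PHP`) is not visible from this file and is worth confirming in the code that consumes the property.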
@@ -249,11 +249,11 @@ allowAllUploads=
 #-- "freemarker" should be OK, should not be used in Freemarker templates, not part of the syntax.
 #-- Else "template.utility.Execute" is a good replacement but not as much catching, who knows...
 #-- If you are sure you are safe for a token you can remove it, etc.
-deniedWebShellTokens=freemarker,<script,javascript,<body,<form,<jsp:,<c:out,taglib,<prefix,<%@ page,\
+deniedWebShellTokens=freemarker,<script,javascript,<body,<form,<jsp:,<c:out,taglib,<prefix,<%@ page,<?php,exec(\
 %eval,@eval,eval(,runtime,import,passthru,shell_exec,assert,str_rot13,system,decode,include,page ,\
 chmod,mkdir,fopen,fclose,new file,upload,getfilename,download,getoutputstring,readfile,\
- python,perl ,/perl,ruby ,/ruby,process,function,class,InputStream,to_server,\
- ifconfig,route,crontab,netstat,uname,hostname,iptables,whoami,"cmd",*cmd|,+cmd|,=cmd|
+ python,perl ,/perl,ruby ,/ruby,process,function,class,InputStream,to_server,wget,\
+ ifconfig,route,crontab,netstat,uname,hostname,iptables,whoami,"cmd",*cmd|,+cmd|,=cmd|,localhost
 #-- Max line length for uploaded files, by default 10000