This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release22.01 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release22.01 by this push: new f2894c65d7 Improved: Secure the uploads (OFBIZ-12080) f2894c65d7 is described below commit f2894c65d732905097007158ff49fc5ae279849e Author: Jacques Le Roux <jacques.le.r...@les7arts.com> AuthorDate: Mon Apr 25 10:56:09 2022 +0200 Improved: Secure the uploads (OFBIZ-12080) I did not have these ones, found there https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md and there https://github.com/tennc/webshell --- framework/security/config/security.properties | 4 ++-- .../src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java | 8 ++++++-- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/framework/security/config/security.properties b/framework/security/config/security.properties index 2c60cdcda3..03dbc8ee6b 100644 --- a/framework/security/config/security.properties +++ b/framework/security/config/security.properties @@ -256,11 +256,11 @@ allowAllUploads= #-- Else "template.utility.Execute" is a good replacement but not as much catching, who knows... #-- #-- If you are sure you are safe for a token you can remove it, etc. -deniedWebShellTokens=java.,beans,freemarker,<script,javascript,<body,<form,<jsp:,<c:out,taglib,<prefix,<%@ page,<?php,exec(,alert(,\ +deniedWebShellTokens=java.,beans,freemarker,<script,javascript,<body,body ,<form,<jsp:,<c:out,taglib,<prefix,<%@ page,<?php,exec(,alert(,\ %eval,@eval,eval(,runtime,import,passthru,shell_exec,assert,str_rot13,system,decode,include,page ,\ chmod,mkdir,fopen,fclose,new file,upload,getfilename,download,getoutputstring,readfile,iframe,object,embed,onload,build,\ python,perl ,/perl,ruby ,/ruby,process,function,class,InputStream,to_server,wget ,static,assign,webappPath,\ - ifconfig,route,crontab,netstat,uname ,hostname,iptables,whoami,"cmd",*cmd|,+cmd|,=cmd|,localhost + ifconfig,route,crontab,netstat,uname ,hostname,iptables,whoami,"cmd",*cmd|,+cmd|,=cmd|,localhost,thread,require,gzdeflate #-- Max line length for uploaded files, by default 10000 maxLineLength= diff --git a/framework/security/src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java b/framework/security/src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java index 3eac13c9c6..75730a3fcc 100644 --- a/framework/security/src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java +++ b/framework/security/src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java @@ -59,11 +59,11 @@ public class SecurityUtilTest { @Test public void webShellTokensTesting() { // Currently used - // java.,beans,freemarker,<script,javascript,<body,<form,<jsp:,<c:out,taglib,<prefix,<%@ page,<?php,exec(,alert(,\ + // java.,beans,freemarker,<script,javascript,<body,body <form,<jsp:,<c:out,taglib,<prefix,<%@ page,<?php,exec(,alert(,\ // %eval,@eval,eval(,runtime,import,passthru,shell_exec,assert,str_rot13,system,decode,include,page ,\ // chmod,mkdir,fopen,fclose,new file,upload,getfilename,download,getoutputstring,readfile,iframe,object,embed,onload,build\ // python,perl ,/perl,ruby ,/ruby,process,function,class,InputStream,to_server,wget ,static,assign,webappPath,\ - // ifconfig,route,crontab,netstat,uname ,hostname,iptables,whoami,"cmd",*cmd|,+cmd|,=cmd|,localhost + // ifconfig,route,crontab,netstat,uname ,hostname,iptables,whoami,"cmd",*cmd|,+cmd|,=cmd|,localhost,thread,require,gzdeflate try { List<String> allowed = new ArrayList<>(); @@ -78,6 +78,7 @@ public class SecurityUtilTest { assertFalse(SecuredUpload.isValidText("<script", allowed)); assertFalse(SecuredUpload.isValidText("javascript", allowed)); assertFalse(SecuredUpload.isValidText("<body", allowed)); + assertFalse(SecuredUpload.isValidText("body ", allowed)); assertFalse(SecuredUpload.isValidText("<form", allowed)); assertFalse(SecuredUpload.isValidText("<jsp:", allowed)); assertFalse(SecuredUpload.isValidText("<c:out", allowed)); @@ -142,6 +143,9 @@ public class SecurityUtilTest { assertFalse(SecuredUpload.isValidText("+cmd|", allowed)); assertFalse(SecuredUpload.isValidText("=cmd|", allowed)); assertFalse(SecuredUpload.isValidText("localhost", allowed)); + assertFalse(SecuredUpload.isValidText("thread", allowed)); + assertFalse(SecuredUpload.isValidText("require", allowed)); + assertFalse(SecuredUpload.isValidText("gzdeflate", allowed)); } catch (IOException e) { fail(String.format("IOException occured : %s", e.getMessage()));