buildbot success in on ofbizTrunkFrameworkPlugins

2020-12-14 Thread buildbot 
The Buildbot has detected a restored build on builder 
ofbizTrunkFrameworkPlugins while building ofbiz-framework. Full details are 
available at:
https://ci.apache.org/builders/ofbizTrunkFrameworkPlugins/builds/1917

Buildbot URL: https://ci.apache.org/

Buildslave for this Build: asf946_ubuntu

Build Reason: downstream
Build Source Stamp: [branch trunk] c4650ff9bc9681d793f5cc9886618f1b042d9d58
Blamelist: Jacques Le Roux 

Build succeeded!

Sincerely,
 -The Buildbot

buildbot exception in on ofbizBranch18Framework

2020-12-14 Thread buildbot 
The Buildbot has detected a build exception on builder ofbizBranch18Framework 
while building ofbiz-framework. Full details are available at:
https://ci.apache.org/builders/ofbizBranch18Framework/builds/424

Buildbot URL: https://ci.apache.org/

Buildslave for this Build: asf945_ubuntu

Build Reason: The AnyBranchScheduler scheduler named 
'onBranch18FrameworkCommit' triggered this build
Build Source Stamp: [branch release18.12] 
e3c274128b9e447dc34f7114c91ad2098a683422
Blamelist: Jacques Le Roux 

BUILD FAILED: exception upload

Sincerely,
 -The Buildbot

[ofbiz-framework] branch release18.12 updated: Fixed: Secure the uploads (OFBIZ-12080)

2020-12-14 Thread jleroux 
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release18.12 by this push:
 new e3c2741  Fixed: Secure the uploads (OFBIZ-12080)
e3c2741 is described below

commit e3c274128b9e447dc34f7114c91ad2098a683422
Author: Jacques Le Roux 
AuthorDate: Mon Dec 14 19:00:37 2020 +0100

Fixed: Secure the uploads (OFBIZ-12080)

According to https://s.apache.org/rpzog, adds few, maybe redundant, Java
API/methods found in webshell, or alike, source code
---
 .../main/java/org/apache/ofbiz/security/SecuredUpload.java | 14 ++
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git 
a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java 
b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
index 273bdf5..d9c0952 100644
--- 
a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
+++ 
b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
@@ -111,8 +111,8 @@ public class SecuredUpload {
 return false;
 } else if 
(!fileToCheck.matches("[a-zA-Z0-9]{1,249}.[a-zA-Z0-9]{1,10}")) {
 Debug.logError("Uploaded file "
-+ " should contain only Alpha-Numeric characters, only 
1 dot as an input for the file name and the extension; "
-+ "in which the file name and also the extension 
should not be empty at all  ",
++ " should contain only Alpha-Numeric characters, only 
1 dot as an input for the file name and the extension."
++ "The file name and the extension should not be empty 
at all",
 MODULE);
 return false;
 }
@@ -122,8 +122,8 @@ public class SecuredUpload {
 return false;
 } else if 
(!fileToCheck.matches("[a-zA-Z0-9]{1,4086}.[a-zA-Z0-9]{1,10}")) {
 Debug.logError("Uploaded file "
-+ " should contain only Alpha-Numeric characters, only 
1 dot as an input for the file name and the extension; "
-+ "in which the file name and also the extension 
should not be empty at all  ",
++ " should contain only Alpha-Numeric characters, only 
1 dot as an input for the file name and the extension."
++ "Tthe file name and the extension should not be 
empty at all",
 MODULE);
 return false;
 }
@@ -619,6 +619,12 @@ public class SecuredUpload {
 || content.toLowerCase().contains("mkdir")
 || content.toLowerCase().contains("fopen")
 || content.toLowerCase().contains("fclose")
+|| content.toLowerCase().contains("new file")
+|| content.toLowerCase().contains("import")
+|| content.toLowerCase().contains("upload")
+|| content.toLowerCase().contains("getFileName")
+|| content.toLowerCase().contains("Download")
+|| content.toLowerCase().contains("getOutputString")
 || content.toLowerCase().contains("readfile"));
 // TODO to be continued with known webshell contents... a complete 
allow list is impossible anyway...
 // eg: 
https://www.acunetix.com/blog/articles/detection-prevention-introduction-web-shells-part-5/

[ofbiz-framework] branch release17.12 updated: Fixed: Secure the uploads (OFBIZ-12080)

2020-12-14 Thread jleroux 
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release17.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release17.12 by this push:
 new 363e0be  Fixed: Secure the uploads (OFBIZ-12080)
363e0be is described below

commit 363e0be7708cd30c4c3c994716352a6e57305973
Author: Jacques Le Roux 
AuthorDate: Mon Dec 14 19:00:37 2020 +0100

Fixed: Secure the uploads (OFBIZ-12080)

According to https://s.apache.org/rpzog, adds few, maybe redundant, Java
API/methods found in webshell, or alike, source code
---
 .../main/java/org/apache/ofbiz/security/SecuredUpload.java | 14 ++
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git 
a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java 
b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
index 273bdf5..d9c0952 100644
--- 
a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
+++ 
b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
@@ -111,8 +111,8 @@ public class SecuredUpload {
 return false;
 } else if 
(!fileToCheck.matches("[a-zA-Z0-9]{1,249}.[a-zA-Z0-9]{1,10}")) {
 Debug.logError("Uploaded file "
-+ " should contain only Alpha-Numeric characters, only 
1 dot as an input for the file name and the extension; "
-+ "in which the file name and also the extension 
should not be empty at all  ",
++ " should contain only Alpha-Numeric characters, only 
1 dot as an input for the file name and the extension."
++ "The file name and the extension should not be empty 
at all",
 MODULE);
 return false;
 }
@@ -122,8 +122,8 @@ public class SecuredUpload {
 return false;
 } else if 
(!fileToCheck.matches("[a-zA-Z0-9]{1,4086}.[a-zA-Z0-9]{1,10}")) {
 Debug.logError("Uploaded file "
-+ " should contain only Alpha-Numeric characters, only 
1 dot as an input for the file name and the extension; "
-+ "in which the file name and also the extension 
should not be empty at all  ",
++ " should contain only Alpha-Numeric characters, only 
1 dot as an input for the file name and the extension."
++ "Tthe file name and the extension should not be 
empty at all",
 MODULE);
 return false;
 }
@@ -619,6 +619,12 @@ public class SecuredUpload {
 || content.toLowerCase().contains("mkdir")
 || content.toLowerCase().contains("fopen")
 || content.toLowerCase().contains("fclose")
+|| content.toLowerCase().contains("new file")
+|| content.toLowerCase().contains("import")
+|| content.toLowerCase().contains("upload")
+|| content.toLowerCase().contains("getFileName")
+|| content.toLowerCase().contains("Download")
+|| content.toLowerCase().contains("getOutputString")
 || content.toLowerCase().contains("readfile"));
 // TODO to be continued with known webshell contents... a complete 
allow list is impossible anyway...
 // eg: 
https://www.acunetix.com/blog/articles/detection-prevention-introduction-web-shells-part-5/

[ofbiz-framework] branch trunk updated: Fixed: Secure the uploads (OFBIZ-12080)

2020-12-14 Thread jleroux 
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/trunk by this push:
 new c4650ff  Fixed: Secure the uploads (OFBIZ-12080)
c4650ff is described below

commit c4650ff9bc9681d793f5cc9886618f1b042d9d58
Author: Jacques Le Roux 
AuthorDate: Mon Dec 14 19:00:37 2020 +0100

Fixed: Secure the uploads (OFBIZ-12080)

According to https://s.apache.org/rpzog, adds few, maybe redundant, Java
API/methods found in webshell, or alike, source code
---
 .../main/java/org/apache/ofbiz/security/SecuredUpload.java | 14 ++
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git 
a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java 
b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
index 273bdf5..d9c0952 100644
--- 
a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
+++ 
b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
@@ -111,8 +111,8 @@ public class SecuredUpload {
 return false;
 } else if 
(!fileToCheck.matches("[a-zA-Z0-9]{1,249}.[a-zA-Z0-9]{1,10}")) {
 Debug.logError("Uploaded file "
-+ " should contain only Alpha-Numeric characters, only 
1 dot as an input for the file name and the extension; "
-+ "in which the file name and also the extension 
should not be empty at all  ",
++ " should contain only Alpha-Numeric characters, only 
1 dot as an input for the file name and the extension."
++ "The file name and the extension should not be empty 
at all",
 MODULE);
 return false;
 }
@@ -122,8 +122,8 @@ public class SecuredUpload {
 return false;
 } else if 
(!fileToCheck.matches("[a-zA-Z0-9]{1,4086}.[a-zA-Z0-9]{1,10}")) {
 Debug.logError("Uploaded file "
-+ " should contain only Alpha-Numeric characters, only 
1 dot as an input for the file name and the extension; "
-+ "in which the file name and also the extension 
should not be empty at all  ",
++ " should contain only Alpha-Numeric characters, only 
1 dot as an input for the file name and the extension."
++ "Tthe file name and the extension should not be 
empty at all",
 MODULE);
 return false;
 }
@@ -619,6 +619,12 @@ public class SecuredUpload {
 || content.toLowerCase().contains("mkdir")
 || content.toLowerCase().contains("fopen")
 || content.toLowerCase().contains("fclose")
+|| content.toLowerCase().contains("new file")
+|| content.toLowerCase().contains("import")
+|| content.toLowerCase().contains("upload")
+|| content.toLowerCase().contains("getFileName")
+|| content.toLowerCase().contains("Download")
+|| content.toLowerCase().contains("getOutputString")
 || content.toLowerCase().contains("readfile"));
 // TODO to be continued with known webshell contents... a complete 
allow list is impossible anyway...
 // eg: 
https://www.acunetix.com/blog/articles/detection-prevention-introduction-web-shells-part-5/

buildbot failure in on ofbizNextFrameworkRat

2020-12-14 Thread buildbot 
The Buildbot has detected a new failure on builder ofbizNextFrameworkRat while 
building ofbiz-framework. Full details are available at:
https://ci.apache.org/builders/ofbizNextFrameworkRat/builds/84

Buildbot URL: https://ci.apache.org/

Buildslave for this Build: asf945_ubuntu

Build Reason: downstream
Build Source Stamp: [branch release18.12] 
16ffa216d9a22a02a7e846a15a3a836a0212849d
Blamelist: Jacques Le Roux 

BUILD FAILED: failed

Sincerely,
 -The Buildbot

buildbot exception in on ofbizTrunkFrameworkPlugins

2020-12-14 Thread buildbot 
The Buildbot has detected a build exception on builder 
ofbizTrunkFrameworkPlugins while building ofbiz-framework. Full details are 
available at:
https://ci.apache.org/builders/ofbizTrunkFrameworkPlugins/builds/1916

Buildbot URL: https://ci.apache.org/

Buildslave for this Build: asf945_ubuntu

Build Reason: downstream
Build Source Stamp: [branch trunk] 179dd2411abdbcda82242266e794abbc20e07720
Blamelist: Jacques Le Roux 

BUILD FAILED: exception upload test-results part 1

Sincerely,
 -The Buildbot

buildbot failure in on ofbizTrunkFrameworkRat

2020-12-14 Thread buildbot 
The Buildbot has detected a new failure on builder ofbizTrunkFrameworkRat while 
building ofbiz-framework. Full details are available at:
https://ci.apache.org/builders/ofbizTrunkFrameworkRat/builds/1414

Buildbot URL: https://ci.apache.org/

Buildslave for this Build: asf945_ubuntu

Build Reason: downstream
Build Source Stamp: [branch trunk] 179dd2411abdbcda82242266e794abbc20e07720
Blamelist: Jacques Le Roux 

BUILD FAILED: failed

Sincerely,
 -The Buildbot

buildbot success in on ofbizTrunkFramework

2020-12-14 Thread buildbot 
The Buildbot has detected a restored build on builder ofbizTrunkFramework while 
building ofbiz-framework. Full details are available at:
https://ci.apache.org/builders/ofbizTrunkFramework/builds/2010

Buildbot URL: https://ci.apache.org/

Buildslave for this Build: asf946_ubuntu

Build Reason: The AnyBranchScheduler scheduler named 'onTrunkFrameworkCommit' 
triggered this build
Build Source Stamp: [branch trunk] 179dd2411abdbcda82242266e794abbc20e07720
Blamelist: Jacques Le Roux 

Build succeeded!

Sincerely,
 -The Buildbot

buildbot exception in on ofbizBranch17Framework

2020-12-14 Thread buildbot 
The Buildbot has detected a build exception on builder ofbizBranch17Framework 
while building ofbiz-framework. Full details are available at:
https://ci.apache.org/builders/ofbizBranch17Framework/builds/551

Buildbot URL: https://ci.apache.org/

Buildslave for this Build: asf945_ubuntu

Build Reason: The AnyBranchScheduler scheduler named 
'onBranch17FrameworkCommit' triggered this build
Build Source Stamp: [branch release17.12] 
ba6470b9eaab8913a3d8c1305774c2321c338e38
Blamelist: Jacques Le Roux 

BUILD FAILED: exception upload

Sincerely,
 -The Buildbot

[ofbiz-framework] branch release18.12 updated: Fixed: Secure the uploads (OFBIZ-12080)

2020-12-14 Thread jleroux 
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release18.12 by this push:
 new 16ffa21  Fixed: Secure the uploads (OFBIZ-12080)
16ffa21 is described below

commit 16ffa216d9a22a02a7e846a15a3a836a0212849d
Author: Jacques Le Roux 
AuthorDate: Mon Dec 14 16:46:05 2020 +0100

Fixed: Secure the uploads (OFBIZ-12080)

Follows OWASP advice on file names:

All the control characters and Unicode ones should be removed from the 
filenames
and their extensions without any exception. Also, the special characters 
such as
“;”, “:”, “>”, “<”, “/” ,”\”, additional “.”, “*”, “%”, “$”, and so on 
should be
discarded as well.

If it is applicable and there is no need to have Unicode characters, it is
highly recommended to only accept Alpha-Numeric characters and only 1 dot 
as an
input for the file name and the extension; in which the file name and also 
the
extension should not be empty at all
(regular expression: [a-zA-Z0-9]{1,200}.[a-zA-Z0-9]{1,10}).

So if someone needs other chars in uploaded filenames a change will be 
needed
---
 .../main/java/org/apache/ofbiz/security/SecuredUpload.java | 14 ++
 1 file changed, 14 insertions(+)

diff --git 
a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java 
b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
index a8321dc..273bdf5 100644
--- 
a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
+++ 
b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
@@ -107,10 +107,24 @@ public class SecuredUpload {
 
 if (org.apache.commons.lang3.SystemUtils.IS_OS_WINDOWS) {
 if (fileToCheck.length() > 259) {
+Debug.logError("Uploaded file name too long", MODULE);
+return false;
+} else if 
(!fileToCheck.matches("[a-zA-Z0-9]{1,249}.[a-zA-Z0-9]{1,10}")) {
+Debug.logError("Uploaded file "
++ " should contain only Alpha-Numeric characters, only 
1 dot as an input for the file name and the extension; "
++ "in which the file name and also the extension 
should not be empty at all  ",
+MODULE);
 return false;
 }
 } else {
 if (fileToCheck.length() > 4096) {
+Debug.logError("Uploaded file name too long", MODULE);
+return false;
+} else if 
(!fileToCheck.matches("[a-zA-Z0-9]{1,4086}.[a-zA-Z0-9]{1,10}")) {
+Debug.logError("Uploaded file "
++ " should contain only Alpha-Numeric characters, only 
1 dot as an input for the file name and the extension; "
++ "in which the file name and also the extension 
should not be empty at all  ",
+MODULE);
 return false;
 }
 }

[ofbiz-framework] branch trunk updated: Fixed: Secure the uploads (OFBIZ-12080)

2020-12-14 Thread jleroux 
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/trunk by this push:
 new 179dd24  Fixed: Secure the uploads (OFBIZ-12080)
179dd24 is described below

commit 179dd2411abdbcda82242266e794abbc20e07720
Author: Jacques Le Roux 
AuthorDate: Mon Dec 14 16:46:05 2020 +0100

Fixed: Secure the uploads (OFBIZ-12080)

Follows OWASP advice on file names:

All the control characters and Unicode ones should be removed from the 
filenames
and their extensions without any exception. Also, the special characters 
such as
“;”, “:”, “>”, “<”, “/” ,”\”, additional “.”, “*”, “%”, “$”, and so on 
should be
discarded as well.

If it is applicable and there is no need to have Unicode characters, it is
highly recommended to only accept Alpha-Numeric characters and only 1 dot 
as an
input for the file name and the extension; in which the file name and also 
the
extension should not be empty at all
(regular expression: [a-zA-Z0-9]{1,200}.[a-zA-Z0-9]{1,10}).

So if someone needs other chars in uploaded filenames a change will be 
needed
---
 .../main/java/org/apache/ofbiz/security/SecuredUpload.java | 14 ++
 1 file changed, 14 insertions(+)

diff --git 
a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java 
b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
index a8321dc..273bdf5 100644
--- 
a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
+++ 
b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
@@ -107,10 +107,24 @@ public class SecuredUpload {
 
 if (org.apache.commons.lang3.SystemUtils.IS_OS_WINDOWS) {
 if (fileToCheck.length() > 259) {
+Debug.logError("Uploaded file name too long", MODULE);
+return false;
+} else if 
(!fileToCheck.matches("[a-zA-Z0-9]{1,249}.[a-zA-Z0-9]{1,10}")) {
+Debug.logError("Uploaded file "
++ " should contain only Alpha-Numeric characters, only 
1 dot as an input for the file name and the extension; "
++ "in which the file name and also the extension 
should not be empty at all  ",
+MODULE);
 return false;
 }
 } else {
 if (fileToCheck.length() > 4096) {
+Debug.logError("Uploaded file name too long", MODULE);
+return false;
+} else if 
(!fileToCheck.matches("[a-zA-Z0-9]{1,4086}.[a-zA-Z0-9]{1,10}")) {
+Debug.logError("Uploaded file "
++ " should contain only Alpha-Numeric characters, only 
1 dot as an input for the file name and the extension; "
++ "in which the file name and also the extension 
should not be empty at all  ",
+MODULE);
 return false;
 }
 }

[ofbiz-framework] branch release17.12 updated: Fixed: Secure the uploads (OFBIZ-12080)

2020-12-14 Thread jleroux 
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release17.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release17.12 by this push:
 new ba6470b  Fixed: Secure the uploads (OFBIZ-12080)
ba6470b is described below

commit ba6470b9eaab8913a3d8c1305774c2321c338e38
Author: Jacques Le Roux 
AuthorDate: Mon Dec 14 16:46:05 2020 +0100

Fixed: Secure the uploads (OFBIZ-12080)

Follows OWASP advice on file names:

All the control characters and Unicode ones should be removed from the 
filenames
and their extensions without any exception. Also, the special characters 
such as
“;”, “:”, “>”, “<”, “/” ,”\”, additional “.”, “*”, “%”, “$”, and so on 
should be
discarded as well.

If it is applicable and there is no need to have Unicode characters, it is
highly recommended to only accept Alpha-Numeric characters and only 1 dot 
as an
input for the file name and the extension; in which the file name and also 
the
extension should not be empty at all
(regular expression: [a-zA-Z0-9]{1,200}.[a-zA-Z0-9]{1,10}).

So if someone needs other chars in uploaded filenames a change will be 
needed
---
 .../main/java/org/apache/ofbiz/security/SecuredUpload.java | 14 ++
 1 file changed, 14 insertions(+)

diff --git 
a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java 
b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
index a8321dc..273bdf5 100644
--- 
a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
+++ 
b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
@@ -107,10 +107,24 @@ public class SecuredUpload {
 
 if (org.apache.commons.lang3.SystemUtils.IS_OS_WINDOWS) {
 if (fileToCheck.length() > 259) {
+Debug.logError("Uploaded file name too long", MODULE);
+return false;
+} else if 
(!fileToCheck.matches("[a-zA-Z0-9]{1,249}.[a-zA-Z0-9]{1,10}")) {
+Debug.logError("Uploaded file "
++ " should contain only Alpha-Numeric characters, only 
1 dot as an input for the file name and the extension; "
++ "in which the file name and also the extension 
should not be empty at all  ",
+MODULE);
 return false;
 }
 } else {
 if (fileToCheck.length() > 4096) {
+Debug.logError("Uploaded file name too long", MODULE);
+return false;
+} else if 
(!fileToCheck.matches("[a-zA-Z0-9]{1,4086}.[a-zA-Z0-9]{1,10}")) {
+Debug.logError("Uploaded file "
++ " should contain only Alpha-Numeric characters, only 
1 dot as an input for the file name and the extension; "
++ "in which the file name and also the extension 
should not be empty at all  ",
+MODULE);
 return false;
 }
 }

buildbot success in on ofbizBranch18Framework

2020-12-14 Thread buildbot 
The Buildbot has detected a restored build on builder ofbizBranch18Framework 
while building . Full details are available at:
https://ci.apache.org/builders/ofbizBranch18Framework/builds/422

Buildbot URL: https://ci.apache.org/

Buildslave for this Build: asf947_ubuntu

Build Reason: forced: by IRC user  (privmsg): forces manual build 
after BuildBot read-only error
Build Source Stamp: HEAD
Blamelist: 

Build succeeded!

Sincerely,
 -The Buildbot

buildbot failure in on ofbizBranch18Framework

2020-12-14 Thread buildbot 
The Buildbot has detected a new failure on builder ofbizBranch18Framework while 
building ofbiz-framework. Full details are available at:
https://ci.apache.org/builders/ofbizBranch18Framework/builds/421

Buildbot URL: https://ci.apache.org/

Buildslave for this Build: asf947_ubuntu

Build Reason: The AnyBranchScheduler scheduler named 
'onBranch18FrameworkCommit' triggered this build
Build Source Stamp: [branch release18.12] 
b159dffb15c36daa2d3d1f3a622734c681a0c21e
Blamelist: Jacques Le Roux 

BUILD FAILED: failed shell_2

Sincerely,
 -The Buildbot

buildbot failure in on ofbizStableFrameworkRat

2020-12-14 Thread buildbot 
The Buildbot has detected a new failure on builder ofbizStableFrameworkRat 
while building ofbiz-framework. Full details are available at:
https://ci.apache.org/builders/ofbizStableFrameworkRat/builds/68

Buildbot URL: https://ci.apache.org/

Buildslave for this Build: asf945_ubuntu

Build Reason: downstream
Build Source Stamp: [branch release17.12] 
00d875251c94496b198ef4fdad61f42fd8318727
Blamelist: Jacques Le Roux 

BUILD FAILED: failed

Sincerely,
 -The Buildbot

buildbot exception in on ofbizTrunkFramework

2020-12-14 Thread buildbot 
The Buildbot has detected a build exception on builder ofbizTrunkFramework 
while building ofbiz-framework. Full details are available at:
https://ci.apache.org/builders/ofbizTrunkFramework/builds/2009

Buildbot URL: https://ci.apache.org/

Buildslave for this Build: asf945_ubuntu

Build Reason: The AnyBranchScheduler scheduler named 'onTrunkFrameworkCommit' 
triggered this build
Build Source Stamp: [branch trunk] 63e2b526b84442eace3bbecafc4b12f8aeaf141d
Blamelist: Jacques Le Roux 

BUILD FAILED: exception upload test-results part 1

Sincerely,
 -The Buildbot

[ofbiz-framework] branch release17.12 updated: Fixed: Secure the uploads (OFBIZ-12080)

2020-12-14 Thread jleroux 
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release17.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release17.12 by this push:
 new 00d8752  Fixed: Secure the uploads (OFBIZ-12080)
00d8752 is described below

commit 00d875251c94496b198ef4fdad61f42fd8318727
Author: Jacques Le Roux 
AuthorDate: Mon Dec 14 12:46:32 2020 +0100

Fixed: Secure the uploads (OFBIZ-12080)

Prevents too long filenames as recommended by OWASP.

Based on 
https://security.stackexchange.com/questions/46484/denial-of-service-when-uploading-a-file#answer-46495
I decided to not limit sizes of files. Anyway we know it's only post-auth...
---
 .../org/apache/ofbiz/security/SecuredUpload.java   | 56 +-
 1 file changed, 33 insertions(+), 23 deletions(-)

diff --git 
a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java 
b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
index 0751067..a8321dc 100644
--- 
a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
+++ 
b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
@@ -93,51 +93,61 @@ public class SecuredUpload {
 private static final String MODULE = SecuredUpload.class.getName();
 
 /**
- * @param fileTocheck
+ * @param fileToCheck
  * @param fileType
  * @return true if the file is valid
  * @throws IOException
  * @throws ImageReadException
  */
-public static boolean isValidFile(String fileTocheck, String fileType, 
Delegator delegator) throws IOException, ImageReadException {
+public static boolean isValidFile(String fileToCheck, String fileType, 
Delegator delegator) throws IOException, ImageReadException {
 
 if 
(("true".equalsIgnoreCase(EntityUtilProperties.getPropertyValue("security", 
"allowAllUploads", delegator {
 return true;
 }
 
-if (isExecutable(fileTocheck)) {
+if (org.apache.commons.lang3.SystemUtils.IS_OS_WINDOWS) {
+if (fileToCheck.length() > 259) {
+return false;
+}
+} else {
+if (fileToCheck.length() > 4096) {
+return false;
+}
+}
+
+if (isExecutable(fileToCheck)) {
 return false;
 }
 
 switch (fileType) {
 case "Image":
-if (isValidImageFile(fileTocheck)) {
+if (isValidImageFile(fileToCheck)) {
 return true;
 }
 break;
 
 case "ImageAndSvg":
-if (isValidImageIncludingSvgFile(fileTocheck)) {
+if (isValidImageIncludingSvgFile(fileToCheck)) {
 return true;
 }
 break;
 
 case "PDF":
-if (isValidPdfFile(fileTocheck)) {
+if (isValidPdfFile(fileToCheck)) {
 return true;
 }
 break;
 
 case "Compressed":
-if (isValidCompressedFile(fileTocheck, delegator)) {
+if (isValidCompressedFile(fileToCheck, delegator)) {
 return true;
 }
 break;
 
 case "AllButCompressed":
-if (isValidTextFile(fileTocheck)
-|| isValidImageIncludingSvgFile(fileTocheck)
-|| isValidPdfFile(fileTocheck)) {
+if (isValidTextFile(fileToCheck)
+|| isValidImageIncludingSvgFile(fileToCheck)
+|| isValidPdfFile(fileToCheck)) {
 return true;
 }
 break;
@@ -146,37 +156,37 @@ public class SecuredUpload {
 // The philosophy for isValidTextFile() is that
 // we can't presume of all possible text contents used for attacks 
with payloads
 // At least there is an easy way to prevent them in isValidTextFile
-if (isValidTextFile(fileTocheck)) {
+if (isValidTextFile(fileToCheck)) {
 return true;
 }
 break;
 
 case "Audio":
-if (isValidAudioFile(fileTocheck)) {
+if (isValidAudioFile(fileToCheck)) {
 return true;
 }
 break;
 case "Video":
-if (isValidVideoFile(fileTocheck)) {
+if (isValidVideoFile(fileToCheck)) {
 return true;
 }
 break;
 
 default: // All
-if (isValidTextFile(fileTocheck)
-|| isValidImageIncludingSvgFile(fileTocheck)
-|| isValidCompressedFile(fileTocheck, delegator)
-|| isValidAudioFile(fileTocheck)
-|| isValidVideoFile(fileTocheck)
-|| isValidPdfFile(fileTocheck)) {
+if (isValidTextFile(fileToCheck)
+

[ofbiz-framework] branch release18.12 updated: Fixed: Secure the uploads (OFBIZ-12080)

2020-12-14 Thread jleroux 
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release18.12 by this push:
 new b159dff  Fixed: Secure the uploads (OFBIZ-12080)
b159dff is described below

commit b159dffb15c36daa2d3d1f3a622734c681a0c21e
Author: Jacques Le Roux 
AuthorDate: Mon Dec 14 12:46:32 2020 +0100

Fixed: Secure the uploads (OFBIZ-12080)

Prevents too long filenames as recommended by OWASP.

Based on 
https://security.stackexchange.com/questions/46484/denial-of-service-when-uploading-a-file#answer-46495
I decided to not limit sizes of files. Anyway we know it's only post-auth...
---
 .../org/apache/ofbiz/security/SecuredUpload.java   | 56 +-
 1 file changed, 33 insertions(+), 23 deletions(-)

diff --git 
a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java 
b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
index 0751067..a8321dc 100644
--- 
a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
+++ 
b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
@@ -93,51 +93,61 @@ public class SecuredUpload {
 private static final String MODULE = SecuredUpload.class.getName();
 
 /**
- * @param fileTocheck
+ * @param fileToCheck
  * @param fileType
  * @return true if the file is valid
  * @throws IOException
  * @throws ImageReadException
  */
-public static boolean isValidFile(String fileTocheck, String fileType, 
Delegator delegator) throws IOException, ImageReadException {
+public static boolean isValidFile(String fileToCheck, String fileType, 
Delegator delegator) throws IOException, ImageReadException {
 
 if 
(("true".equalsIgnoreCase(EntityUtilProperties.getPropertyValue("security", 
"allowAllUploads", delegator {
 return true;
 }
 
-if (isExecutable(fileTocheck)) {
+if (org.apache.commons.lang3.SystemUtils.IS_OS_WINDOWS) {
+if (fileToCheck.length() > 259) {
+return false;
+}
+} else {
+if (fileToCheck.length() > 4096) {
+return false;
+}
+}
+
+if (isExecutable(fileToCheck)) {
 return false;
 }
 
 switch (fileType) {
 case "Image":
-if (isValidImageFile(fileTocheck)) {
+if (isValidImageFile(fileToCheck)) {
 return true;
 }
 break;
 
 case "ImageAndSvg":
-if (isValidImageIncludingSvgFile(fileTocheck)) {
+if (isValidImageIncludingSvgFile(fileToCheck)) {
 return true;
 }
 break;
 
 case "PDF":
-if (isValidPdfFile(fileTocheck)) {
+if (isValidPdfFile(fileToCheck)) {
 return true;
 }
 break;
 
 case "Compressed":
-if (isValidCompressedFile(fileTocheck, delegator)) {
+if (isValidCompressedFile(fileToCheck, delegator)) {
 return true;
 }
 break;
 
 case "AllButCompressed":
-if (isValidTextFile(fileTocheck)
-|| isValidImageIncludingSvgFile(fileTocheck)
-|| isValidPdfFile(fileTocheck)) {
+if (isValidTextFile(fileToCheck)
+|| isValidImageIncludingSvgFile(fileToCheck)
+|| isValidPdfFile(fileToCheck)) {
 return true;
 }
 break;
@@ -146,37 +156,37 @@ public class SecuredUpload {
 // The philosophy for isValidTextFile() is that
 // we can't presume of all possible text contents used for attacks 
with payloads
 // At least there is an easy way to prevent them in isValidTextFile
-if (isValidTextFile(fileTocheck)) {
+if (isValidTextFile(fileToCheck)) {
 return true;
 }
 break;
 
 case "Audio":
-if (isValidAudioFile(fileTocheck)) {
+if (isValidAudioFile(fileToCheck)) {
 return true;
 }
 break;
 case "Video":
-if (isValidVideoFile(fileTocheck)) {
+if (isValidVideoFile(fileToCheck)) {
 return true;
 }
 break;
 
 default: // All
-if (isValidTextFile(fileTocheck)
-|| isValidImageIncludingSvgFile(fileTocheck)
-|| isValidCompressedFile(fileTocheck, delegator)
-|| isValidAudioFile(fileTocheck)
-|| isValidVideoFile(fileTocheck)
-|| isValidPdfFile(fileTocheck)) {
+if (isValidTextFile(fileToCheck)
+

[ofbiz-framework] branch trunk updated: Fixed: Secure the uploads (OFBIZ-12080)

2020-12-14 Thread jleroux 
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/trunk by this push:
 new 63e2b52  Fixed: Secure the uploads (OFBIZ-12080)
63e2b52 is described below

commit 63e2b526b84442eace3bbecafc4b12f8aeaf141d
Author: Jacques Le Roux 
AuthorDate: Mon Dec 14 12:46:32 2020 +0100

Fixed: Secure the uploads (OFBIZ-12080)

Prevents too long filenames as recommended by OWASP.

Based on 
https://security.stackexchange.com/questions/46484/denial-of-service-when-uploading-a-file#answer-46495
I decided to not limit sizes of files. Anyway we know it's only post-auth...
---
 .../org/apache/ofbiz/security/SecuredUpload.java   | 56 +-
 1 file changed, 33 insertions(+), 23 deletions(-)

diff --git 
a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java 
b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
index 0751067..a8321dc 100644
--- 
a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
+++ 
b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
@@ -93,51 +93,61 @@ public class SecuredUpload {
 private static final String MODULE = SecuredUpload.class.getName();
 
 /**
- * @param fileTocheck
+ * @param fileToCheck
  * @param fileType
  * @return true if the file is valid
  * @throws IOException
  * @throws ImageReadException
  */
-public static boolean isValidFile(String fileTocheck, String fileType, 
Delegator delegator) throws IOException, ImageReadException {
+public static boolean isValidFile(String fileToCheck, String fileType, 
Delegator delegator) throws IOException, ImageReadException {
 
 if 
(("true".equalsIgnoreCase(EntityUtilProperties.getPropertyValue("security", 
"allowAllUploads", delegator {
 return true;
 }
 
-if (isExecutable(fileTocheck)) {
+if (org.apache.commons.lang3.SystemUtils.IS_OS_WINDOWS) {
+if (fileToCheck.length() > 259) {
+return false;
+}
+} else {
+if (fileToCheck.length() > 4096) {
+return false;
+}
+}
+
+if (isExecutable(fileToCheck)) {
 return false;
 }
 
 switch (fileType) {
 case "Image":
-if (isValidImageFile(fileTocheck)) {
+if (isValidImageFile(fileToCheck)) {
 return true;
 }
 break;
 
 case "ImageAndSvg":
-if (isValidImageIncludingSvgFile(fileTocheck)) {
+if (isValidImageIncludingSvgFile(fileToCheck)) {
 return true;
 }
 break;
 
 case "PDF":
-if (isValidPdfFile(fileTocheck)) {
+if (isValidPdfFile(fileToCheck)) {
 return true;
 }
 break;
 
 case "Compressed":
-if (isValidCompressedFile(fileTocheck, delegator)) {
+if (isValidCompressedFile(fileToCheck, delegator)) {
 return true;
 }
 break;
 
 case "AllButCompressed":
-if (isValidTextFile(fileTocheck)
-|| isValidImageIncludingSvgFile(fileTocheck)
-|| isValidPdfFile(fileTocheck)) {
+if (isValidTextFile(fileToCheck)
+|| isValidImageIncludingSvgFile(fileToCheck)
+|| isValidPdfFile(fileToCheck)) {
 return true;
 }
 break;
@@ -146,37 +156,37 @@ public class SecuredUpload {
 // The philosophy for isValidTextFile() is that
 // we can't presume of all possible text contents used for attacks 
with payloads
 // At least there is an easy way to prevent them in isValidTextFile
-if (isValidTextFile(fileTocheck)) {
+if (isValidTextFile(fileToCheck)) {
 return true;
 }
 break;
 
 case "Audio":
-if (isValidAudioFile(fileTocheck)) {
+if (isValidAudioFile(fileToCheck)) {
 return true;
 }
 break;
 case "Video":
-if (isValidVideoFile(fileTocheck)) {
+if (isValidVideoFile(fileToCheck)) {
 return true;
 }
 break;
 
 default: // All
-if (isValidTextFile(fileTocheck)
-|| isValidImageIncludingSvgFile(fileTocheck)
-|| isValidCompressedFile(fileTocheck, delegator)
-|| isValidAudioFile(fileTocheck)
-|| isValidVideoFile(fileTocheck)
-|| isValidPdfFile(fileTocheck)) {
+if (isValidTextFile(fileToCheck)
+