buildbot success in on ofbizTrunkFrameworkPlugins
The Buildbot has detected a restored build on builder ofbizTrunkFrameworkPlugins while building ofbiz-framework. Full details are available at: https://ci.apache.org/builders/ofbizTrunkFrameworkPlugins/builds/1917 Buildbot URL: https://ci.apache.org/ Buildslave for this Build: asf946_ubuntu Build Reason: downstream Build Source Stamp: [branch trunk] c4650ff9bc9681d793f5cc9886618f1b042d9d58 Blamelist: Jacques Le Roux Build succeeded! Sincerely, -The Buildbot
buildbot exception in on ofbizBranch18Framework
The Buildbot has detected a build exception on builder ofbizBranch18Framework while building ofbiz-framework. Full details are available at: https://ci.apache.org/builders/ofbizBranch18Framework/builds/424 Buildbot URL: https://ci.apache.org/ Buildslave for this Build: asf945_ubuntu Build Reason: The AnyBranchScheduler scheduler named 'onBranch18FrameworkCommit' triggered this build Build Source Stamp: [branch release18.12] e3c274128b9e447dc34f7114c91ad2098a683422 Blamelist: Jacques Le Roux BUILD FAILED: exception upload Sincerely, -The Buildbot
[ofbiz-framework] branch release18.12 updated: Fixed: Secure the uploads (OFBIZ-12080)
This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release18.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git The following commit(s) were added to refs/heads/release18.12 by this push: new e3c2741 Fixed: Secure the uploads (OFBIZ-12080) e3c2741 is described below commit e3c274128b9e447dc34f7114c91ad2098a683422 Author: Jacques Le Roux AuthorDate: Mon Dec 14 19:00:37 2020 +0100 Fixed: Secure the uploads (OFBIZ-12080) According to https://s.apache.org/rpzog, adds few, maybe redundant, Java API/methods found in webshell, or alike, source code --- .../main/java/org/apache/ofbiz/security/SecuredUpload.java | 14 ++ 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java index 273bdf5..d9c0952 100644 --- a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java +++ b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java @@ -111,8 +111,8 @@ public class SecuredUpload { return false; } else if (!fileToCheck.matches("[a-zA-Z0-9]{1,249}.[a-zA-Z0-9]{1,10}")) { Debug.logError("Uploaded file " -+ " should contain only Alpha-Numeric characters, only 1 dot as an input for the file name and the extension; " -+ "in which the file name and also the extension should not be empty at all ", ++ " should contain only Alpha-Numeric characters, only 1 dot as an input for the file name and the extension." ++ "The file name and the extension should not be empty at all", MODULE); return false; } @@ -122,8 +122,8 @@ public class SecuredUpload { return false; } else if (!fileToCheck.matches("[a-zA-Z0-9]{1,4086}.[a-zA-Z0-9]{1,10}")) { Debug.logError("Uploaded file " -+ " should contain only Alpha-Numeric characters, only 1 dot as an input for the file name and the extension; " -+ "in which the file name and also the extension should not be empty at all ", ++ " should contain only Alpha-Numeric characters, only 1 dot as an input for the file name and the extension." ++ "Tthe file name and the extension should not be empty at all", MODULE); return false; } @@ -619,6 +619,12 @@ public class SecuredUpload { || content.toLowerCase().contains("mkdir") || content.toLowerCase().contains("fopen") || content.toLowerCase().contains("fclose") +|| content.toLowerCase().contains("new file") +|| content.toLowerCase().contains("import") +|| content.toLowerCase().contains("upload") +|| content.toLowerCase().contains("getFileName") +|| content.toLowerCase().contains("Download") +|| content.toLowerCase().contains("getOutputString") || content.toLowerCase().contains("readfile")); // TODO to be continued with known webshell contents... a complete allow list is impossible anyway... // eg: https://www.acunetix.com/blog/articles/detection-prevention-introduction-web-shells-part-5/
[ofbiz-framework] branch release17.12 updated: Fixed: Secure the uploads (OFBIZ-12080)
This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release17.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git The following commit(s) were added to refs/heads/release17.12 by this push: new 363e0be Fixed: Secure the uploads (OFBIZ-12080) 363e0be is described below commit 363e0be7708cd30c4c3c994716352a6e57305973 Author: Jacques Le Roux AuthorDate: Mon Dec 14 19:00:37 2020 +0100 Fixed: Secure the uploads (OFBIZ-12080) According to https://s.apache.org/rpzog, adds few, maybe redundant, Java API/methods found in webshell, or alike, source code --- .../main/java/org/apache/ofbiz/security/SecuredUpload.java | 14 ++ 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java index 273bdf5..d9c0952 100644 --- a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java +++ b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java @@ -111,8 +111,8 @@ public class SecuredUpload { return false; } else if (!fileToCheck.matches("[a-zA-Z0-9]{1,249}.[a-zA-Z0-9]{1,10}")) { Debug.logError("Uploaded file " -+ " should contain only Alpha-Numeric characters, only 1 dot as an input for the file name and the extension; " -+ "in which the file name and also the extension should not be empty at all ", ++ " should contain only Alpha-Numeric characters, only 1 dot as an input for the file name and the extension." ++ "The file name and the extension should not be empty at all", MODULE); return false; } @@ -122,8 +122,8 @@ public class SecuredUpload { return false; } else if (!fileToCheck.matches("[a-zA-Z0-9]{1,4086}.[a-zA-Z0-9]{1,10}")) { Debug.logError("Uploaded file " -+ " should contain only Alpha-Numeric characters, only 1 dot as an input for the file name and the extension; " -+ "in which the file name and also the extension should not be empty at all ", ++ " should contain only Alpha-Numeric characters, only 1 dot as an input for the file name and the extension." ++ "Tthe file name and the extension should not be empty at all", MODULE); return false; } @@ -619,6 +619,12 @@ public class SecuredUpload { || content.toLowerCase().contains("mkdir") || content.toLowerCase().contains("fopen") || content.toLowerCase().contains("fclose") +|| content.toLowerCase().contains("new file") +|| content.toLowerCase().contains("import") +|| content.toLowerCase().contains("upload") +|| content.toLowerCase().contains("getFileName") +|| content.toLowerCase().contains("Download") +|| content.toLowerCase().contains("getOutputString") || content.toLowerCase().contains("readfile")); // TODO to be continued with known webshell contents... a complete allow list is impossible anyway... // eg: https://www.acunetix.com/blog/articles/detection-prevention-introduction-web-shells-part-5/
[ofbiz-framework] branch trunk updated: Fixed: Secure the uploads (OFBIZ-12080)
This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git The following commit(s) were added to refs/heads/trunk by this push: new c4650ff Fixed: Secure the uploads (OFBIZ-12080) c4650ff is described below commit c4650ff9bc9681d793f5cc9886618f1b042d9d58 Author: Jacques Le Roux AuthorDate: Mon Dec 14 19:00:37 2020 +0100 Fixed: Secure the uploads (OFBIZ-12080) According to https://s.apache.org/rpzog, adds few, maybe redundant, Java API/methods found in webshell, or alike, source code --- .../main/java/org/apache/ofbiz/security/SecuredUpload.java | 14 ++ 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java index 273bdf5..d9c0952 100644 --- a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java +++ b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java @@ -111,8 +111,8 @@ public class SecuredUpload { return false; } else if (!fileToCheck.matches("[a-zA-Z0-9]{1,249}.[a-zA-Z0-9]{1,10}")) { Debug.logError("Uploaded file " -+ " should contain only Alpha-Numeric characters, only 1 dot as an input for the file name and the extension; " -+ "in which the file name and also the extension should not be empty at all ", ++ " should contain only Alpha-Numeric characters, only 1 dot as an input for the file name and the extension." ++ "The file name and the extension should not be empty at all", MODULE); return false; } @@ -122,8 +122,8 @@ public class SecuredUpload { return false; } else if (!fileToCheck.matches("[a-zA-Z0-9]{1,4086}.[a-zA-Z0-9]{1,10}")) { Debug.logError("Uploaded file " -+ " should contain only Alpha-Numeric characters, only 1 dot as an input for the file name and the extension; " -+ "in which the file name and also the extension should not be empty at all ", ++ " should contain only Alpha-Numeric characters, only 1 dot as an input for the file name and the extension." ++ "Tthe file name and the extension should not be empty at all", MODULE); return false; } @@ -619,6 +619,12 @@ public class SecuredUpload { || content.toLowerCase().contains("mkdir") || content.toLowerCase().contains("fopen") || content.toLowerCase().contains("fclose") +|| content.toLowerCase().contains("new file") +|| content.toLowerCase().contains("import") +|| content.toLowerCase().contains("upload") +|| content.toLowerCase().contains("getFileName") +|| content.toLowerCase().contains("Download") +|| content.toLowerCase().contains("getOutputString") || content.toLowerCase().contains("readfile")); // TODO to be continued with known webshell contents... a complete allow list is impossible anyway... // eg: https://www.acunetix.com/blog/articles/detection-prevention-introduction-web-shells-part-5/
buildbot failure in on ofbizNextFrameworkRat
The Buildbot has detected a new failure on builder ofbizNextFrameworkRat while building ofbiz-framework. Full details are available at: https://ci.apache.org/builders/ofbizNextFrameworkRat/builds/84 Buildbot URL: https://ci.apache.org/ Buildslave for this Build: asf945_ubuntu Build Reason: downstream Build Source Stamp: [branch release18.12] 16ffa216d9a22a02a7e846a15a3a836a0212849d Blamelist: Jacques Le Roux BUILD FAILED: failed Sincerely, -The Buildbot
buildbot exception in on ofbizTrunkFrameworkPlugins
The Buildbot has detected a build exception on builder ofbizTrunkFrameworkPlugins while building ofbiz-framework. Full details are available at: https://ci.apache.org/builders/ofbizTrunkFrameworkPlugins/builds/1916 Buildbot URL: https://ci.apache.org/ Buildslave for this Build: asf945_ubuntu Build Reason: downstream Build Source Stamp: [branch trunk] 179dd2411abdbcda82242266e794abbc20e07720 Blamelist: Jacques Le Roux BUILD FAILED: exception upload test-results part 1 Sincerely, -The Buildbot
buildbot failure in on ofbizTrunkFrameworkRat
The Buildbot has detected a new failure on builder ofbizTrunkFrameworkRat while building ofbiz-framework. Full details are available at: https://ci.apache.org/builders/ofbizTrunkFrameworkRat/builds/1414 Buildbot URL: https://ci.apache.org/ Buildslave for this Build: asf945_ubuntu Build Reason: downstream Build Source Stamp: [branch trunk] 179dd2411abdbcda82242266e794abbc20e07720 Blamelist: Jacques Le Roux BUILD FAILED: failed Sincerely, -The Buildbot
buildbot success in on ofbizTrunkFramework
The Buildbot has detected a restored build on builder ofbizTrunkFramework while building ofbiz-framework. Full details are available at: https://ci.apache.org/builders/ofbizTrunkFramework/builds/2010 Buildbot URL: https://ci.apache.org/ Buildslave for this Build: asf946_ubuntu Build Reason: The AnyBranchScheduler scheduler named 'onTrunkFrameworkCommit' triggered this build Build Source Stamp: [branch trunk] 179dd2411abdbcda82242266e794abbc20e07720 Blamelist: Jacques Le Roux Build succeeded! Sincerely, -The Buildbot
buildbot exception in on ofbizBranch17Framework
The Buildbot has detected a build exception on builder ofbizBranch17Framework while building ofbiz-framework. Full details are available at: https://ci.apache.org/builders/ofbizBranch17Framework/builds/551 Buildbot URL: https://ci.apache.org/ Buildslave for this Build: asf945_ubuntu Build Reason: The AnyBranchScheduler scheduler named 'onBranch17FrameworkCommit' triggered this build Build Source Stamp: [branch release17.12] ba6470b9eaab8913a3d8c1305774c2321c338e38 Blamelist: Jacques Le Roux BUILD FAILED: exception upload Sincerely, -The Buildbot
[ofbiz-framework] branch release18.12 updated: Fixed: Secure the uploads (OFBIZ-12080)
This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release18.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git The following commit(s) were added to refs/heads/release18.12 by this push: new 16ffa21 Fixed: Secure the uploads (OFBIZ-12080) 16ffa21 is described below commit 16ffa216d9a22a02a7e846a15a3a836a0212849d Author: Jacques Le Roux AuthorDate: Mon Dec 14 16:46:05 2020 +0100 Fixed: Secure the uploads (OFBIZ-12080) Follows OWASP advice on file names: All the control characters and Unicode ones should be removed from the filenames and their extensions without any exception. Also, the special characters such as “;”, “:”, “>”, “<”, “/” ,”\”, additional “.”, “*”, “%”, “$”, and so on should be discarded as well. If it is applicable and there is no need to have Unicode characters, it is highly recommended to only accept Alpha-Numeric characters and only 1 dot as an input for the file name and the extension; in which the file name and also the extension should not be empty at all (regular expression: [a-zA-Z0-9]{1,200}.[a-zA-Z0-9]{1,10}). So if someone needs other chars in uploaded filenames a change will be needed --- .../main/java/org/apache/ofbiz/security/SecuredUpload.java | 14 ++ 1 file changed, 14 insertions(+) diff --git a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java index a8321dc..273bdf5 100644 --- a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java +++ b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java @@ -107,10 +107,24 @@ public class SecuredUpload { if (org.apache.commons.lang3.SystemUtils.IS_OS_WINDOWS) { if (fileToCheck.length() > 259) { +Debug.logError("Uploaded file name too long", MODULE); +return false; +} else if (!fileToCheck.matches("[a-zA-Z0-9]{1,249}.[a-zA-Z0-9]{1,10}")) { +Debug.logError("Uploaded file " ++ " should contain only Alpha-Numeric characters, only 1 dot as an input for the file name and the extension; " ++ "in which the file name and also the extension should not be empty at all ", +MODULE); return false; } } else { if (fileToCheck.length() > 4096) { +Debug.logError("Uploaded file name too long", MODULE); +return false; +} else if (!fileToCheck.matches("[a-zA-Z0-9]{1,4086}.[a-zA-Z0-9]{1,10}")) { +Debug.logError("Uploaded file " ++ " should contain only Alpha-Numeric characters, only 1 dot as an input for the file name and the extension; " ++ "in which the file name and also the extension should not be empty at all ", +MODULE); return false; } }
[ofbiz-framework] branch trunk updated: Fixed: Secure the uploads (OFBIZ-12080)
This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git The following commit(s) were added to refs/heads/trunk by this push: new 179dd24 Fixed: Secure the uploads (OFBIZ-12080) 179dd24 is described below commit 179dd2411abdbcda82242266e794abbc20e07720 Author: Jacques Le Roux AuthorDate: Mon Dec 14 16:46:05 2020 +0100 Fixed: Secure the uploads (OFBIZ-12080) Follows OWASP advice on file names: All the control characters and Unicode ones should be removed from the filenames and their extensions without any exception. Also, the special characters such as “;”, “:”, “>”, “<”, “/” ,”\”, additional “.”, “*”, “%”, “$”, and so on should be discarded as well. If it is applicable and there is no need to have Unicode characters, it is highly recommended to only accept Alpha-Numeric characters and only 1 dot as an input for the file name and the extension; in which the file name and also the extension should not be empty at all (regular expression: [a-zA-Z0-9]{1,200}.[a-zA-Z0-9]{1,10}). So if someone needs other chars in uploaded filenames a change will be needed --- .../main/java/org/apache/ofbiz/security/SecuredUpload.java | 14 ++ 1 file changed, 14 insertions(+) diff --git a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java index a8321dc..273bdf5 100644 --- a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java +++ b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java @@ -107,10 +107,24 @@ public class SecuredUpload { if (org.apache.commons.lang3.SystemUtils.IS_OS_WINDOWS) { if (fileToCheck.length() > 259) { +Debug.logError("Uploaded file name too long", MODULE); +return false; +} else if (!fileToCheck.matches("[a-zA-Z0-9]{1,249}.[a-zA-Z0-9]{1,10}")) { +Debug.logError("Uploaded file " ++ " should contain only Alpha-Numeric characters, only 1 dot as an input for the file name and the extension; " ++ "in which the file name and also the extension should not be empty at all ", +MODULE); return false; } } else { if (fileToCheck.length() > 4096) { +Debug.logError("Uploaded file name too long", MODULE); +return false; +} else if (!fileToCheck.matches("[a-zA-Z0-9]{1,4086}.[a-zA-Z0-9]{1,10}")) { +Debug.logError("Uploaded file " ++ " should contain only Alpha-Numeric characters, only 1 dot as an input for the file name and the extension; " ++ "in which the file name and also the extension should not be empty at all ", +MODULE); return false; } }
[ofbiz-framework] branch release17.12 updated: Fixed: Secure the uploads (OFBIZ-12080)
This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release17.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git The following commit(s) were added to refs/heads/release17.12 by this push: new ba6470b Fixed: Secure the uploads (OFBIZ-12080) ba6470b is described below commit ba6470b9eaab8913a3d8c1305774c2321c338e38 Author: Jacques Le Roux AuthorDate: Mon Dec 14 16:46:05 2020 +0100 Fixed: Secure the uploads (OFBIZ-12080) Follows OWASP advice on file names: All the control characters and Unicode ones should be removed from the filenames and their extensions without any exception. Also, the special characters such as “;”, “:”, “>”, “<”, “/” ,”\”, additional “.”, “*”, “%”, “$”, and so on should be discarded as well. If it is applicable and there is no need to have Unicode characters, it is highly recommended to only accept Alpha-Numeric characters and only 1 dot as an input for the file name and the extension; in which the file name and also the extension should not be empty at all (regular expression: [a-zA-Z0-9]{1,200}.[a-zA-Z0-9]{1,10}). So if someone needs other chars in uploaded filenames a change will be needed --- .../main/java/org/apache/ofbiz/security/SecuredUpload.java | 14 ++ 1 file changed, 14 insertions(+) diff --git a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java index a8321dc..273bdf5 100644 --- a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java +++ b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java @@ -107,10 +107,24 @@ public class SecuredUpload { if (org.apache.commons.lang3.SystemUtils.IS_OS_WINDOWS) { if (fileToCheck.length() > 259) { +Debug.logError("Uploaded file name too long", MODULE); +return false; +} else if (!fileToCheck.matches("[a-zA-Z0-9]{1,249}.[a-zA-Z0-9]{1,10}")) { +Debug.logError("Uploaded file " ++ " should contain only Alpha-Numeric characters, only 1 dot as an input for the file name and the extension; " ++ "in which the file name and also the extension should not be empty at all ", +MODULE); return false; } } else { if (fileToCheck.length() > 4096) { +Debug.logError("Uploaded file name too long", MODULE); +return false; +} else if (!fileToCheck.matches("[a-zA-Z0-9]{1,4086}.[a-zA-Z0-9]{1,10}")) { +Debug.logError("Uploaded file " ++ " should contain only Alpha-Numeric characters, only 1 dot as an input for the file name and the extension; " ++ "in which the file name and also the extension should not be empty at all ", +MODULE); return false; } }
buildbot success in on ofbizBranch18Framework
The Buildbot has detected a restored build on builder ofbizBranch18Framework while building . Full details are available at: https://ci.apache.org/builders/ofbizBranch18Framework/builds/422 Buildbot URL: https://ci.apache.org/ Buildslave for this Build: asf947_ubuntu Build Reason: forced: by IRC user (privmsg): forces manual build after BuildBot read-only error Build Source Stamp: HEAD Blamelist: Build succeeded! Sincerely, -The Buildbot
buildbot failure in on ofbizBranch18Framework
The Buildbot has detected a new failure on builder ofbizBranch18Framework while building ofbiz-framework. Full details are available at: https://ci.apache.org/builders/ofbizBranch18Framework/builds/421 Buildbot URL: https://ci.apache.org/ Buildslave for this Build: asf947_ubuntu Build Reason: The AnyBranchScheduler scheduler named 'onBranch18FrameworkCommit' triggered this build Build Source Stamp: [branch release18.12] b159dffb15c36daa2d3d1f3a622734c681a0c21e Blamelist: Jacques Le Roux BUILD FAILED: failed shell_2 Sincerely, -The Buildbot
buildbot failure in on ofbizStableFrameworkRat
The Buildbot has detected a new failure on builder ofbizStableFrameworkRat while building ofbiz-framework. Full details are available at: https://ci.apache.org/builders/ofbizStableFrameworkRat/builds/68 Buildbot URL: https://ci.apache.org/ Buildslave for this Build: asf945_ubuntu Build Reason: downstream Build Source Stamp: [branch release17.12] 00d875251c94496b198ef4fdad61f42fd8318727 Blamelist: Jacques Le Roux BUILD FAILED: failed Sincerely, -The Buildbot
buildbot exception in on ofbizTrunkFramework
The Buildbot has detected a build exception on builder ofbizTrunkFramework while building ofbiz-framework. Full details are available at: https://ci.apache.org/builders/ofbizTrunkFramework/builds/2009 Buildbot URL: https://ci.apache.org/ Buildslave for this Build: asf945_ubuntu Build Reason: The AnyBranchScheduler scheduler named 'onTrunkFrameworkCommit' triggered this build Build Source Stamp: [branch trunk] 63e2b526b84442eace3bbecafc4b12f8aeaf141d Blamelist: Jacques Le Roux BUILD FAILED: exception upload test-results part 1 Sincerely, -The Buildbot
[ofbiz-framework] branch release17.12 updated: Fixed: Secure the uploads (OFBIZ-12080)
This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release17.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git The following commit(s) were added to refs/heads/release17.12 by this push: new 00d8752 Fixed: Secure the uploads (OFBIZ-12080) 00d8752 is described below commit 00d875251c94496b198ef4fdad61f42fd8318727 Author: Jacques Le Roux AuthorDate: Mon Dec 14 12:46:32 2020 +0100 Fixed: Secure the uploads (OFBIZ-12080) Prevents too long filenames as recommended by OWASP. Based on https://security.stackexchange.com/questions/46484/denial-of-service-when-uploading-a-file#answer-46495 I decided to not limit sizes of files. Anyway we know it's only post-auth... --- .../org/apache/ofbiz/security/SecuredUpload.java | 56 +- 1 file changed, 33 insertions(+), 23 deletions(-) diff --git a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java index 0751067..a8321dc 100644 --- a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java +++ b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java @@ -93,51 +93,61 @@ public class SecuredUpload { private static final String MODULE = SecuredUpload.class.getName(); /** - * @param fileTocheck + * @param fileToCheck * @param fileType * @return true if the file is valid * @throws IOException * @throws ImageReadException */ -public static boolean isValidFile(String fileTocheck, String fileType, Delegator delegator) throws IOException, ImageReadException { +public static boolean isValidFile(String fileToCheck, String fileType, Delegator delegator) throws IOException, ImageReadException { if (("true".equalsIgnoreCase(EntityUtilProperties.getPropertyValue("security", "allowAllUploads", delegator { return true; } -if (isExecutable(fileTocheck)) { +if (org.apache.commons.lang3.SystemUtils.IS_OS_WINDOWS) { +if (fileToCheck.length() > 259) { +return false; +} +} else { +if (fileToCheck.length() > 4096) { +return false; +} +} + +if (isExecutable(fileToCheck)) { return false; } switch (fileType) { case "Image": -if (isValidImageFile(fileTocheck)) { +if (isValidImageFile(fileToCheck)) { return true; } break; case "ImageAndSvg": -if (isValidImageIncludingSvgFile(fileTocheck)) { +if (isValidImageIncludingSvgFile(fileToCheck)) { return true; } break; case "PDF": -if (isValidPdfFile(fileTocheck)) { +if (isValidPdfFile(fileToCheck)) { return true; } break; case "Compressed": -if (isValidCompressedFile(fileTocheck, delegator)) { +if (isValidCompressedFile(fileToCheck, delegator)) { return true; } break; case "AllButCompressed": -if (isValidTextFile(fileTocheck) -|| isValidImageIncludingSvgFile(fileTocheck) -|| isValidPdfFile(fileTocheck)) { +if (isValidTextFile(fileToCheck) +|| isValidImageIncludingSvgFile(fileToCheck) +|| isValidPdfFile(fileToCheck)) { return true; } break; @@ -146,37 +156,37 @@ public class SecuredUpload { // The philosophy for isValidTextFile() is that // we can't presume of all possible text contents used for attacks with payloads // At least there is an easy way to prevent them in isValidTextFile -if (isValidTextFile(fileTocheck)) { +if (isValidTextFile(fileToCheck)) { return true; } break; case "Audio": -if (isValidAudioFile(fileTocheck)) { +if (isValidAudioFile(fileToCheck)) { return true; } break; case "Video": -if (isValidVideoFile(fileTocheck)) { +if (isValidVideoFile(fileToCheck)) { return true; } break; default: // All -if (isValidTextFile(fileTocheck) -|| isValidImageIncludingSvgFile(fileTocheck) -|| isValidCompressedFile(fileTocheck, delegator) -|| isValidAudioFile(fileTocheck) -|| isValidVideoFile(fileTocheck) -|| isValidPdfFile(fileTocheck)) { +if (isValidTextFile(fileToCheck) +
[ofbiz-framework] branch release18.12 updated: Fixed: Secure the uploads (OFBIZ-12080)
This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release18.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git The following commit(s) were added to refs/heads/release18.12 by this push: new b159dff Fixed: Secure the uploads (OFBIZ-12080) b159dff is described below commit b159dffb15c36daa2d3d1f3a622734c681a0c21e Author: Jacques Le Roux AuthorDate: Mon Dec 14 12:46:32 2020 +0100 Fixed: Secure the uploads (OFBIZ-12080) Prevents too long filenames as recommended by OWASP. Based on https://security.stackexchange.com/questions/46484/denial-of-service-when-uploading-a-file#answer-46495 I decided to not limit sizes of files. Anyway we know it's only post-auth... --- .../org/apache/ofbiz/security/SecuredUpload.java | 56 +- 1 file changed, 33 insertions(+), 23 deletions(-) diff --git a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java index 0751067..a8321dc 100644 --- a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java +++ b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java @@ -93,51 +93,61 @@ public class SecuredUpload { private static final String MODULE = SecuredUpload.class.getName(); /** - * @param fileTocheck + * @param fileToCheck * @param fileType * @return true if the file is valid * @throws IOException * @throws ImageReadException */ -public static boolean isValidFile(String fileTocheck, String fileType, Delegator delegator) throws IOException, ImageReadException { +public static boolean isValidFile(String fileToCheck, String fileType, Delegator delegator) throws IOException, ImageReadException { if (("true".equalsIgnoreCase(EntityUtilProperties.getPropertyValue("security", "allowAllUploads", delegator { return true; } -if (isExecutable(fileTocheck)) { +if (org.apache.commons.lang3.SystemUtils.IS_OS_WINDOWS) { +if (fileToCheck.length() > 259) { +return false; +} +} else { +if (fileToCheck.length() > 4096) { +return false; +} +} + +if (isExecutable(fileToCheck)) { return false; } switch (fileType) { case "Image": -if (isValidImageFile(fileTocheck)) { +if (isValidImageFile(fileToCheck)) { return true; } break; case "ImageAndSvg": -if (isValidImageIncludingSvgFile(fileTocheck)) { +if (isValidImageIncludingSvgFile(fileToCheck)) { return true; } break; case "PDF": -if (isValidPdfFile(fileTocheck)) { +if (isValidPdfFile(fileToCheck)) { return true; } break; case "Compressed": -if (isValidCompressedFile(fileTocheck, delegator)) { +if (isValidCompressedFile(fileToCheck, delegator)) { return true; } break; case "AllButCompressed": -if (isValidTextFile(fileTocheck) -|| isValidImageIncludingSvgFile(fileTocheck) -|| isValidPdfFile(fileTocheck)) { +if (isValidTextFile(fileToCheck) +|| isValidImageIncludingSvgFile(fileToCheck) +|| isValidPdfFile(fileToCheck)) { return true; } break; @@ -146,37 +156,37 @@ public class SecuredUpload { // The philosophy for isValidTextFile() is that // we can't presume of all possible text contents used for attacks with payloads // At least there is an easy way to prevent them in isValidTextFile -if (isValidTextFile(fileTocheck)) { +if (isValidTextFile(fileToCheck)) { return true; } break; case "Audio": -if (isValidAudioFile(fileTocheck)) { +if (isValidAudioFile(fileToCheck)) { return true; } break; case "Video": -if (isValidVideoFile(fileTocheck)) { +if (isValidVideoFile(fileToCheck)) { return true; } break; default: // All -if (isValidTextFile(fileTocheck) -|| isValidImageIncludingSvgFile(fileTocheck) -|| isValidCompressedFile(fileTocheck, delegator) -|| isValidAudioFile(fileTocheck) -|| isValidVideoFile(fileTocheck) -|| isValidPdfFile(fileTocheck)) { +if (isValidTextFile(fileToCheck) +
[ofbiz-framework] branch trunk updated: Fixed: Secure the uploads (OFBIZ-12080)
This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git The following commit(s) were added to refs/heads/trunk by this push: new 63e2b52 Fixed: Secure the uploads (OFBIZ-12080) 63e2b52 is described below commit 63e2b526b84442eace3bbecafc4b12f8aeaf141d Author: Jacques Le Roux AuthorDate: Mon Dec 14 12:46:32 2020 +0100 Fixed: Secure the uploads (OFBIZ-12080) Prevents too long filenames as recommended by OWASP. Based on https://security.stackexchange.com/questions/46484/denial-of-service-when-uploading-a-file#answer-46495 I decided to not limit sizes of files. Anyway we know it's only post-auth... --- .../org/apache/ofbiz/security/SecuredUpload.java | 56 +- 1 file changed, 33 insertions(+), 23 deletions(-) diff --git a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java index 0751067..a8321dc 100644 --- a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java +++ b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java @@ -93,51 +93,61 @@ public class SecuredUpload { private static final String MODULE = SecuredUpload.class.getName(); /** - * @param fileTocheck + * @param fileToCheck * @param fileType * @return true if the file is valid * @throws IOException * @throws ImageReadException */ -public static boolean isValidFile(String fileTocheck, String fileType, Delegator delegator) throws IOException, ImageReadException { +public static boolean isValidFile(String fileToCheck, String fileType, Delegator delegator) throws IOException, ImageReadException { if (("true".equalsIgnoreCase(EntityUtilProperties.getPropertyValue("security", "allowAllUploads", delegator { return true; } -if (isExecutable(fileTocheck)) { +if (org.apache.commons.lang3.SystemUtils.IS_OS_WINDOWS) { +if (fileToCheck.length() > 259) { +return false; +} +} else { +if (fileToCheck.length() > 4096) { +return false; +} +} + +if (isExecutable(fileToCheck)) { return false; } switch (fileType) { case "Image": -if (isValidImageFile(fileTocheck)) { +if (isValidImageFile(fileToCheck)) { return true; } break; case "ImageAndSvg": -if (isValidImageIncludingSvgFile(fileTocheck)) { +if (isValidImageIncludingSvgFile(fileToCheck)) { return true; } break; case "PDF": -if (isValidPdfFile(fileTocheck)) { +if (isValidPdfFile(fileToCheck)) { return true; } break; case "Compressed": -if (isValidCompressedFile(fileTocheck, delegator)) { +if (isValidCompressedFile(fileToCheck, delegator)) { return true; } break; case "AllButCompressed": -if (isValidTextFile(fileTocheck) -|| isValidImageIncludingSvgFile(fileTocheck) -|| isValidPdfFile(fileTocheck)) { +if (isValidTextFile(fileToCheck) +|| isValidImageIncludingSvgFile(fileToCheck) +|| isValidPdfFile(fileToCheck)) { return true; } break; @@ -146,37 +156,37 @@ public class SecuredUpload { // The philosophy for isValidTextFile() is that // we can't presume of all possible text contents used for attacks with payloads // At least there is an easy way to prevent them in isValidTextFile -if (isValidTextFile(fileTocheck)) { +if (isValidTextFile(fileToCheck)) { return true; } break; case "Audio": -if (isValidAudioFile(fileTocheck)) { +if (isValidAudioFile(fileToCheck)) { return true; } break; case "Video": -if (isValidVideoFile(fileTocheck)) { +if (isValidVideoFile(fileToCheck)) { return true; } break; default: // All -if (isValidTextFile(fileTocheck) -|| isValidImageIncludingSvgFile(fileTocheck) -|| isValidCompressedFile(fileTocheck, delegator) -|| isValidAudioFile(fileTocheck) -|| isValidVideoFile(fileTocheck) -|| isValidPdfFile(fileTocheck)) { +if (isValidTextFile(fileToCheck) +