This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/trunk by this push:
new 54acc03 Fixed: SecuredUpload::isValidTextFile wrong check with uppercase (OFBIZ-12301)
54acc03 is described below
commit 54acc03858eb28bb13dbf17c32d5e394b42ff869
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Tue Aug 10 13:02:22 2021 +0200
Fixed: SecuredUpload::isValidTextFile wrong check with uppercase (OFBIZ-12301)
In SecuredUpload::isValidTextFile a wrong check is done
Thanks: Zhujie from Ping'an Technology
---
.../src/main/java/org/apache/ofbiz/security/SecuredUpload.java | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
index 904b64c..2c7913c 100644
--- a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
+++ b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
@@ -604,7 +604,7 @@ public class SecuredUpload {
 // Else "template.utility.Execute" is a good replacement but not as much catching, who
 // knows...
 || content.toLowerCase().contains("import=\"java")
- || content.toLowerCase().contains("Runtime.getRuntime().exec(")
+ || content.toLowerCase().contains("runtime.getruntime().exec(")
 || content.toLowerCase().contains("<%@ page")
 || content.toLowerCase().contains("<script")
 || content.toLowerCase().contains("<body>")
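Review bot: The new `runtime.getruntime().exec(` line, like every other `contains` term in this hunk, folds the content with the locale-sensitive `String.toLowerCase()`, so the uppercase case this commit sets out to fix is still open on a JVM whose default locale is Turkish or Azeri: there `I` lowercases to dotless `ı`, and an upload containing `RUNTIME.GETRUNTIME().EXEC(` or `IMPORT="JAVA` folds to `runtıme…`/`ımport…` and no longer matches the all-lowercase patterns. Lowercase once with a fixed locale at the top of the method, e.g. `String lowered = content.toLowerCase(Locale.ROOT);`, and test `lowered.contains(...)` in each term; that also avoids copying the whole file once per pattern, which the current `content.toLowerCase()` on every line does. The enclosing method (isValidTextFile, per the commit message) starts and ends outside this hunk, and `java.util.Locale` may need importing if the file does not already.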
@@ -629,9 +629,9 @@ public class SecuredUpload {
 || content.toLowerCase().contains("new file")
 || content.toLowerCase().contains("import")
 || content.toLowerCase().contains("upload")
- || content.toLowerCase().contains("getFileName")
- || content.toLowerCase().contains("Download")
- || content.toLowerCase().contains("getOutputString")
+ || content.toLowerCase().contains("getfilename")
+ || content.toLowerCase().contains("download")
+ || content.toLowerCase().contains("getoutputstring")
 || content.toLowerCase().contains("readfile"));
 // TODO.... to be continued with known webshell contents... a complete allow list is impossible anyway...
 // eg: https://www.acunetix.com/blog/articles/detection-prevention-introduction-web-shells-part-5/
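Review bot: The TODO comment closing this hunk describes the list as an "allow list", but the `contains` terms it annotates are a deny list of webshell markers, if, as the method name and commit title indicate, a match is what makes the text invalid; the mislabel will mislead whoever extends it. Suggested wording: `// TODO: extend this deny list with known webshell contents; it can never be complete, e.g.` followed by the existing URL line. The same comment should warn that bare substrings such as `"import"`, `"upload"` and `"download"` also match ordinary English prose, so legitimate text uploads will be rejected and operators should expect false positives. The enclosing method begins outside this hunk.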