This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/trunk by this push:
new 9ea7c6d Fixed: CVE-2021-37608 vulnerability bypass (OFBIZ-12307)
9ea7c6d is described below
commit 9ea7c6d52456e8a0b721d4c23a13e5c843f07658
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Fri Sep 3 16:46:36 2021 +0200
Fixed: CVE-2021-37608 vulnerability bypass (OFBIZ-12307)
Safer completing solution as recommended by weinull orz
<wein...@outlook.com>
Previous commit was OK, but better be safe than sorry ;)
Also forgot to commit the DENIEDFILEEXTENSIONS checkstyle change last time
Thanks: weinull orz for the the right suggestion (done 2021-08-13)
---
.../org/apache/ofbiz/content/data/DataServices.java | 14 +++++++-------
.../ofbiz/product/imagemanagement/FrameImage.java | 6 +++---
.../imagemanagement/ImageManagementServices.java | 20 +++++++++-----------
.../ofbiz/product/product/ProductServices.java | 13 ++++++-------
.../org/apache/ofbiz/security/SecuredUpload.java | 4 ++--
5 files changed, 27 insertions(+), 30 deletions(-)
diff --git
a/applications/content/src/main/java/org/apache/ofbiz/content/data/DataServices.java
b/applications/content/src/main/java/org/apache/ofbiz/content/data/DataServices.java
index f63c1b3..8589096 100644
---
a/applications/content/src/main/java/org/apache/ofbiz/content/data/DataServices.java
+++
b/applications/content/src/main/java/org/apache/ofbiz/content/data/DataServices.java
@@ -262,14 +262,14 @@ public class DataServices {
}
} else if (binData != null) {
try {
- RandomAccessFile out = new RandomAccessFile(file, "rw");
- out.write(binData.array());
- out.close();
// Check if a webshell is not uploaded
if
(!org.apache.ofbiz.security.SecuredUpload.isValidFile(file.getAbsolutePath(),
"All", delegator)) {
String errorMessage =
UtilProperties.getMessage("SecurityUiLabels",
"SupportedFileFormatsIncludingSvg", locale);
return ServiceUtil.returnError(errorMessage);
}
+ RandomAccessFile out = new RandomAccessFile(file, "rw");
+ out.write(binData.array());
+ out.close();
} catch (FileNotFoundException | ImageReadException e) {
Debug.logError(e, MODULE);
@@ -465,15 +465,15 @@ public class DataServices {
}
} else if (binData != null) {
try {
- RandomAccessFile out = new RandomAccessFile(file, "rw");
- out.setLength(binData.array().length);
- out.write(binData.array());
- out.close();
// Check if a webshell is not uploaded
if
(!org.apache.ofbiz.security.SecuredUpload.isValidFile(file.getAbsolutePath(),
"All", delegator)) {
String errorMessage =
UtilProperties.getMessage("SecurityUiLabels",
"SupportedFileFormatsIncludingSvg", locale);
return ServiceUtil.returnError(errorMessage);
}
+ RandomAccessFile out = new RandomAccessFile(file, "rw");
+ out.setLength(binData.array().length);
+ out.write(binData.array());
+ out.close();
} catch (FileNotFoundException | ImageReadException e) {
Debug.logError(e, MODULE);
return
ServiceUtil.returnError(UtilProperties.getMessage(RESOURCE,
"ContentUnableToOpenFileForWriting",
diff --git
a/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java
b/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java
index 3a9beed..6d9a86b 100644
---
a/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java
+++
b/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java
@@ -315,14 +315,14 @@ public class FrameImage {
request.setAttribute("_ERROR_MESSAGE_", "There is an existing
frame, please select from the existing frame.");
return "error";
}
- RandomAccessFile out = new RandomAccessFile(file, "rw");
- out.write(imageData.array());
- out.close();
if
(!org.apache.ofbiz.security.SecuredUpload.isValidFile(file.getAbsolutePath(),
"Image", delegator)) {
String errorMessage =
UtilProperties.getMessage("SecurityUiLabels",
"SupportedFileFormatsIncludingSvg", locale);
request.setAttribute("_ERROR_MESSAGE_", errorMessage);
return "error";
}
+ RandomAccessFile out = new RandomAccessFile(file, "rw");
+ out.write(imageData.array());
+ out.close();
//create dataResource
Map<String, Object> dataResourceCtx = new HashMap<>();
diff --git
a/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/ImageManagementServices.java
b/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/ImageManagementServices.java
index b0f1599..5a194aa 100644
---
a/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/ImageManagementServices.java
+++
b/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/ImageManagementServices.java
@@ -156,13 +156,13 @@ public class ImageManagementServices {
if (UtilValidate.isEmpty(imageResize)) {
// Create image file original to folder product id.
try {
- RandomAccessFile out = new RandomAccessFile(file, "rw");
- out.write(imageData.array());
- out.close();
if
(!org.apache.ofbiz.security.SecuredUpload.isValidFile(file.toString(), "Image",
delegator)) {
String errorMessage =
UtilProperties.getMessage("SecurityUiLabels", "SupportedImageFormats", locale);
return ServiceUtil.returnError(errorMessage);
}
+ RandomAccessFile out = new RandomAccessFile(file, "rw");
+ out.write(imageData.array());
+ out.close();
} catch (FileNotFoundException e) {
Debug.logError(e, MODULE);
return
ServiceUtil.returnError(UtilProperties.getMessage(RES_ERROR,
@@ -180,14 +180,13 @@ public class ImageManagementServices {
fileOriginal = checkExistsImage(fileOriginal);
try {
- RandomAccessFile outFile = new
RandomAccessFile(fileOriginal, "rw");
- outFile.write(imageData.array());
- outFile.close();
if
(!org.apache.ofbiz.security.SecuredUpload.isValidFile(fileOriginal.toString(),
"Image", delegator)) {
String errorMessage =
UtilProperties.getMessage("SecurityUiLabels", "SupportedImageFormats", locale);
return ServiceUtil.returnError(errorMessage);
}
-
+ RandomAccessFile outFile = new
RandomAccessFile(fileOriginal, "rw");
+ outFile.write(imageData.array());
+ outFile.close();
} catch (FileNotFoundException e) {
Debug.logError(e, MODULE);
return
ServiceUtil.returnError(UtilProperties.getMessage(RES_ERROR,
@@ -568,14 +567,13 @@ public class ImageManagementServices {
String fileToCheck = imageServerPath + "/" + productId + "/" +
filenameToUseThumb;
File fileOriginalThumb = new File(fileToCheck);
try {
- RandomAccessFile outFileThumb = new
RandomAccessFile(fileOriginalThumb, "rw");
- outFileThumb.write(imageData.array());
- outFileThumb.close();
if
(!org.apache.ofbiz.security.SecuredUpload.isValidFile(fileToCheck, "Image",
delegator)) {
String errorMessage =
UtilProperties.getMessage("SecurityUiLabels", "SupportedImageFormats", locale);
return ServiceUtil.returnError(errorMessage);
}
-
+ RandomAccessFile outFileThumb = new
RandomAccessFile(fileOriginalThumb, "rw");
+ outFileThumb.write(imageData.array());
+ outFileThumb.close();
} catch (FileNotFoundException e) {
Debug.logError(e, MODULE);
return ServiceUtil.returnError(UtilProperties.getMessage(RES_ERROR,
diff --git
a/applications/product/src/main/java/org/apache/ofbiz/product/product/ProductServices.java
b/applications/product/src/main/java/org/apache/ofbiz/product/product/ProductServices.java
index 1ee5804..ea2f4ac 100644
---
a/applications/product/src/main/java/org/apache/ofbiz/product/product/ProductServices.java
+++
b/applications/product/src/main/java/org/apache/ofbiz/product/product/ProductServices.java
@@ -1074,13 +1074,13 @@ public class ProductServices {
String fileToCheck = imageServerPath + "/" + fileLocation +
"." + extension.getString("fileExtensionId");
File file = new File(fileToCheck);
try {
- RandomAccessFile out = new RandomAccessFile(fileToCheck,
"rw");
- out.write(imageData.array());
- out.close();
if
(!org.apache.ofbiz.security.SecuredUpload.isValidFile(fileToCheck, "Image",
delegator)) {
String errorMessage =
UtilProperties.getMessage("SecurityUiLabels", "SupportedImageFormats", locale);
return ServiceUtil.returnError(errorMessage);
}
+ RandomAccessFile out = new RandomAccessFile(fileToCheck,
"rw");
+ out.write(imageData.array());
+ out.close();
} catch (FileNotFoundException e) {
Debug.logError(e, MODULE);
return
ServiceUtil.returnError(UtilProperties.getMessage(RESOURCE,
@@ -1378,14 +1378,13 @@ public class ProductServices {
File file = new File(fileToCheck);
try {
- RandomAccessFile out = new RandomAccessFile(file, "rw");
- out.write(imageData.array());
- out.close();
if
(!org.apache.ofbiz.security.SecuredUpload.isValidFile(fileToCheck, "Image",
delegator)) {
String errorMessage =
UtilProperties.getMessage("SecurityUiLabels", "SupportedImageFormats", locale);
return ServiceUtil.returnError(errorMessage);
}
-
+ RandomAccessFile out = new RandomAccessFile(file, "rw");
+ out.write(imageData.array());
+ out.close();
} catch (FileNotFoundException e) {
Debug.logError(e, MODULE);
return
ServiceUtil.returnError(UtilProperties.getMessage(RESOURCE,
diff --git
a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
index 812aa71..30928b9 100644
---
a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
+++
b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
@@ -96,7 +96,7 @@ public class SecuredUpload {
// Line #-- UPLOAD: supported file formats are *safe* PNG, GIF, TIFF,
JPEG, PDF, Audio and Video and ZIP
private static final String MODULE = SecuredUpload.class.getName();
- private static final List<String> deniedFileExtensions =
deniedFileExtensions();
+ private static final List<String> DENIEDFILEEXTENSIONS =
deniedFileExtensions();
/**
* @param fileToCheck
@@ -116,7 +116,7 @@ public class SecuredUpload {
String fileName = p.getFileName().toString(); // The file name is the
farthest element from the root in the directory hierarchy.
boolean wrongFile = true;
- if
(deniedFileExtensions.contains(FilenameUtils.getExtension(fileToCheck))) {
+ if
(DENIEDFILEEXTENSIONS.contains(FilenameUtils.getExtension(fileToCheck))) {
Debug.logError("This file extension is not allowed for security
reason", MODULE);
deleteBadFile(fileToCheck);
return false;
