This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release17.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release17.12 by this push:
new 1b907b0 Fixed: CVE-2021-37608 vulnerability bypass (OFBIZ-12307)
1b907b0 is described below
commit 1b907b06e86ee1b6fb73f45e9cc0cbf4b384193c
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Fri Sep 3 16:46:36 2021 +0200
Fixed: CVE-2021-37608 vulnerability bypass (OFBIZ-12307)
Safer completing solution as recommended by weinull orz
<wein...@outlook.com>
Previous commit was OK, but better be safe than sorry ;)
Also forgot to commit the DENIEDFILEEXTENSIONS checkstyle change last time
Thanks: weinull orz for the the right suggestion (done 2021-08-13)
---
.../org/apache/ofbiz/content/data/DataServices.java | 14 +++++++-------
.../ofbiz/product/imagemanagement/FrameImage.java | 6 +++---
.../imagemanagement/ImageManagementServices.java | 20 +++++++++-----------
.../ofbiz/product/product/ProductServices.java | 13 ++++++-------
.../org/apache/ofbiz/security/SecuredUpload.java | 4 ++--
5 files changed, 27 insertions(+), 30 deletions(-)
diff --git
a/applications/content/src/main/java/org/apache/ofbiz/content/data/DataServices.java
b/applications/content/src/main/java/org/apache/ofbiz/content/data/DataServices.java
index 2b30528..b6b17df 100644
---
a/applications/content/src/main/java/org/apache/ofbiz/content/data/DataServices.java
+++
b/applications/content/src/main/java/org/apache/ofbiz/content/data/DataServices.java
@@ -259,14 +259,14 @@ public class DataServices {
}
} else if (binData != null) {
try {
- RandomAccessFile out = new RandomAccessFile(file, "rw");
- out.write(binData.array());
- out.close();
// Check if a webshell is not uploaded
if
(!org.apache.ofbiz.security.SecuredUpload.isValidFile(file.getAbsolutePath(),
"All", delegator)) {
String errorMessage =
UtilProperties.getMessage("SecurityUiLabels",
"SupportedFileFormatsIncludingSvg", locale);
return ServiceUtil.returnError(errorMessage);
}
+ RandomAccessFile out = new RandomAccessFile(file, "rw");
+ out.write(binData.array());
+ out.close();
} catch (FileNotFoundException | ImageReadException e) {
Debug.logError(e, module);
@@ -459,15 +459,15 @@ public class DataServices {
}
} else if (binData != null) {
try {
- RandomAccessFile out = new RandomAccessFile(file, "rw");
- out.setLength(binData.array().length);
- out.write(binData.array());
- out.close();
// Check if a webshell is not uploaded
if
(!org.apache.ofbiz.security.SecuredUpload.isValidFile(file.getAbsolutePath(),
"All", delegator)) {
String errorMessage =
UtilProperties.getMessage("SecurityUiLabels",
"SupportedFileFormatsIncludingSvg", locale);
return ServiceUtil.returnError(errorMessage);
}
+ RandomAccessFile out = new RandomAccessFile(file, "rw");
+ out.setLength(binData.array().length);
+ out.write(binData.array());
+ out.close();
} catch (FileNotFoundException | ImageReadException e) {
Debug.logError(e, module);
return
ServiceUtil.returnError(UtilProperties.getMessage(resource,
"ContentUnableToOpenFileForWriting", UtilMisc.toMap("fileName",
file.getAbsolutePath()), locale));
diff --git
a/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java
b/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java
index b84717b..e942586 100644
---
a/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java
+++
b/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java
@@ -292,14 +292,14 @@ public class FrameImage {
request.setAttribute("_ERROR_MESSAGE_", "There is an existing
frame, please select from the existing frame.");
return "error";
}
- RandomAccessFile out = new RandomAccessFile(file, "rw");
- out.write(imageData.array());
- out.close();
if
(!org.apache.ofbiz.security.SecuredUpload.isValidFile(file.getAbsolutePath(),
"Image", delegator)) {
String errorMessage =
UtilProperties.getMessage("SecurityUiLabels",
"SupportedFileFormatsIncludingSvg", locale);
request.setAttribute("_ERROR_MESSAGE_", errorMessage);
return "error";
}
+ RandomAccessFile out = new RandomAccessFile(file, "rw");
+ out.write(imageData.array());
+ out.close();
//create dataResource
Map<String, Object> dataResourceCtx = new HashMap<>();
diff --git
a/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/ImageManagementServices.java
b/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/ImageManagementServices.java
index 1cdf560..54eb24d 100644
---
a/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/ImageManagementServices.java
+++
b/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/ImageManagementServices.java
@@ -151,13 +151,13 @@ public class ImageManagementServices {
if (UtilValidate.isEmpty(imageResize)) {
// Create image file original to folder product id.
try {
- RandomAccessFile out = new RandomAccessFile(file, "rw");
- out.write(imageData.array());
- out.close();
if
(!org.apache.ofbiz.security.SecuredUpload.isValidFile(file.toString(), "Image",
delegator)) {
String errorMessage =
UtilProperties.getMessage("SecurityUiLabels", "SupportedImageFormats", locale);
return ServiceUtil.returnError(errorMessage);
}
+ RandomAccessFile out = new RandomAccessFile(file, "rw");
+ out.write(imageData.array());
+ out.close();
} catch (FileNotFoundException e) {
Debug.logError(e, module);
return
ServiceUtil.returnError(UtilProperties.getMessage(resourceError,
@@ -175,14 +175,13 @@ public class ImageManagementServices {
fileOriginal = checkExistsImage(fileOriginal);
try {
- RandomAccessFile outFile = new
RandomAccessFile(fileOriginal, "rw");
- outFile.write(imageData.array());
- outFile.close();
if
(!org.apache.ofbiz.security.SecuredUpload.isValidFile(fileOriginal.toString(),
"Image", delegator)) {
String errorMessage =
UtilProperties.getMessage("SecurityUiLabels", "SupportedImageFormats", locale);
return ServiceUtil.returnError(errorMessage);
}
-
+ RandomAccessFile outFile = new
RandomAccessFile(fileOriginal, "rw");
+ outFile.write(imageData.array());
+ outFile.close();
} catch (FileNotFoundException e) {
Debug.logError(e, module);
return
ServiceUtil.returnError(UtilProperties.getMessage(resourceError,
@@ -529,14 +528,13 @@ public class ImageManagementServices {
String fileToCheck = imageServerPath + "/" + productId + "/" +
filenameToUseThumb;
File fileOriginalThumb = new File(fileToCheck);
try {
- RandomAccessFile outFileThumb = new
RandomAccessFile(fileOriginalThumb, "rw");
- outFileThumb.write(imageData.array());
- outFileThumb.close();
if
(!org.apache.ofbiz.security.SecuredUpload.isValidFile(fileToCheck, "Image",
delegator)) {
String errorMessage =
UtilProperties.getMessage("SecurityUiLabels", "SupportedImageFormats", locale);
return ServiceUtil.returnError(errorMessage);
}
-
+ RandomAccessFile outFileThumb = new
RandomAccessFile(fileOriginalThumb, "rw");
+ outFileThumb.write(imageData.array());
+ outFileThumb.close();
} catch (FileNotFoundException e) {
Debug.logError(e, module);
return
ServiceUtil.returnError(UtilProperties.getMessage(resourceError,
diff --git
a/applications/product/src/main/java/org/apache/ofbiz/product/product/ProductServices.java
b/applications/product/src/main/java/org/apache/ofbiz/product/product/ProductServices.java
index 2ac11c1..d8f9924 100644
---
a/applications/product/src/main/java/org/apache/ofbiz/product/product/ProductServices.java
+++
b/applications/product/src/main/java/org/apache/ofbiz/product/product/ProductServices.java
@@ -1046,13 +1046,13 @@ public class ProductServices {
String fileToCheck = imageServerPath + "/" + fileLocation +
"." + extension.getString("fileExtensionId");
File file = new File(fileToCheck);
try {
- RandomAccessFile out = new RandomAccessFile(fileToCheck,
"rw");
- out.write(imageData.array());
- out.close();
if
(!org.apache.ofbiz.security.SecuredUpload.isValidFile(fileToCheck, "Image",
delegator)) {
String errorMessage =
UtilProperties.getMessage("SecurityUiLabels", "SupportedImageFormats", locale);
return ServiceUtil.returnError(errorMessage);
}
+ RandomAccessFile out = new RandomAccessFile(fileToCheck,
"rw");
+ out.write(imageData.array());
+ out.close();
} catch (FileNotFoundException e) {
Debug.logError(e, module);
return
ServiceUtil.returnError(UtilProperties.getMessage(resource,
@@ -1323,14 +1323,13 @@ public class ProductServices {
File file = new File(fileToCheck);
try {
- RandomAccessFile out = new RandomAccessFile(file, "rw");
- out.write(imageData.array());
- out.close();
if
(!org.apache.ofbiz.security.SecuredUpload.isValidFile(fileToCheck, "Image",
delegator)) {
String errorMessage =
UtilProperties.getMessage("SecurityUiLabels", "SupportedImageFormats", locale);
return ServiceUtil.returnError(errorMessage);
}
-
+ RandomAccessFile out = new RandomAccessFile(file, "rw");
+ out.write(imageData.array());
+ out.close();
} catch (FileNotFoundException e) {
Debug.logError(e, module);
return
ServiceUtil.returnError(UtilProperties.getMessage(resource,
diff --git
a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
index 59ef0fe..bfffcec 100644
---
a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
+++
b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
@@ -96,7 +96,7 @@ public class SecuredUpload {
// Line #-- UPLOAD: supported file formats are *safe* PNG, GIF, TIFF,
JPEG, PDF, Audio and Video and ZIP
private static final String MODULE = SecuredUpload.class.getName();
- private static final List<String> deniedFileExtensions =
deniedFileExtensions();
+ private static final List<String> DENIEDFILEEXTENSIONS =
deniedFileExtensions();
/**
* @param fileToCheck
@@ -116,7 +116,7 @@ public class SecuredUpload {
String fileName = p.getFileName().toString(); // The file name is the
farthest element from the root in the directory hierarchy.
boolean wrongFile = true;
- if
(deniedFileExtensions.contains(FilenameUtils.getExtension(fileToCheck))) {
+ if
(DENIEDFILEEXTENSIONS.contains(FilenameUtils.getExtension(fileToCheck))) {
Debug.logError("This file extension is not allowed for security
reason", MODULE);
deleteBadFile(fileToCheck);
return false;
