This is an automated email from the ASF dual-hosted git repository. pgil pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/trunk by this push: new 3cea95f Create a deny list to reject webshell tokens (OFBIZ-12324) 3cea95f is described below commit 3cea95fc4cfbc8d70771e9b0b30f29fc5eb5fa99 Author: Gil Portenseigne <p...@apache.org> AuthorDate: Thu Sep 23 15:30:42 2021 +0200 Create a deny list to reject webshell tokens (OFBIZ-12324) Replace java 9 `List.of` that is not yet compatible with current CI java configuration (java 8)
---
 .../src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/framework/security/src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java b/framework/security/src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java
index 4a11e91..85846f1 100644
--- a/framework/security/src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java
+++ b/framework/security/src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java
@@ -59,8 +59,10 @@ public class SecurityUtilTest {
 @Test
 public void webShellTokensTesting() {
 try {
- assertTrue(SecuredUpload.isValidText("hack.getFileName", List.of("getfilename")));
 List<String> allowed = new ArrayList<>();
+ allowed.add("getfilename");
+ assertTrue(SecuredUpload.isValidText("hack.getFileName", allowed));
+ allowed = new ArrayList<>();
 assertFalse(SecuredUpload.isValidText("hack.getFileName", allowed));
 assertFalse(SecuredUpload.isValidText("freemarker", allowed));
 assertFalse(SecuredUpload.isValidText("import=\"java", allowed));
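Review bot: Reassigning `allowed` midway through `webShellTokensTesting()` makes one variable stand for two different inputs: the list that exempts `getfilename`, and the empty list that the `assertFalse` deny-list checks rely on. A Java 8-compatible one-liner keeps the original shape and leaves the empty list untouched: `assertTrue(SecuredUpload.isValidText("hack.getFileName", Collections.singletonList("getfilename")));`. This needs `java.util.Collections` imported, and the import block is outside the hunk. A short comment such as `// an allowed token overrides the deny list; every check below must run with an empty allow list` would also record why the reset matters. The `try` block opens in this hunk and closes outside it.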