[ofbiz-framework] branch release18.12 updated: Improved: Create a deny list to reject webshell tokens (OFBIZ-12324)

Mon, 14 Feb 2022 05:31:30 -0800 

This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release18.12 by this push:
     new 61e8ae2  Improved: Create a deny list to reject webshell tokens 
(OFBIZ-12324)
61e8ae2 is described below

commit 61e8ae2f1e4dce6b06e70af99620b6e3ffa450ff
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Mon Feb 14 13:16:55 2022 +0100

    Improved: Create a deny list to reject webshell tokens (OFBIZ-12324)
    
    After reviewing 
https://docs.oracle.com/cd/B14099_19/web.1012/b14014/jspxml.htm,
    since we use "<jsp:" this removes "scriptlet>", "declaration>" and 
"expression>".
    They are redundant with "<jsp:"; "<jsp:" covers those already.
    
    Also adds eval( for js and shrinks base64_decode to decode, and 
processbuilder
    to process because of OFBIZ 12571
    
    I always test the denied tokens against a lib of  images with 33 600 
elements (
    3.99 GB). If an image contains the token it can't be in the denied list.
---
 framework/security/config/security.properties | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/framework/security/config/security.properties 
b/framework/security/config/security.properties
index b91569c..0b88e95 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -216,10 +216,10 @@ allowAllUploads=
 #-- "freemarker" should be OK, should not be used in Freemarker templates, not 
part of the syntax.
 #-- Else "template.utility.Execute" is a good replacement but not as much 
catching, who knows...
 #-- If you are sure you are safe for a token you can remove it, etc.
-deniedWebShellTokens=freemarker,<script,javascript,<body,<form,<jsp:,scriptlet>,declaration>,expression>,<c:out,taglib,<prefix,<%@
 page,\
-                     
%eval,@eval,runtime,import,passthru,shell_exec,assert,str_rot13,system,base64_decode,include,\
+deniedWebShellTokens=freemarker,<script,javascript,<body,<form,<jsp:,<c:out,taglib,<prefix,<%@
 page,\
+                     
%eval,@eval,eval(,runtime,import,passthru,shell_exec,assert,str_rot13,system,decode,include,page
 ,\
                      chmod,mkdir,fopen,fclose,new 
file,upload,getfilename,download,getoutputstring,readfile,\
-                     python,perl ,/perl,ruby 
,/ruby,processbuilder,function,class
+                     python,perl ,/perl,ruby 
,/ruby,process,function,class,InputStream
 #-- IMPORTANT: when you change things here you need to do accordingly in 
SecurityUtilTest::webShellTokensTesting and run "gradlew test" --
 
 #-- Popup last-visited time from database after user has logged in.

Reply via email to