This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release22.01 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
commit 70c799dc63312ae5953a501cd19e4eb838771868
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Thu Feb 17 18:48:34 2022 +0100
Fixed: Secure the uploads (OFBIZ-12080) Prevents * too long lines (10 000) by default * linked images inside SVG Adds a comment about double extensions not allowed Conflicts handled by hand SecuredUpload.java
---
.../src/main/java/org/apache/ofbiz/security/SecuredUpload.java | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
index 151c9c8..f592091 100644
--- a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
+++ b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
@@ -101,7 +101,7 @@ public class SecuredUpload {
     private static final String MODULE = SecuredUpload.class.getName();
     private static final List<String> DENIEDFILEEXTENSIONS = deniedFileExtensions();
     private static final List<String> DENIEDWEBSHELLTOKENS = deniedWebShellTokens();
-    private static final Integer maxLineLength = UtilProperties.getPropertyAsInteger("security", "maxLineLength", 10000);
+    private static final Integer MAXLINELENGTH = UtilProperties.getPropertyAsInteger("security", "maxLineLength", 10000);
 
     public static boolean isValidText(String content, List<String> allowed) throws IOException {
         return DENIEDWEBSHELLTOKENS.stream().allMatch(token -> isValid(content, token, allowed));
@@ -121,7 +121,7 @@ public class SecuredUpload {
 
         // Check max line length, default 10000
         if (!checkMaxLinesLength(fileToCheck)) {
-            Debug.logError("For security reason lines over " + maxLineLength.toString() + " are not allowed", MODULE);
+            Debug.logError("For security reason lines over " + MAXLINELENGTH.toString() + " are not allowed", MODULE);
             return false;
         }
 
@@ -689,7 +689,7 @@ public class SecuredUpload {
         File file = new File(fileToCheck);
         List<String> lines = FileUtils.readLines(file, Charset.defaultCharset());
         for (String line : lines) {
-            if (line.length() > MAXLINELENGTH) {
+            if (line.length() > MAXLINELENGTH) {
                 return false;
             }
         }
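Review bot: The length guard on the new side still materialises the whole upload before it checks anything — `FileUtils.readLines(file, Charset.defaultCharset())` loads every line into a `List<String>` and only then does the loop compare `line.length()` against `MAXLINELENGTH`, so a single very long line is held in memory in full before it is rejected, and the character count depends on the JVM's default charset. A streaming pass that counts characters per line and returns `false` as soon as the limit is exceeded keeps memory bounded by the reader's buffer and gives a platform-independent result once the charset is fixed to `StandardCharsets.UTF_8`; note that `Files.newBufferedReader` surfaces malformed input as a `MalformedInputException` where the commons-io call substituted replacement characters, so the caller's handling of `IOException` should be confirmed before switching. The enclosing `checkMaxLinesLength` method's signature and its final `return` lie outside the hunk.
```java
        File file = new File(fileToCheck);
        // Stream the file so an over-long line is rejected without buffering the whole upload.
        try (Reader reader = Files.newBufferedReader(file.toPath(), StandardCharsets.UTF_8)) {
            int lineLength = 0;
            int c;
            while ((c = reader.read()) != -1) {
                if (c == '\n' || c == '\r') {
                    lineLength = 0;
                } else if (++lineLength > MAXLINELENGTH) {
                    return false;
                }
            }
        }
```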