This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release22.01
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release22.01 by this push:
new 97740e0 Improved: Create a deny list to reject webshell tokens
(OFBIZ-12324)
97740e0 is described below
commit 97740e0c7af05d45b67848ae05d86040be629c22
Author: Jacques Le Roux <[email protected]>
AuthorDate: Fri Feb 18 13:50:50 2022 +0100
Improved: Create a deny list to reject webshell tokens (OFBIZ-12324)
Prevents CSV injection (MS Excel or Open Office)
---
framework/security/config/security.properties | 2 +-
.../src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java | 8 ++++++--
2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/framework/security/config/security.properties
b/framework/security/config/security.properties
index 7661561..fa96158 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -253,7 +253,7 @@
deniedWebShellTokens=freemarker,<script,javascript,<body,<form,<jsp:,<c:out,tagl
%eval,@eval,eval(,runtime,import,passthru,shell_exec,assert,str_rot13,system,decode,include,page
,\
chmod,mkdir,fopen,fclose,new
file,upload,getfilename,download,getoutputstring,readfile,\
python,perl ,/perl,ruby
,/ruby,process,function,class,InputStream,to_server,\
-
ifconfig,route,crontab,netstat,uname,hostname,iptables,whoami
+
ifconfig,route,crontab,netstat,uname,hostname,iptables,whoami,"cmd",*cmd|,+cmd|,=cmd|
#-- Max line length for uploaded files, by default 10000
diff --git
a/framework/security/src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java
b/framework/security/src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java
index 2ffe1e6..7b212dd 100644
---
a/framework/security/src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java
+++
b/framework/security/src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java
@@ -63,7 +63,7 @@ public class SecurityUtilTest {
//
%eval,@eval,eval(,runtime,import,passthru,shell_exec,assert,str_rot13,system,decode,include,page
,\
// chmod,mkdir,fopen,fclose,new
file,upload,getfilename,download,getoutputstring,readfile,\
// python,perl ,/perl,ruby
,/ruby,process,function,class,InputStream,to_server,\
- // ifconfig,route,crontab,netstat,uname,hostname,iptables,whoami
+ //
ifconfig,route,crontab,netstat,uname,hostname,iptables,whoami,"cmd",*cmd|,+cmd|,=cmd|
try {
List<String> allowed = new ArrayList<>();
@@ -122,11 +122,15 @@ public class SecurityUtilTest {
assertFalse(SecuredUpload.isValidText("route", allowed));
assertFalse(SecuredUpload.isValidText("crontab", allowed));
assertFalse(SecuredUpload.isValidText("netstat", allowed));
- assertFalse(SecuredUpload.isValidText("uname", allowed)); // found
1 image (on 33 600) with this token in
+ assertFalse(SecuredUpload.isValidText("uname", allowed)); // found
1 image (on 33 600, ~3GB) with this token in
assertFalse(SecuredUpload.isValidText("hostname", allowed));
assertFalse(SecuredUpload.isValidText("iptables", allowed));
assertFalse(SecuredUpload.isValidText("whoami", allowed));
// ip, ls, nc, ip, cat and pwd can'tbe used, too short
+ assertFalse(SecuredUpload.isValidText("\"cmd\"", allowed));
+ assertFalse(SecuredUpload.isValidText("*cmd|", allowed));
+ assertFalse(SecuredUpload.isValidText("+cmd|", allowed));
+ assertFalse(SecuredUpload.isValidText("=cmd|", allowed));
} catch (IOException e) {
fail(String.format("IOException occured : %s", e.getMessage()));
