This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release18.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release18.12 by this push: new 4d68d1e Fixed: Secure the uploads (OFBIZ-12080) 4d68d1e is described below commit 4d68d1e92e33d48c1003f0f6b44b552a188e6a01 Author: Jacques Le Roux <jacques.le.r...@les7arts.com> AuthorDate: Fri Feb 18 15:45:07 2022 +0100 Fixed: Secure the uploads (OFBIZ-12080) Prevents billions laugh attacks
--- .../src/main/java/org/apache/ofbiz/security/SecuredUpload.java | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
index e863276..35df8c5 100644
--- a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
+++ b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
@@ -657,8 +657,9 @@ public class SecuredUpload {
 }
 }
 String content = new String(bytesFromFile);
- if (content.toLowerCase().contains("xlink:href=\"http")) {
- Debug.logError("Linked images inside SVG are not allowed for security reason", MODULE);
+ if (content.toLowerCase().contains("xlink:href=\"http")
+ || content.toLowerCase().contains("<!ENTITY ")) { // Billions laugh attack
+ Debug.logError("Linked images inside or Entity in SVG are not allowed for security reason", MODULE);
 return false;
 }
 ArrayList<String> allowed = new ArrayList<>();
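Review bot: The added entity check in this hunk can never match: `content.toLowerCase()` turns any `<!ENTITY` into `<!entity `, and `String.contains` is case-sensitive, so comparing against the upper-case literal `"<!ENTITY "` leaves the new guard dead and the SVG is still accepted. Lower-case once and compare against lower-case literals, e.g. `String lower = content.toLowerCase(Locale.ROOT);` followed by `if (lower.contains("xlink:href=\"http") || lower.contains("<!entity ")) { // Billion laughs attack`. `Locale.ROOT` (import `java.util.Locale` if the file lacks it) matters because plain `toLowerCase()` is locale-sensitive and both literals contain an `i`, which lowercases differently under some default server locales. A precompiled case-insensitive `Pattern` that accepts any whitespace after the keyword would be more robust than a literal with one trailing space, and `new String(bytesFromFile)` on the context line uses the platform charset, so passing `StandardCharsets.UTF_8` would make the scan deterministic across JVMs. The enclosing method starts and ends outside the hunk.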