This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/trunk by this push:
new 3f69a54 Fixed: Secure the uploads (OFBIZ-12080)
3f69a54 is described below
commit 3f69a54891fe6a4a915d346ad958ddfdb46a987f
Author: Jacques Le Roux <[email protected]>
AuthorDate: Fri Feb 18 15:45:07 2022 +0100
Fixed: Secure the uploads (OFBIZ-12080)
Prevents billion laughs attacks
---
.../src/main/java/org/apache/ofbiz/security/SecuredUpload.java | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git
a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
index 6a86c75..793e68a 100644
---
a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
+++
b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
@@ -654,8 +654,9 @@ public class SecuredUpload {
}
}
String content = new String(bytesFromFile);
- if (content.toLowerCase().contains("xlink:href=\"http")) {
- Debug.logError("Linked images inside SVG are not allowed for
security reason", MODULE);
+ if (content.toLowerCase().contains("xlink:href=\"http")
+ || content.toLowerCase().contains("<!ENTITY ")) { // Billions
laugh attack
+ Debug.logError("Linked images inside or Entity in SVG are not
allowed for security reason", MODULE);
return false;
}
ArrayList<String> allowed = new ArrayList<>();
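Review bot: The new entity check on the `||` line can never match, because the haystack is `content.toLowerCase()` while the needle `"<!ENTITY "` is upper-case, so every lowercased document fails the test and the DTD guard this commit adds is inert; as written the SVG path rejects only the `xlink:href` case. Lowercase the needle as well and lowercase the content once, with an explicit locale so the comparison does not depend on the JVM's default (under a Turkish default locale `I` lowercases to dotless ı and a lower-case needle would miss too): `String lowered = content.toLowerCase(Locale.ROOT);` followed by `if (lowered.contains("xlink:href=\"http") || lowered.contains("<!entity ")) {`. A substring test on the raw text is at best a screen, since the check keys on one exact spelling of the declaration; the robust mitigation for entity-expansion is to disable DTD processing on the XML parser that later consumes the file, with the string check kept as a fast first rejection. The enclosing method starts before this hunk, so it is not visible here whether such parser hardening already exists downstream.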