This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
commit 30cb6da0b160ed2ff712709710cd9d95fca4f93c
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Fri Feb 18 18:35:09 2022 +0100
Fixed: Secure the uploads (OFBIZ-12080) Prevents special bytes in filename Adds some deniedFileExtensions
---
 framework/security/config/security.properties | 4 ++--
 .../main/java/org/apache/ofbiz/security/SecuredUpload.java | 14 +++++++++++++-
 2 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/framework/security/config/security.properties b/framework/security/config/security.properties
index fa96158..576e69f 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -236,8 +236,8 @@ templateClassResolver=
 #--
 #-- List of denied files suffixes to be uploaded
 #-- OFBiz of course also check contents...
-deniedFileExtensions=html,htm,php,php1,php2,hph3,php4,php5,asp,aspx,asa,asax,ascx,ashx,asmx,jsp,jspa,jspx,jsw,jsv,jspf,jtml,cfm,cfc,bat,exe,com,dll,\
- vbs,js,reg,cgi,htaccess,asis,sh,phtm,shtm,inc,asp,cdx,asa,cer,py,pl,shtml,hta,ps1,tag
+deniedFileExtensions=html,htm,php,php1,php2,hph3,php4,php5,php6,php7,phps,asp,aspx,asa,asax,ascx,ashx,asmx,jsp,jspa,jspx,jsw,jsv,jspf,jtml,cfm,cfc,bat,exe,com,dll,\
+ vbs,js,reg,cgi,htaccess,asis,sh,phtm,pht,phtml,shtm,inc,asp,cdx,asa,cer,py,pl,shtml,hta,ps1,tag,pgif,htaccess,phar,inc,cgi,wss,do,action
 #--
 #-- The upload vulnerability is only a post-auth (needs a credential with suitable permissions),
 #-- people may like to allow more than what is allowed OOTB
diff --git a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
index 793e68a..1d117bd 100644
--- a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
+++ b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
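Review bot: The rewritten deniedFileExtensions line still carries `hph3`, inherited from the removed line, which reads as a typo for `php3`: with php1, php2 and php4 through php7 denied, `.php3` is the one classic PHP suffix this list lets through, so it should become `php3`. The same new line now lists `htaccess`, `inc`, `cgi`, `asp` and `asa` twice; duplicates are harmless for a membership test but make the list harder to audit, so de-duplicate it while touching the line. The two continuation lines are the only change in this hunk; the surrounding `#--` comments are context.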
@@ -113,12 +113,13 @@ public class SecuredUpload {
 return true;
 }
- // Prevent double extensions
+ // Prevents double extensions
 if (StringUtils.countMatches(fileToCheck, ".") > 1) {
 Debug.logError("Double extensions are not allowed for security reason", MODULE);
 return false;
 }
+ // Check max line length, default 10000
 if (!checkMaxLinesLength(fileToCheck)) {
 Debug.logError("For security reason lines over " + MAXLINELENGTH.toString() + " are not allowed", MODULE);
@@ -132,6 +133,17 @@ public class SecuredUpload {
 // Check extensions
 if (p != null && p.getFileName() != null) {
 String fileName = p.getFileName().toString(); // The file name is the farthest element from the root in the directory hierarchy.
+ // Prevents null byte in filename
+ if (fileName.contains("%00")
+ || fileName.contains("%0a")
+ || fileName.contains("%20")
+ || fileName.contains("%0d%0a")
+ || fileName.contains("/")
+ || fileName.contains("./")
+ || fileName.contains(".")) {
+ Debug.logError("Special bytes in filename are not allowed for security reason", MODULE);
+ return false;
+ }
 if (DENIEDFILEEXTENSIONS.contains(FilenameUtils.getExtension(fileToCheck).toLowerCase())) {
 Debug.logError("This file extension is not allowed for security reason", MODULE);
 deleteBadFile(fileToCheck);
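Review bot: The last clause of the new guard in the second hunk, `fileName.contains(".")`, rejects every file name that has an extension (e.g. `report.pdf`), which contradicts the double-extension check earlier in the method that tolerates a single dot and makes the DENIEDFILEEXTENSIONS branch directly below unreachable for any such name; it looks like a leftover and should be dropped (the `"./"` clause is also already covered by `"/"`). The remaining clauses match the percent-encoded text `%00`, `%0a`, `%0d%0a` and `%20`, not the decoded control characters; if the name was URL-decoded before reaching this method, which I cannot see from the hunk, a raw NUL or newline in fileName passes, so the guard should also reject raw bytes below 0x20 and the backslash separator. Unlike the extension branch below it, the new branch returns without `deleteBadFile(fileToCheck)`, so a rejected upload stays on disk. The enclosing method starts and ends outside the hunk.
```java
            String fileName = p.getFileName().toString(); // The file name is the farthest element from the root in the directory hierarchy.
            // Reject control characters (raw or percent-encoded) and path separators in the file name;
            // a single dot is legitimate here, the double-extension check earlier already limits it to one.
            boolean hasControlChar = fileName.chars().anyMatch(c -> c < 0x20 || c == 0x7f);
            if (hasControlChar
                    || fileName.contains("/") || fileName.contains("\\")
                    || fileName.contains("%00") || fileName.contains("%0a") || fileName.contains("%0d")
                    || fileName.contains("%20")) {
                Debug.logError("Special bytes in filename are not allowed for security reason", MODULE);
                deleteBadFile(fileToCheck);
                return false;
            }
            // … unchanged: DENIEDFILEEXTENSIONS check …
```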