[ofbiz-framework] 02/03: Fixed: Secure the uploads (OFBIZ-12080)

Wed, 23 Feb 2022 03:02:07 -0800 

This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

commit 0de23fa780b4eeee0c3c20eb13993881f7f014d5
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Wed Feb 23 09:33:17 2022 +0100

    Fixed: Secure the uploads (OFBIZ-12080)
    
    Adds some tokens in security.properties::deniedWebShellTokens
    Updates SecurityUtilTest::webShellTokensTesting accordingly
    
    # Conflicts handled by hand
     framework/security/config/security.properties
     
framework/security/src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java
---
 framework/security/config/security.properties | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/framework/security/config/security.properties 
b/framework/security/config/security.properties
index 70fb232..9614d7f 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -221,11 +221,11 @@ allowAllUploads=
 #-- "freemarker" should be OK, should not be used in Freemarker templates, not 
part of the syntax.
 #-- Else "template.utility.Execute" is a good replacement but not as much 
catching, who knows...
 #-- If you are sure you are safe for a token you can remove it, etc.
-deniedWebShellTokens=freemarker,<script,javascript,<body,<form,<jsp:,<c:out,taglib,<prefix,<%@
 page,<?php,exec(\
+deniedWebShellTokens=java.,beans,freemarker,<script,javascript,<body,<form,<jsp:,<c:out,taglib,<prefix,<%@
 page,<?php,exec(,\
                      
%eval,@eval,eval(,runtime,import,passthru,shell_exec,assert,str_rot13,system,decode,include,page
 ,\
                      chmod,mkdir,fopen,fclose,new 
file,upload,getfilename,download,getoutputstring,readfile,\
-                     python,perl ,/perl,ruby 
,/ruby,process,function,class,InputStream,to_server,wget,\
-                     
ifconfig,route,crontab,netstat,uname,hostname,iptables,whoami,"cmd",*cmd|,+cmd|,=cmd|,localhost
+                     python,perl ,/perl,ruby 
,/ruby,process,function,class,InputStream,to_server,wget ,static,\
+                     ifconfig,route,crontab,netstat,uname 
,hostname,iptables,whoami,"cmd",*cmd|,+cmd|,=cmd|,localhost
 
 
 #-- Max line length for uploaded files, by default 10000

Reply via email to