This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release18.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release18.12 by this push:
new f289a80 Fixed: Secure the uploads (OFBIZ-12080)
f289a80 is described below
commit f289a807492cbb9463c351cd28e6e3bea3dfaedc
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Sun Feb 27 15:42:10 2022 +0100
Fixed: Secure the uploads (OFBIZ-12080)
Just occurred to my mind that I forgot to lower case the tokens in DENIEDWEBSHELLTOKENS when checking with SecuredUpload::isValidText
---
.../security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
index 10504d9..ce4419c 100644
--- a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
+++ b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
@@ -104,7 +104,7 @@ public class SecuredUpload {
 private static final Integer MAXLINELENGTH = UtilProperties.getPropertyAsInteger("security", "maxLineLength", 10000);
 public static boolean isValidText(String content, List<String> allowed) throws IOException {
- return content != null ? DENIEDWEBSHELLTOKENS.stream().allMatch(token -> isValid(content, token, allowed)) : false;
+ return content != null ? DENIEDWEBSHELLTOKENS.stream().allMatch(token -> isValid(content, token.toLowerCase(), allowed)) : false;
 }
 public static boolean isValidFileName(String fileToCheck, Delegator delegator) throws IOException {
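Review bot: The added `token.toLowerCase()` on the new `return` line of isValidText is locale-sensitive: with no `Locale` argument it uses the JVM default, and under a Turkish-style locale an upper-case `I` in a denied token folds to dotless `ı` instead of `i`, so a denylist entry would silently stop matching on that deployment. Since this is a security check, fold with a fixed locale, `token.toLowerCase(Locale.ROOT)`, and add `java.util.Locale` to the imports (the import block is outside this hunk). Whether `isValid` lower-cases `content` with the same rule is not visible here and should be confirmed so both sides of the comparison agree; the DENIEDWEBSHELLTOKENS declaration is also outside the hunk, and lower-casing the entries once where that list is built would avoid redoing it on every call. As a style point, `content != null ? … : false` reads more directly as `return content != null && DENIEDWEBSHELLTOKENS.stream().allMatch(…);`. The isValidFileName signature that closes the hunk continues outside it.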