This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release22.01
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release22.01 by this push:
new f4932aa Fixed: Stored XSS in webappPath parameter from
content/control/EditWebSite (OFBIZ-12584)
f4932aa is described below
commit f4932aa12d7faf51a7a1b90ee62de7b11dec9e28
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Sun Mar 13 21:10:21 2022 +0100
Fixed: Stored XSS in webappPath parameter from content/control/EditWebSite
(OFBIZ-12584)
Adds "webappPath" token in deniedWebShellTokens to definitely fix this issue
Also adds "assign" token for possible future Freemarker exploits
---
framework/security/config/security.properties | 2 +-
.../src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java | 4 +++-
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/framework/security/config/security.properties
b/framework/security/config/security.properties
index 039cd5a..2f09db9 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -259,7 +259,7 @@ allowAllUploads=
deniedWebShellTokens=java.,beans,freemarker,<script,javascript,<body,<form,<jsp:,<c:out,taglib,<prefix,<%@
page,<?php,exec(,alert(,\
%eval,@eval,eval(,runtime,import,passthru,shell_exec,assert,str_rot13,system,decode,include,page
,\
chmod,mkdir,fopen,fclose,new
file,upload,getfilename,download,getoutputstring,readfile,iframe,object,embed,onload,build,\
- python,perl ,/perl,ruby
,/ruby,process,function,class,InputStream,to_server,wget ,static,\
+ python,perl ,/perl,ruby
,/ruby,process,function,class,InputStream,to_server,wget
,static,assign,webappPath,\
ifconfig,route,crontab,netstat,uname
,hostname,iptables,whoami,"cmd",*cmd|,+cmd|,=cmd|,localhost,\
#-- Max line length for uploaded files, by default 10000
diff --git
a/framework/security/src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java
b/framework/security/src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java
index 698d1c8..b4dadb8 100644
---
a/framework/security/src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java
+++
b/framework/security/src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java
@@ -62,7 +62,7 @@ public class SecurityUtilTest {
//
java.,beans,freemarker,<script,javascript,<body,<form,<jsp:,<c:out,taglib,<prefix,<%@
page,<?php,exec(,alert(,\
//
%eval,@eval,eval(,runtime,import,passthru,shell_exec,assert,str_rot13,system,decode,include,page
,\
// chmod,mkdir,fopen,fclose,new
file,upload,getfilename,download,getoutputstring,readfile,iframe,object,embed,onload,build\
- // python,perl ,/perl,ruby
,/ruby,process,function,class,InputStream,to_server,wget ,static,\
+ // python,perl ,/perl,ruby
,/ruby,process,function,class,InputStream,to_server,wget
,static,assign,webappPath,\
// ifconfig,route,crontab,netstat,uname
,hostname,iptables,whoami,"cmd",*cmd|,+cmd|,=cmd|,localhost,\
try {
@@ -125,6 +125,8 @@ public class SecurityUtilTest {
assertFalse(SecuredUpload.isValidText("class", allowed));
assertFalse(SecuredUpload.isValidText("wget ", allowed));
assertFalse(SecuredUpload.isValidText("static", allowed));
+ assertFalse(SecuredUpload.isValidText("assign", allowed));
+ assertFalse(SecuredUpload.isValidText("webappPath", allowed));
assertFalse(SecuredUpload.isValidText("ifconfig", allowed));
assertFalse(SecuredUpload.isValidText("route", allowed));
