This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/trunk by this push:
new 4cb8ff7097 Fixed: Disallow string concatenation in uploaded files
(OFBIZ-12794)
4cb8ff7097 is described below
commit 4cb8ff7097117eb8ebc9302808afdbc221f1fafe
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Sat Apr 8 11:06:02 2023 +0200
Fixed: Disallow string concatenation in uploaded files (OFBIZ-12794)
An external security reporter brought to our attention that a signed up user
could upload a webshell using string concatenation. Of course there is no
reason
for a signed up user to upload a webshell. And anyway we don't create CVEs
for
signed up users trying our security.
Nevertheless we have decided to fix this possibility while allowing to
bypass it
using a new security property. The later can be useful when a file must
contain
a string concatenation, images files, seen as encoded texts, come to mind.
Thanks: so far unknown security reporter
---
framework/security/config/security.properties | 2 ++
.../src/main/java/org/apache/ofbiz/security/SecuredUpload.java | 8 ++++++++
2 files changed, 10 insertions(+)
diff --git a/framework/security/config/security.properties
b/framework/security/config/security.properties
index 2222fc22d8..54e91c0ee7 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -270,6 +270,8 @@
deniedWebShellTokens=java.,beans,freemarker,<script,javascript,<body,body ,<form
python,perl ,/perl,ruby
,/ruby,process,function,class,InputStream,to_server,wget
,static,assign,webappPath,\
ifconfig,route,crontab,netstat,uname
,hostname,iptables,whoami,"cmd",*cmd|,+cmd|,=cmd|,localhost,thread,require,gzdeflate
+allowStringConcatenationInUploadedFiles=false
+
#-- Max line length for uploaded files, by default 10000
maxLineLength=
diff --git
a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
index fb9fd68ed3..c9c52f7051 100644
---
a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
+++
b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
@@ -105,8 +105,16 @@ public class SecuredUpload {
private static final List<String> DENIEDFILEEXTENSIONS =
getDeniedFileExtensions();
private static final List<String> DENIEDWEBSHELLTOKENS =
getDeniedWebShellTokens();
private static final Integer MAXLINELENGTH =
UtilProperties.getPropertyAsInteger("security", "maxLineLength", 10000);
+ private static final Boolean ALLOWSTRINGCONCATENATIONINUPLOADEDFILES =
+ UtilProperties.getPropertyAsBoolean("security",
"allowStringConcatenationInUploadedFiles", false);
public static boolean isValidText(String content, List<String> allowed)
throws IOException {
+ String contentWithoutSpaces = content.replace(" ", "");
+ if ((contentWithoutSpaces.contains("\"+\"") ||
contentWithoutSpaces.contains("'+'"))
+ && !ALLOWSTRINGCONCATENATIONINUPLOADEDFILES) {
+ Debug.logInfo("The uploaded file contains a string concatenation.
It can't be uploaded for security reason", MODULE);
+ return false;
+ }
return content != null ? DENIEDWEBSHELLTOKENS.stream().allMatch(token
-> isValid(content, token.toLowerCase(), allowed)) : false;
}
