This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release22.01 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
commit f65b24aed02738273a2ee243ccfad5a5469f4e58
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Sat Apr 8 11:06:02 2023 +0200
Fixed: Disallow string concatenation in uploaded files (OFBIZ-12794) An external security reporter brought to our attention that a signed up user could upload a webshell using string concatenation. Of course there is no reason for a signed up user to upload a webshell. And anyway we don't create CVEs for signed up users trying our security. Nevertheless we have decided to fix this possibility while allowing to bypass it using a new security property. The later can be useful when a file must contain a string concatenation, images files, seen as encoded texts, come to mind. Thanks: so far unknown security reporter
---
 .../src/main/java/org/apache/ofbiz/security/SecuredUpload.java | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
index 1b0a851761..c9c52f7051 100644
--- a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
+++ b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
@@ -105,12 +105,13 @@ public class SecuredUpload {
     private static final List<String> DENIEDFILEEXTENSIONS = getDeniedFileExtensions();
     private static final List<String> DENIEDWEBSHELLTOKENS = getDeniedWebShellTokens();
     private static final Integer MAXLINELENGTH = UtilProperties.getPropertyAsInteger("security", "maxLineLength", 10000);
-    private static final Boolean allowStringConcatenationInUploadedFiles = UtilProperties.getPropertyAsBoolean("security", "allowStringConcatenationInUploadedFiles", false);
+    private static final Boolean ALLOWSTRINGCONCATENATIONINUPLOADEDFILES =
+            UtilProperties.getPropertyAsBoolean("security", "allowStringConcatenationInUploadedFiles", false);
 
     public static boolean isValidText(String content, List<String> allowed) throws IOException {
         String contentWithoutSpaces = content.replace(" ", "");
         if ((contentWithoutSpaces.contains("\"+\"") || contentWithoutSpaces.contains("'+'"))
-                && !allowStringConcatenationInUploadedFiles) {
+                && !ALLOWSTRINGCONCATENATIONINUPLOADEDFILES) {
             Debug.logInfo("The uploaded file contains a string concatenation. It can't be uploaded for security reason", MODULE);
             return false;
         }
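Review bot: The normalization feeding the concatenation check strips only the space character (`content.replace(" ", "")`), so the `contains` test on the following line still treats any other whitespace between the two literals as significant; normalizing all whitespace, `String contentWithoutSpaces = content.replaceAll("\\s", "");`, keeps the rejection decision independent of how the uploaded text is formatted. The rejection itself is logged with `Debug.logInfo` and carries no identifying context; a refused upload is a security event, so `Debug.logWarning` (with the file name, if the caller can pass it down) would make it visible to monitoring. The renamed constant would also benefit from a comment stating what the property does, e.g. `// Security property: when true, uploaded files containing string concatenation are accepted (e.g. image files whose bytes happen to read as text).` The body of `isValidText` continues past the end of the hunk.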