This is an automated email from the ASF dual-hosted git repository.

pgil pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/trunk by this push:
     new d17d06fd7c Fixed: Avoid exploit using `..` special name in request uri.
d17d06fd7c is described below

commit d17d06fd7c654621446320a98b45b3ebb859c648
Author: Gil Portenseigne <gil.portensei...@nereide.fr>
AuthorDate: Fri Jan 12 16:08:05 2024 +0100

    Fixed: Avoid exploit using `..` special name in request uri.
    
    Before, a user could bypass webapp filter rules using `..` notation,
    allowing access to the complete docBase provided by tomcat.
    
    Example `w3m https://localhost:8443/partymgr/control/../a.txt` could be
    used to access `a.txt` file in partymgr webapp, even though `control` is
    needed to pass filter rules.
    
    Even if there is no possibility to remotely define files in docBase,
    this patch ensure that no exploit using `..` notation is possible.
---
 .../main/java/org/apache/ofbiz/webapp/control/ControlFilter.java | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git 
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
 
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
index 9256afc11d..a22888b9f5 100644
--- 
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
+++ 
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
@@ -19,6 +19,8 @@
 package org.apache.ofbiz.webapp.control;
 
 import java.io.IOException;
+import java.net.URI;
+import java.net.URISyntaxException;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.Set;
@@ -158,6 +160,13 @@ public class ControlFilter extends HttpFilter {
                 }
             }
 
+            // normalize to remove ".." special name usage to bypass webapp 
filter
+            try {
+                uri = new URI(uri).normalize().toString();
+            } catch (URISyntaxException e) {
+                throw new RuntimeException(e);
+            }
+
             // Check if the requested URI is allowed.
             if (allowedPaths.stream().anyMatch(uri::startsWith)) {
                 try {
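Review bot: `URI.normalize()` only collapses literal `.` and `..` segments, so percent-encoded forms such as `%2e%2e` pass through the added normalization untouched; if `uri` is the raw value of `getRequestURI()` (its origin is outside the hunk), a request like `/partymgr/control/%2e%2e/a.txt` would still satisfy the `uri::startsWith` allowlist while the container, which decodes before normalizing, serves `/partymgr/a.txt`. Safer is to run the check against the path the container actually mapped, e.g. build `uri` from `request.getServletPath()` plus `request.getPathInfo()` (already decoded and normalized), or decode before calling `normalize()`, and add a comment stating which form of the URI is being checked. The `catch` also turns a malformed request URI into an unhandled `RuntimeException`, i.e. a 500 with a stack trace, where the filter should reject the request itself; assuming `doFilter`'s `HttpServletResponse response` parameter is in scope (the method starts and ends outside the hunk), replace the rethrow with `response.sendError(HttpServletResponse.SC_BAD_REQUEST); return;`.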
