This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/trunk by this push: new 93c8c3d1a9 Improved: OFBiz doesn't allow upload. (OFBIZ-12929) 93c8c3d1a9 is described below commit 93c8c3d1a98ae848ac64edae29d8e1f5898bccb8 Author: Jacques Le Roux <jacques.le.r...@les7arts.com> AuthorDate: Wed Mar 13 18:16:37 2024 +0100 Improved: OFBiz doesn't allow upload. (OFBIZ-12929) More information about upload of MS Office files --- framework/common/config/SecurityUiLabels.xml | 4 ++-- .../java/org/apache/ofbiz/security/SecuredUpload.java | 18 +++++++++++++++--- 2 files changed, 17 insertions(+), 5 deletions(-)
diff --git a/framework/common/config/SecurityUiLabels.xml b/framework/common/config/SecurityUiLabels.xml
index 326b2d7f71..f4a7e02a10 100644
--- a/framework/common/config/SecurityUiLabels.xml
+++ b/framework/common/config/SecurityUiLabels.xml
@@ -768,8 +768,8 @@
 <value xml:lang="zh-TW">SecurityViewPermissionError 你沒有權限檢視本頁面. (需要"SECURITY_VIEW" 或 "SECURITY_ADMIN")</value>
 </property>
 <property key="SupportedFileFormatsIncludingSvg">
- <value xml:lang="en">For security reason only valid files of supported image formats (GIF, JPEG, PNG, TIFF), SVG, PDF, and ZIP or text files with safe names (only Alpha-Numeric characters, hyphen, underscore and spaces, only 1 dot, name and extension not empty) and contents are accepted.</value>
- <value xml:lang="fr">Pour des raisons de sécurité, seuls les fichiers valides de formats d'image pris en charge (GIF, JPEG, PNG, TIFF), les fichiers SVG, PDF, et les fichiers ZIP ou texte avec des noms sûrs (uniquement des caractères alphanumériques, 1 seul point, nom et extension non vides) et aux contenus sûrs sont acceptés.</value>
+ <value xml:lang="en">For security reason only valid files of supported image formats (GIF, JPEG, PNG, TIFF), SVG, PDF, and ZIP or text files with safe names (only Alpha-Numeric characters, hyphen, underscore and spaces, only 1 dot, name and extension not empty) and safe contents are accepted. For Ms Office files try to transform a Word file to PDF and an Excel file to CSV. For other file types try PDF.</value>
+ <value xml:lang="fr">Pour des raisons de sécurité, seuls les fichiers valides de formats d'image pris en charge (GIF, JPEG, PNG, TIFF), les fichiers SVG, PDF, et les fichiers ZIP ou texte avec des noms sûrs (uniquement des caractères alphanumériques, 1 seul point, nom et extension non vides) et aux contenus sûrs sont acceptés. Pour les fichiers Ms Office, essayez de transformer un fichier Word en PDF et un fichier Excel en CSV.
Pour d'autres types de fichiers, essayez le PDF.</value>
 </property>
 <property key="SupportedFileFormats">
 <value xml:lang="en">For security reason only valid files of supported image formats (GIF, JPEG, PNG, TIFF), PDF or text files with safe names (only Alpha-Numeric characters, hyphen, underscore and spaces, only 1 dot, name and extension not empty) and contents are accepted.</value>
diff --git a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
index 79c5ccd377..5edc8ca555 100644
--- a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
+++ b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
@@ -236,10 +236,21 @@ public class SecuredUpload {
 // Check the file content
- // Check max line length, default 10000.
- // PDF files are not concerned because they may contain several CharSet encodings
- // hence no possibility to use Files::readAllLines that needs a sole CharSet
+ /* Check max line length, default 10000. PDF files are not concerned because they may contain several CharSet encodings hence no possibility to use Files::readAllLines that needs a sole CharSet MsOffice files are not accepted. This is why: https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-529/Microsoft-Word.html https://www.cvedetails.com/version-list/26/410/1/Microsoft-Excel.html You name it... */
 if (!isPdfFile(fileToCheck)) {
+ if (getMimeTypeFromFileName(fileToCheck).equals("application/x-tika-msoffice")) {
+ Debug.logError("File : " + fileToCheck + ", is a MS Office file." + " It can't be uploaded for security reason. Try to transform a Word file to PDF, " + "and an Excel file to CSV. For other file types try PDF.", MODULE);
+ return false;
+ }
 if (!checkMaxLinesLength(fileToCheck)) {
 Debug.logError("For security reason lines over " + MAXLINELENGTH.toString() + " are not allowed", MODULE);
 return false;
@@ -848,6 +859,7 @@ public class SecuredUpload {
 }
 }
 } catch (IOException e) {
+ Debug.logError(e, "File : " + fileToCheck + ", can't be uploaded for security reason", MODULE);
 return false;
 }
 return true;
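Review bot: The new MS Office rejection inside the `!isPdfFile(fileToCheck)` branch keys on `getMimeTypeFromFileName(fileToCheck)`, a type derived from the caller-supplied name rather than from the bytes, so a `.doc` renamed to an accepted extension would not match and would fall through to the line-length check exactly as before; the hunk shows no content-based detection backing this gate. It also compares for exactly one type, `application/x-tika-msoffice`, which Tika uses for the legacy OLE2 container — if the helper maps extensions to their specific types (`application/msword`, `application/vnd.ms-excel`, or the `application/vnd.openxmlformats-officedocument.*` types for `.docx`/`.xlsx`, which are ZIP containers and the label says ZIP is accepted), this `equals` never fires. I cannot see `getMimeTypeFromFileName` here, so please verify what it returns for `.doc`, `.docx` and `.xlsx` and match the family (a prefix or a small set of types) against a content-sniffed type rather than the name; the block comment above the check would then also be able to say what is actually rejected instead of "You name it...". Independently, reverse the comparison so a null return cannot throw: `if ("application/x-tika-msoffice".equals(getMimeTypeFromFileName(fileToCheck))) {`. The enclosing method starts before this hunk and continues after it.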
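Review bot: The log line added to the `catch (IOException e)` block reports an I/O failure as a security decision: `", can't be uploaded for security reason"` will send an operator hunting for a malicious file when the cause may be an unreadable or truncated upload. Passing `e` so the stack trace is logged is the right call, and the `return false` (reject on failure to check) is the safe default; only the wording is off, e.g. `Debug.logError(e, "File : " + fileToCheck + ", could not be read during security checks, upload rejected", MODULE);`. The method this catch belongs to starts before the hunk and its name is not visible here, so this is a wording point only.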