This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/trunk by this push: new 3693b544c2 Fixed: Make sure no PDF files contain unwanted attachments can be uploaded (OFBIZ-12926) 3693b544c2 is described below commit 3693b544c21fd1ffc164137594636e4e35c27fe2 Author: Jacques Le Roux <jacques.le.r...@les7arts.com> AuthorDate: Thu Mar 14 09:01:54 2024 +0100 Fixed: Make sure no PDF files contain unwanted attachments can be uploaded (OFBIZ-12926) I was unsure about the possibility to make a XXE attack without a DOCTYPE. It's possible as exemplified at https://github.com/payloadbox/xxe-injection-payload-list#user-content-xxe-xxe-inside-soap-example So I decided to change the allowZUGFeRDnotSecure security property to "false". Of course it's still possible to bypass this OOTB property. --- framework/security/config/security.properties | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/framework/security/config/security.properties b/framework/security/config/security.properties index 701d07afb3..94f4c4a296 100644 --- a/framework/security/config/security.properties +++ b/framework/security/config/security.properties @@ -287,8 +287,8 @@ maxLineLength= # Allow uploading non-empty pdf files as long as they are ZUGFeRD compliant allowZUGFeRDCompliantUpload=true -# Allow uploading ZUGFeRD compliant files with no XML header and no schema -allowZUGFeRDnotSecure=true +# Allow uploading ZUGFeRD compliant files with no XML header and no schema (aka DOCTYPE) +allowZUGFeRDnotSecure=false #-- Popup last-visited time from database after user has logged in. #-- So users can know of any unauthorised access to their accounts.
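Review bot: the reworded comment in the security.properties hunk equates "no schema" with "DOCTYPE" ("no XML header and no schema (aka DOCTYPE)"), but an XML schema and a DOCTYPE are different things: a DOCTYPE introduces a DTD, which is where entity declarations, and so XXE, live, whereas a schema (XSD) is referenced separately and declares no entities. Suggest describing what the upload check actually looks for, for example "# Allow uploading ZUGFeRD compliant files that have no XML declaration and no DOCTYPE/DTD (unsafe: embedded XML may declare external entities)". Since the commit message itself notes the OOTB property can be bypassed, and the code that consults allowZUGFeRDnotSecure is not part of this diff, the comment should also warn operators that flipping the value back to true re-enables that exposure; the default change is the only guarantee this hunk provides.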
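An added example, not OFBiz code and not part of the commit above: a standard-library Python check in the spirit of the stricter default, which rejects an attachment's XML whenever it declares a DOCTYPE or any entity, and then re-applies the same check to element text that is itself XML, the pattern used when a payload is smuggled inside a CDATA section of an outer document (loosely modeled on the "XXE inside SOAP" idea the commit message links to). The sample documents, the function names and the verdict strings are constructed for this illustration.

```python
"""Reject ZUGFeRD-style XML attachments that carry a DTD, at the top level
or inside text that a later component would parse as XML again.

Added example, not OFBiz code. Sample documents below are constructed.
Uses only xml.parsers.expat from the standard library.
"""
from __future__ import annotations

import xml.parsers.expat


class DtdFound(Exception):
    """Raised by a handler as soon as a DOCTYPE or entity declaration is seen."""


def has_dtd(data: bytes | str) -> bool:
    """True if the document declares a DOCTYPE or an entity anywhere in its prolog.

    The DOCTYPE handler fires before any SYSTEM/PUBLIC identifier is resolved,
    and parameter-entity parsing is disabled, so nothing external is fetched.
    Raises ExpatError for input that is not well-formed XML.
    """
    parser = xml.parsers.expat.ParserCreate()
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdFound(f"DOCTYPE {name!r}")

    def on_entity(*args):  # belt and braces: entities only exist inside a DTD
        raise DtdFound("ENTITY declaration")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(data, True)
    except DtdFound:
        return True
    return False


def embedded_xml_chunks(data: bytes | str) -> list[str]:
    """Return the text content of every element that itself looks like XML markup.

    CDATA content is delivered through CharacterDataHandler, so a payload such as
    <![CDATA[<!DOCTYPE ...>]]> is collected here without being parsed as markup.
    """
    parser = xml.parsers.expat.ParserCreate()
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    buf: list[str] = []
    chunks: list[str] = []

    def flush():
        text = "".join(buf).strip()
        buf.clear()
        if text.startswith("<"):
            chunks.append(text)

    parser.StartElementHandler = lambda name, attrs: flush()
    parser.EndElementHandler = lambda name: flush()
    parser.CharacterDataHandler = buf.append
    parser.Parse(data, True)
    return chunks


def scan_attachment(data: bytes) -> str:
    """Policy matching an 'allowZUGFeRDnotSecure=false' stance: no DTD anywhere."""
    try:
        if has_dtd(data):
            return "REJECT: DOCTYPE/ENTITY at top level"
        for chunk in embedded_xml_chunks(data):
            try:
                if has_dtd(chunk):
                    return "REJECT: DOCTYPE/ENTITY in embedded XML"
            except xml.parsers.expat.ExpatError:
                continue  # text that merely starts with '<' but is not XML
    except xml.parsers.expat.ExpatError:
        return "REJECT: not well-formed XML"
    return "ACCEPT"


# Constructed samples (hypothetical element names, not the real ZUGFeRD schema).
CLEAN_INVOICE = b"""<?xml version="1.0" encoding="UTF-8"?>
<Invoice>
  <ID>INV-2024-001</ID>
  <Total currency="EUR">119.00</Total>
</Invoice>
"""

CLASSIC_XXE = b"""<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<Invoice><ID>&xxe;</ID></Invoice>
"""

# No DOCTYPE at the top level; the DTD rides inside CDATA and only bites
# when a downstream component parses the element text as XML.
NESTED_XXE = (
    b"<Envelope><Body><Document><![CDATA["
    b'<!DOCTYPE doc [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><doc>&xxe;</doc>'
    b"]]></Document></Body></Envelope>"
)

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_INVOICE), ("classic", CLASSIC_XXE), ("nested", NESTED_XXE)):
        print(f"{label:8} top-level DTD={has_dtd(doc)!s:5} -> {scan_attachment(doc)}")
```

The point the nested sample makes is that "the upload has no DOCTYPE" is a statement about the outer document only; any check keyed on that must be repeated wherever extracted text is handed to another XML parser, or the parser itself must be configured to refuse DTDs.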