This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
commit 11986593b668661d748789154a6052ef4e1ab1c6
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Wed May 15 17:16:29 2024 +0200
Improved: Prevent special encoded characters sequences in URLs (OFBIZ-13092) Better avoid special encoded characters sequences Improves deniedWebShellTokens in security.properties
---
framework/security/config/security.properties | 2 +-
.../apache/ofbiz/webapp/control/ControlFilter.java | 23 ++++++++++------------
2 files changed, 11 insertions(+), 14 deletions(-)
diff --git a/framework/security/config/security.properties b/framework/security/config/security.properties
index a5fb32f108..41bc226920 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -278,7 +278,7 @@ deniedWebShellTokens=java.,beans,freemarker,<script,javascript,<body,body ,<form
 chmod,mkdir,fopen,fclose,new file,upload,getfilename,download,getoutputstring,readfile,iframe,object,embed,onload,build,\
 python,perl ,/perl,ruby ,/ruby,process,function,class,InputStream,to_server,wget ,static,assign,webappPath,\
 ifconfig,route,crontab,netstat,uname ,hostname,iptables,whoami,"cmd",*cmd|,+cmd|,=cmd|,localhost,thread,require,gzdeflate,\
- execute,println,calc
+ execute,println,calc,calculate,touch
 allowStringConcatenationInUploadedFiles=false
diff --git a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
index 3110773989..b1f3dfd976 100644
--- a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
+++ b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
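Review bot: `calculate` adds nothing if the tokens are matched as substrings, which existing entries like `*cmd|` and `body ` suggest, because `calc` already covers it, while `touch` is an ordinary English word that will also match legitimate values such as `touchscreen` or `ontouchstart`; confirming the match semantics before widening the list would avoid a false-positive denial. Since this denylist is presumably consulted on every request, the rationale for new tokens is worth keeping with the config rather than only in the commit message; a `#` comment above the `deniedWebShellTokens=` line (outside this hunk, because a comment between the `\` continuation lines would be read as part of the value) naming the issue and the tokens it added would do.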
@@ -159,27 +159,24 @@ public class ControlFilter extends HttpFilter {
 return;
 }
 }
- // Reject wrong URLs
- if (req.getRequestURL() != null) { // Allow tests with Mockito. ControlFilterTests send null
+ String initialURI = req.getRequestURI();
+ if (initialURI != null) { // Allow tests with Mockito. ControlFilterTests send null
 try {
- String url = new URI(req.getRequestURL().toString()).normalize().toString();
- if (!req.getRequestURL().toString().equals(url)) {
- throw new RuntimeException();
+ String uRIFiltered = new URI(initialURI)
+ .normalize().toString()
+ .replaceAll(";", "")
+ .replaceAll("(?i)%2e", "") // . encoded
+ ;
+ if (!initialURI.equals(uRIFiltered)) {
+ Debug.logError("For security reason this URL is not accepted", MODULE);
+ throw new RuntimeException("For security reason this URL is not accepted");
 }
 } catch (URISyntaxException e) {
 throw new RuntimeException(e);
 }
 }
-
- // normalize to remove ".." special name usage to bypass webapp filter
- try {
- uri = new URI(uri).normalize().toString();
- } catch (URISyntaxException e) {
- throw new RuntimeException(e);
- }
-
- // Check if the requested URI is allowed.
 if (allowedPaths.stream().anyMatch(uri::startsWith)) {
 try {
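Review bot: The new rejection branch logs a fixed message and throws a generic RuntimeException, so an operator sees neither which request was rejected nor a 4xx on the client side; logging the offending value, `Debug.logError("For security reason this URL is not accepted: " + initialURI, MODULE);`, would make these rejections usable for detection, and answering with `HttpServletResponse.SC_BAD_REQUEST` through the response parameter (declared in the method signature, which lies outside this hunk) instead of the 500 a RuntimeException produces would be more accurate. Stripping `;` also rejects the container's `;jsessionid=` path parameter, which `getRequestURI()` includes; if that is intended, a comment on the `.replaceAll(";", "")` line such as `// rejects path parameters, including ;jsessionid= URL rewriting` would save the next reader a surprise. Dropping the former `new URI(uri).normalize()` step is only equivalent if `uri` is derived from the same `getRequestURI()` value now being validated, which the hunk does not show. Minor style: `uRIFiltered` should be `uriFiltered`, the dangling `;` belongs on the last `.replaceAll` line, and the duplicated message literal could be a single local or constant.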