This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

commit d33ce31012c97056f6e755261905e0950c96489d
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Wed May 15 12:30:46 2024 +0200

    Improved: Prevent special encoded characters sequences in URLs (OFBIZ-13092)
    
    Better avoids special encoded character sequences
    Improves deniedWebShellTokens in security.properties
---
 framework/security/config/security.properties                     | 2 +-
 .../main/java/org/apache/ofbiz/webapp/control/ControlFilter.java  | 8 ++++++--
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/framework/security/config/security.properties 
b/framework/security/config/security.properties
index 1dfb43cdd9..f7dbd25c12 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -240,7 +240,7 @@ 
deniedWebShellTokens=java.,beans,freemarker,<script,javascript,<body,body ,<form
                      chmod,mkdir,fopen,fclose,new 
file,upload,getfilename,download,getoutputstring,readfile,iframe,object,embed,onload,build,\
                      python,perl ,/perl,ruby 
,/ruby,process,function,class,InputStream,to_server,wget 
,static,assign,webappPath,\
                      ifconfig,route,crontab,netstat,uname 
,hostname,iptables,whoami,"cmd",*cmd|,+cmd|,=cmd|,localhost,thread,require,gzdeflate,\
-                     execute,println,calc
+                     execute,println,calc,touch,calculate
 
 #-- Max line length for uploaded files, by default 10000
 maxLineLength=
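Review bot: `calculate` on the changed `execute,println,calc,touch,calculate` line already contains the existing token `calc`, so unless the token check is a whole-word match the new entry adds no coverage; if the check is instead a substring match, `touch` will also reject any URL that merely contains that string (for example as part of a page or resource name). The matching code is not on this page, so this is worth confirming there before relying on either entry. A one-line comment above the property naming the match semantics (substring vs. whole token, case handling) would let future additions be judged without reading the consumer.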
diff --git 
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
 
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
index 235019f7d4..7c110155dd 100644
--- 
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
+++ 
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
@@ -135,9 +135,13 @@ public class ControlFilter implements Filter {
 
             // Reject wrong URLs
             try {
-                String url = new URI(((HttpServletRequest) 
request).getRequestURL().toString()).normalize().toString();
+                String url = new URI(((HttpServletRequest) 
request).getRequestURL().toString())
+                        .normalize().toString()
+                        .replaceAll(";", "")
+                        .replaceAll("(?i)%2e", "");
                 if (!((HttpServletRequest) 
request).getRequestURL().toString().equals(url)) {
-                    throw new RuntimeException();
+                    Debug.logError("For security reason this URL is not 
accepted", module);
+                    throw new RuntimeException("For security reason this URL 
is not accepted");
                 }
             } catch (URISyntaxException e) {
                 throw new RuntimeException(e);
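Review bot: The new `Debug.logError("For security reason this URL is not accepted", module)` line records neither the offending URL nor anything else that would let an operator find the rejected request, and `getRequestURL()` is evaluated twice on the surrounding lines. Capturing it once in a local, comparing against that local and appending it to the log message fixes both; `replaceAll(";", "")` can become `replace(";", "")` since no regex is involved. A short comment above the chain stating what is being rejected would also make the two stripped sequences readable as a deliberate denylist, including a decision on whether other percent-encoded path characters should be treated the same way. The enclosing method starts and ends outside the hunk.
```java
            // … unchanged: preceding filter logic and the try opening …
            String requestUrl = ((HttpServletRequest) request).getRequestURL().toString();
            // Reject any URL that is not already normalized, or that carries a ';'
            // (path parameter) or a percent-encoded '.' (case-insensitive %2e).
            String url = new URI(requestUrl)
                    .normalize().toString()
                    .replace(";", "")
                    .replaceAll("(?i)%2e", "");
            if (!requestUrl.equals(url)) {
                Debug.logError("For security reason this URL is not accepted: " + requestUrl, module);
                throw new RuntimeException("For security reason this URL is not accepted");
            }
            // … unchanged: URISyntaxException handling …
```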
