This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/trunk by this push:
new 7c2487bc3f Improved: Adds some tokens to deniedWebShellTokens and updates webShellTokensTesting
7c2487bc3f is described below
commit 7c2487bc3f1a6ec472585c27d7ceb5ca19471387
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Fri Jun 7 11:28:24 2024 +0200
Improved: Adds some tokens to deniedWebShellTokens and updates webShellTokensTesting
---
framework/security/config/security.properties | 2 +-
.../apache/ofbiz/security/SecurityUtilTest.java | 22 ++++++++++++++--------
2 files changed, 15 insertions(+), 9 deletions(-)
diff --git a/framework/security/config/security.properties b/framework/security/config/security.properties
index 41bc226920..2e8a42c420 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -278,7 +278,7 @@ deniedWebShellTokens=java.,beans,freemarker,<script,javascript,<body,body ,<form
 chmod,mkdir,fopen,fclose,new file,upload,getfilename,download,getoutputstring,readfile,iframe,object,embed,onload,build,\
 python,perl ,/perl,ruby ,/ruby,process,function,class,InputStream,to_server,wget ,static,assign,webappPath,\
 ifconfig,route,crontab,netstat,uname ,hostname,iptables,whoami,"cmd",*cmd|,+cmd|,=cmd|,localhost,thread,require,gzdeflate,\
- execute,println,calc,calculate,touch
+ execute,println,calc,calculate,touch,curl
 allowStringConcatenationInUploadedFiles=false
diff --git a/framework/security/src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java b/framework/security/src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java
index 75730a3fcc..6f46591fc6 100644
--- a/framework/security/src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java
+++ b/framework/security/src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java
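Review bot: The new `curl` token is added without a trailing space, while the neighbouring `wget `, `perl ` and `uname ` entries carry one, so if the denial check is a plain substring match this entry will also reject harmless words such as `curly` or `curling` in uploaded text. Either follow the list's own convention with `curl ` or say in a comment next to the key why the bare form is wanted here. I cannot see the matching code from this diff, so the false-positive risk is inferred from the list's conventions; note that the trailing-space form would also require the new `isValidText("curl", allowed)` assertion in SecurityUtilTest to be adjusted to `"curl "`.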
@@ -58,13 +58,14 @@ public class SecurityUtilTest {
 @Test
 public void webShellTokensTesting() {
- // Currently used
- // java.,beans,freemarker,<script,javascript,<body,body <form,<jsp:,<c:out,taglib,<prefix,<%@ page,<?php,exec(,alert(,\
- // %eval,@eval,eval(,runtime,import,passthru,shell_exec,assert,str_rot13,system,decode,include,page ,\
- // chmod,mkdir,fopen,fclose,new file,upload,getfilename,download,getoutputstring,readfile,iframe,object,embed,onload,build\
- // python,perl ,/perl,ruby ,/ruby,process,function,class,InputStream,to_server,wget ,static,assign,webappPath,\
- // ifconfig,route,crontab,netstat,uname ,hostname,iptables,whoami,"cmd",*cmd|,+cmd|,=cmd|,localhost,thread,require,gzdeflate
-
+ /* Currently used
+ java.,beans,freemarker,<script,javascript,<body,body ,<form,<jsp:,<c:out,taglib,<prefix,<%@ page,<?php,exec(,alert(,\
+ %eval,@eval,eval(,runtime,import,passthru,shell_exec,assert,str_rot13,system,decode,include,page ,\
+ chmod,mkdir,fopen,fclose,new file,upload,getfilename,download,getoutputstring,readfile,iframe,object,embed,onload,build,\
+ python,perl ,/perl,ruby ,/ruby,process,function,class,InputStream,to_server,wget ,static,assign,webappPath,\
+ ifconfig,route,crontab,netstat,uname ,hostname,iptables,whoami,"cmd",*cmd|,+cmd|,=cmd|,localhost,thread,require,gzdeflate,\
+ execute,println,calc,calculate,touch,curl
+ */
 try {
 List<String> allowed = new ArrayList<>();
 allowed.add("getfilename");
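Review bot: The rewritten `/* Currently used … */` block hand-copies deniedWebShellTokens from security.properties, and the removed lines show how such a copy drifts: the old comment lacked the `execute,println,calc,calculate,touch` line that the properties hunk shows as already present, and had `body <form` where the property has `body ,<form`. A pointer to the source of truth is safer than a second copy, e.g. `// Tokens asserted below mirror deniedWebShellTokens in framework/security/config/security.properties; update both together.` If the full list is still wanted here for readability, prefix it with that one-line note so the next maintainer knows where it is copied from. webShellTokensTesting continues beyond this hunk.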
@@ -146,7 +147,12 @@ public class SecurityUtilTest {
 assertFalse(SecuredUpload.isValidText("thread", allowed));
 assertFalse(SecuredUpload.isValidText("require", allowed));
 assertFalse(SecuredUpload.isValidText("gzdeflate", allowed));
-
+ assertFalse(SecuredUpload.isValidText("execute", allowed));
+ assertFalse(SecuredUpload.isValidText("println", allowed));
+ assertFalse(SecuredUpload.isValidText("calc", allowed));
+ assertFalse(SecuredUpload.isValidText("calculate", allowed));
+ assertFalse(SecuredUpload.isValidText("curl", allowed));
+ assertFalse(SecuredUpload.isValidText("touch", allowed));
 } catch (IOException e) {
 fail(String.format("IOException occured : %s", e.getMessage()));
 }
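Review bot: Every added assertion is `assertFalse`, so a regression that makes SecuredUpload.isValidText reject all input would still pass this block; if webShellTokensTesting has no positive check elsewhere (its body starts and ends outside this hunk), add one such as `assertTrue(SecuredUpload.isValidText("plain text without any denied token", allowed));` so the denial list is shown to be selective. The new `curl` assertion is also placed before `touch`, whereas the property lists `touch,curl`; keeping the assertion order aligned with the property makes the two lists easier to compare by eye when the next token is added.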