This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release18.12 by this push:
new 2a60c0b50a Improved: Prevent URL parameters manipulation (OFBIZ-13147)
2a60c0b50a is described below
commit 2a60c0b50a147ddc2ff2b58d7955928c0f3cea44
Author: Jacques Le Roux <[email protected]>
AuthorDate: Wed Oct 23 09:16:04 2024 +0200
Improved: Prevent URL parameters manipulation (OFBIZ-13147)
Handles Base64 encoded reverse shells
Conflicts handled by hand
---
framework/security/config/security.properties | 2 +-
.../apache/ofbiz/webapp/control/ControlFilter.java | 21 ++++++++++++++-------
2 files changed, 15 insertions(+), 8 deletions(-)
diff --git a/framework/security/config/security.properties
b/framework/security/config/security.properties
index 0a0cc534fa..cbc3d54672 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -240,7 +240,7 @@
deniedWebShellTokens=java.,beans,freemarker,<script,javascript,<body,body ,<form
chmod,mkdir,fopen,fclose,new
file,upload,getfilename,download,getoutputstring,readfile,iframe,object,embed,onload,build,\
python,perl ,/perl,ruby
,/ruby,process,function,class,InputStream,to_server,wget
,static,assign,webappPath,\
ifconfig,route,crontab,netstat,uname
,hostname,iptables,whoami,"cmd",*cmd|,+cmd|,=cmd|,localhost,thread,require,gzdeflate,\
- execute,println,calc,touch,calculate,curl
+ execute,println,calc,touch,calculate,curl,base64
#-- Max line length for uploaded files, by default 10000
maxLineLength=
diff --git
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
index e85f2d899b..93de6914af 100644
---
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
+++
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
@@ -22,6 +22,8 @@ import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLDecoder;
+import java.util.Base64;
+import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
@@ -37,6 +39,7 @@ import javax.servlet.http.HttpServletResponse;
import org.apache.ofbiz.base.util.Debug;
import org.apache.ofbiz.base.util.UtilValidate;
import org.apache.ofbiz.entity.GenericValue;
+import org.apache.ofbiz.security.SecuredUpload;
import org.apache.ofbiz.security.SecurityUtil;
/*
@@ -137,14 +140,18 @@ public class ControlFilter implements Filter {
// Reject wrong URLs
if
(!requestUri.matches("/control/logout;jsessionid=[A-Z0-9]{32}\\.jvm1")) {
- String queryString = httpRequest.getQueryString();
- if (queryString != null) {
- queryString = URLDecoder.decode(queryString, "UTF-8");
- if (UtilValidate.isUrl(queryString)) {
- Debug.logError("For security reason this URL is not
accepted", module);
- throw new RuntimeException("For security reason this
URL is not accepted");
- }
+ String queryString = httpRequest.getQueryString();
+ if (queryString != null) {
+ queryString = URLDecoder.decode(queryString, "UTF-8");
+ if (UtilValidate.isUrl(queryString)
+ || !SecuredUpload.isValidText(queryString,
Collections.emptyList())
+ ||
!SecuredUpload.isValidText(Base64.getDecoder().decode(queryString).toString(),
Collections.emptyList())
+ ||
!SecuredUpload.isValidText(Base64.getMimeDecoder().decode(queryString).toString(),
Collections.emptyList())
+ ||
!SecuredUpload.isValidText(Base64.getUrlDecoder().decode(queryString).toString(),
Collections.emptyList())) { // ...
+ Debug.logError("For security reason this URL is not
accepted", module);
+ throw new RuntimeException("For security reason this URL
is not accepted");
}
+ }
try {
String url = new URI(((HttpServletRequest)
request).getRequestURL().toString())
