This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/trunk by this push: new c05b9d876c Improved: Prevent URL parameters manipulation (OFBIZ-13147) c05b9d876c is described below commit c05b9d876c599f455702d1a327ae950cb256b5c3 Author: Jacques Le Roux <jacques.le.r...@les7arts.com> AuthorDate: Thu Nov 28 08:44:41 2024 +0100 Improved: Prevent URL parameters manipulation (OFBIZ-13147) Add ROT13, and improves few short deniedWebShellTokens by surrounding them by spaces. It's to avoid collisions while loading image files
---
 framework/security/config/security.properties | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/framework/security/config/security.properties b/framework/security/config/security.properties
index c11ec8a660..efd6e1072c 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -274,12 +274,15 @@ csvformat=CSVFormat.DEFAULT
 #--
 #-- If you are sure you are safe for a token you can remove it, etc.
 #-- If you add a token beware that it does not content ",". It's the separator.
+#--
+#-- If you cross issues while loading an image file because of a token found there, you may try to surround the string by spaces, as " tr " below.
+#-- Actually most of the tokens should but it's now a bit late for me. I mean to test all of them...
 deniedWebShellTokens=java.,beans,freemarker,<script,javascript,<body,body ,<form,<jsp:,<c:out,taglib,<prefix,<%@ page,<?php,exec(,alert(,\
 %eval,@eval,eval(,runtime,import,passthru,shell_exec,assert,str_rot13,system,decode,include,page ,\
 chmod,mkdir,fopen,fclose,new file,upload,getfilename,download,getoutputstring,readfile,iframe,object,embed,onload,build,\
 python,perl ,/perl,ruby ,/ruby,process,function,class,InputStream,to_server,wget ,static,assign,webappPath,\
 ifconfig,route,crontab,netstat,uname ,hostname,iptables,whoami,"cmd",*cmd|,+cmd|,=cmd|,localhost,thread,require,gzdeflate,\
- execute,println,calc,touch,curl,base64,tcp,4444,base32,xxd,bash
+ execute,println,calc,touch,curl,base64, tcp ,4444,base32, tr , xxd ,bash
 #-- SHA-1 versions of tokens containing (as String) at least one deniedWebShellTokens
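Review bot: The space-padded tokens ` tcp `, ` tr ` and ` xxd ` on the new `+ execute,…` line are a narrower check than the bare words they replace: with the plain substring match the comment implies, they only fire when the word has a literal space on both sides, so an occurrence next to punctuation, a quote, a slash or a line boundary is no longer denied, and the lower false-positive rate on image uploads is paid for with a weaker filter. If the consuming code can be changed, a delimiter-aware match (for example a word-boundary pattern) is the better fix than encoding the delimiter into the token string; if it cannot, the added comment should state that trade-off rather than the personal aside on the last `+#--` line, e.g. `#-- A token padded with spaces (" tr ") only matches when delimited by spaces on both sides: fewer false positives on binary image data, but a narrower check.` Also, the commit message says "Add ROT13", but the token actually added is ` tr ` (`str_rot13` was already in the list); if ` tr ` is meant to cover rot13 done with the tr utility, say so in the comment so a later maintainer does not drop it as noise.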