This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release24.09
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release24.09 by this push:
new e26ff4cbf1 Improved: Prevent URL parameters manipulation (OFBIZ-13147)
e26ff4cbf1 is described below
commit e26ff4cbf17fab2b5f046dbdf0dbfdf73f343d6e
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Fri Nov 29 07:42:42 2024 +0100
Improved: Prevent URL parameters manipulation (OFBIZ-13147)
Adds few new deniedWebShellTokens in security.properties
---
framework/security/config/security.properties | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/framework/security/config/security.properties
b/framework/security/config/security.properties
index d3bd2a8c9c..dc756a100a 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -282,7 +282,7 @@
deniedWebShellTokens=java.,beans,freemarker,<script,javascript,<body,body ,<form
chmod,mkdir,fopen,fclose,new
file,upload,getfilename,download,getoutputstring,readfile,iframe,object,embed,onload,build,\
python,perl ,/perl,ruby
,/ruby,process,function,class,InputStream,to_server,wget
,static,assign,webappPath,\
ifconfig,route,crontab,netstat,uname
,hostname,iptables,whoami,"cmd",*cmd|,+cmd|,=cmd|,localhost,thread,require,gzdeflate,\
- execute,println,calc,touch,curl,base64, tcp ,4444,base32,
tr , xxd ,bash
+ execute,println,calc,touch,curl,base64, tcp ,4444,base32,
tr , xxd ,bash, od ,|od ,printf,echo
#-- SHA-1 versions of tokens containing (as String) at least one
deniedWebShellTokens
