This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release18.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release18.12 by this push: new faf6032b01 Fixed: Issues when uploading SVG files (OFBIZ-13192) faf6032b01 is described below commit faf6032b015a7be1380281a784253d1790ac5ff6 Author: Jacques Le Roux <jacques.le.r...@les7arts.com> AuthorDate: Mon Dec 9 06:58:05 2024 +0100 Fixed: Issues when uploading SVG files (OFBIZ-13192) * Bypasses CSV file type checking when the file contains "</svg>" * Change "maxLineLength" property in security.properties from null to 10000 and allows 0 bypass the "maxLineLength" check Note: SVG files are text files and may contain deniedWebShellTokens. If you need to upload SVG files the easiest way is to remove the used tokens from deniedWebShellTokens.
---
 framework/security/config/security.properties | 4 ++--
 .../main/java/org/apache/ofbiz/security/SecuredUpload.java | 13 ++++++++++---
 2 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/framework/security/config/security.properties b/framework/security/config/security.properties
index dd18fbd6d4..df061f5a4e 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -254,8 +254,8 @@ allowedTokens=$SHA$OFBiz$2naHrANKTniFcgLJk4oXr3IRQ48
 allowStringConcatenationInUploadedFiles=false
-#-- Max line length for uploaded files, by default 10000
-maxLineLength=
+#-- Max line length for uploaded files, by default 10000. You can use 0 to allow any line length.
+maxLineLength=0
 #-- Popup last-visited time from database after user has logged in.
 #-- So users can know of any unauthorised access to their accounts.
diff --git a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
index 1663a0b2de..5d557ed80a 100644
--- a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
+++ b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
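Review bot: The replacement line `maxLineLength=0` turns the shipped default into "no limit" for every deployment, whereas the old empty value fell back to the 10000 passed to `UtilProperties.getPropertyAsInteger` in Java; the `@@ -108,7 +108,7` hunk of SecuredUpload.java lowers that fallback to 0 as well, so a site that deletes the property also loses the check. The limit presumably belongs to the same webshell screening the commit message mentions next to deniedWebShellTokens, so disabling it by default widens exposure for sites that never upload SVG. Keeping `maxLineLength=10000` here and `UtilProperties.getPropertyAsInteger("security", "maxLineLength", 10000)` in Java, with the new comment explaining that 0 disables the check, would let SVG-uploading sites opt out explicitly. The commit message's "from null to 10000" also does not match the diff, which sets 0.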
@@ -108,7 +108,7 @@ public class SecuredUpload {
 private static final String MODULE = SecuredUpload.class.getName();
 private static final List<String> DENIEDFILEEXTENSIONS = getDeniedFileExtensions();
 private static final List<String> DENIEDWEBSHELLTOKENS = getDeniedWebShellTokens();
- private static final Integer MAXLINELENGTH = UtilProperties.getPropertyAsInteger("security", "maxLineLength", 10000);
+ private static final Integer MAXLINELENGTH = UtilProperties.getPropertyAsInteger("security", "maxLineLength", 0);
 private static final Boolean ALLOWSTRINGCONCATENATIONINUPLOADEDFILES = UtilProperties.getPropertyAsBoolean("security", "allowStringConcatenationInUploadedFiles", false);
@@ -569,8 +569,12 @@ public class SecuredUpload {
 }
 // cf. https://commons.apache.org/proper/commons-csv/apidocs/org/apache/commons/csv/CSVFormat.html
- try (CSVParser parser = new CSVParser(in, cvsFormat)) {
- parser.getRecords();
+ if (!content.contains("</svg>")) {
+ try (CSVParser parser = new CSVParser(in, cvsFormat)) {
+ parser.getRecords();
+ }
+ } else {
+ Debug.logInfo("The file " + fileName + " is not a valid CSV file. For security reason it's not accepted as a such file", MODULE);
 }
 return isValidTextFile(fileName, false); // Validate content to prevent webshell
 }
@@ -849,6 +853,9 @@ public class SecuredUpload {
 private static boolean checkMaxLinesLength(String fileToCheck) {
+ if (MAXLINELENGTH == 0) {
+ return true;
+ }
 try {
 File file = new File(fileToCheck);
 List<String> lines = FileUtils.readLines(file, Charset.defaultCharset());
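Review bot: The new `else` branch in the `@@ -569,8 +569,12` hunk logs that the file "is not accepted as a such file" and then falls through to the same `return isValidTextFile(fileName, false)` as the parsed-CSV path, so a file containing `</svg>` is accepted whenever the text-file check passes and the log line contradicts the behaviour. If skipping CSV parsing for SVG content is the intent, the message should say so, e.g. `Debug.logInfo("The file " + fileName + " contains </svg>, CSV parsing is skipped and only the text-file checks apply", MODULE);`; if rejection is the intent, the branch needs `return false;`. The `content.contains("</svg>")` test is a substring match over the whole content, so a genuine CSV whose cells carry that string also skips format validation, which is worth stating in a comment above the `if`. The removed try-with-resources closed `in` through the parser, whereas the new `else` branch never touches `in`; whether that leaves a reader open depends on where `in` is created, and the enclosing method starts outside the hunk.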