This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release24.09 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release24.09 by this push:
     new 4bf9476031 Fixed: Issues when uploading SVG files (OFBIZ-13192)
4bf9476031 is described below
commit 4bf94760314246f06db3f6fadca3d68b6b8cfc20
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Mon Dec 9 06:58:05 2024 +0100
Fixed: Issues when uploading SVG files (OFBIZ-13192)
* Bypasses CSV file type checking when the file contains "</svg>"
* Change "maxLineLength" property in security.properties from null to 10000 and allows 0 bypass the "maxLineLength" check
Note: SVG files are text files and may contain deniedWebShellTokens. If you need to upload SVG files the easiest way is to remove the used tokens from deniedWebShellTokens.
---
 framework/security/config/security.properties | 4 ++--
 .../main/java/org/apache/ofbiz/security/SecuredUpload.java | 13 ++++++++++---
 2 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/framework/security/config/security.properties b/framework/security/config/security.properties
index dc756a100a..ea1ea9587b 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -292,8 +292,8 @@ allowedTokens=$SHA$OFBiz$2naHrANKTniFcgLJk4oXr3IRQ48
 allowStringConcatenationInUploadedFiles=false
-#-- Max line length for uploaded files, by default 10000
-maxLineLength=
+#-- Max line length for uploaded files, by default 10000. You can use 0 to allow any line length.
+maxLineLength=0
 # Allow uploading non-empty pdf files as long as they are ZUGFeRD compliant
 allowZUGFeRDCompliantUpload=true
diff --git a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
index 70c7a81e69..7fa9cfa64e 100644
--- a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
+++ b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
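Review bot: Shipping `maxLineLength=0` as the default, together with the code default changed from 10000 to 0 in the `@@ -111` hunk of SecuredUpload.java, switches the line-length check off for every upload, not only for SVG files, and the commit description ("from null to 10000") does not match what the diff does. Unusually long lines are one of the few cheap signals the text validator has against minified or obfuscated content that passes the token list, so the narrower shape is to keep `maxLineLength=10000` (and the 10000 code default) and let deployments that need SVG opt into 0 explicitly. If disabling by default is really the intent, the property comment should say so plainly, e.g. `#-- Max line length for uploaded files. 0 (the default) disables the check entirely; set e.g. 10000 to enforce it.`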
@@ -111,7 +111,7 @@ public class SecuredUpload {
     private static final String MODULE = SecuredUpload.class.getName();
     private static final List<String> DENIEDFILEEXTENSIONS = getDeniedFileExtensions();
     private static final List<String> DENIEDWEBSHELLTOKENS = getDeniedWebShellTokens();
-    private static final Integer MAXLINELENGTH = UtilProperties.getPropertyAsInteger("security", "maxLineLength", 10000);
+    private static final Integer MAXLINELENGTH = UtilProperties.getPropertyAsInteger("security", "maxLineLength", 0);
     private static final Boolean ALLOWSTRINGCONCATENATIONINUPLOADEDFILES = UtilProperties.getPropertyAsBoolean("security", "allowStringConcatenationInUploadedFiles", false);
@@ -619,8 +619,12 @@ public class SecuredUpload {
         }
         // cf. https://commons.apache.org/proper/commons-csv/apidocs/org/apache/commons/csv/CSVFormat.html
-        try (CSVParser parser = new CSVParser(in, cvsFormat)) {
-            parser.getRecords();
+        if (!content.contains("</svg>")) {
+            try (CSVParser parser = new CSVParser(in, cvsFormat)) {
+                parser.getRecords();
+            }
+        } else {
+            Debug.logInfo("The file " + fileName + " is not a valid CSV file. For security reason it's not accepted as a such file", MODULE);
         }
         return isValidTextFile(fileName, false); // Validate content to prevent webshell
     }
@@ -899,6 +903,9 @@ public class SecuredUpload {
     private static boolean checkMaxLinesLength(String fileToCheck) {
+        if (MAXLINELENGTH == 0) {
+            return true;
+        }
         try {
             File file = new File(fileToCheck);
             List<String> lines = FileUtils.readLines(file, Charset.defaultCharset());
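Review bot: In the `@@ -619` hunk the `else` branch logs that the file "is not accepted as a such file", but control then falls through to `return isValidTextFile(fileName, false)`, so a file containing `</svg>` is still accepted whenever the text check passes; the message should describe what actually happens, e.g. `Debug.logInfo("The file " + fileName + " contains an SVG closing tag; skipping the CSV format check, content is still validated as a text file", MODULE);`. The substring test also skips the CSV parse for any text that contains `</svg>` anywhere, not only for SVG documents, so for this extension the format check becomes optional; if this method is only reached for files declared as CSV, anchoring the detection on the document root (for instance requiring the stripped content to start with `<` in addition to the `</svg>` test) would keep the bypass to actual SVG markup. The enclosing method and the definitions of `content` and `in` start outside the hunk, so whether `in` is still positioned at the start of the file after `content` was read cannot be confirmed here.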
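Review bot: In the `@@ -899` hunk the new guard treats only exactly 0 as "disabled", so a negative `maxLineLength` reaches the existing loop below and its effect depends on code outside the hunk; `if (MAXLINELENGTH <= 0) {` with the comment `// 0 (or any non-positive value) disables the line-length check` would make the contract explicit. `MAXLINELENGTH` is a boxed `Integer`, so the comparison unboxes; that is safe only if `getPropertyAsInteger` never returns null when a default is supplied, which is not visible here. The rest of `checkMaxLinesLength` continues outside the hunk.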