This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release18.12 by this push:
     new e5ccc13a9b Fixed: [SECURITY] (CVE-2024-36104) Path traversal leading 
to RCE (OFBIZ-13092)
e5ccc13a9b is described below

commit e5ccc13a9b4d52790dd15659e8ddd0cd0c95ff9c
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Fri Jan 17 09:32:34 2025 +0100

    Fixed: [SECURITY] (CVE-2024-36104) Path traversal leading to RCE 
(OFBIZ-13092)
    
    Adds a StringUtil::splitWithStringSeparator. I ran into an issue using
    StringUtil::split: its documentation says <<delim the delimiter character(s)>>,
    but it does not work as expected with several characters.
    
    Removes an allowedToken and add 3 others.
    
    In ControlFilter::doFilter uses splitWithStringSeparator instead of split.
    Uses decoded requestUri everywhere.
    
    In ControlFilter::doFilter uses splitWithStringSeparator instead of split.
    Uses decoded requestUri everywhere, and to split query string
    "&amp;" rather than "Y&amp;".
    
    Not backported (impossible), all by hand
---
 .../main/java/org/apache/ofbiz/base/util/StringUtil.java   | 14 ++++++++++++++
 framework/security/config/security.properties              |  2 +-
 .../org/apache/ofbiz/webapp/control/ControlFilter.java     |  5 +++--
 3 files changed, 18 insertions(+), 3 deletions(-)

diff --git 
a/framework/base/src/main/java/org/apache/ofbiz/base/util/StringUtil.java 
b/framework/base/src/main/java/org/apache/ofbiz/base/util/StringUtil.java
index 717c5c9c39..dab48bb2b0 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/StringUtil.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/StringUtil.java
@@ -21,6 +21,7 @@ package org.apache.ofbiz.base.util;
 import java.io.UnsupportedEncodingException;
 import java.net.URLDecoder;
 import java.net.URLEncoder;
+import java.util.Arrays;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.HashMap;
@@ -157,6 +158,19 @@ public class StringUtil {
         return splitList;
     }
 
+    /**
+     * Splits a String on a String Separator into a List of Strings.
+     * @param str the String to split
+     * @param separator the String Separator to split the str String
+     * @return a list of Strings or null if one of the parameters is null
+     */
+    public static List<String> splitWithStringSeparator(String str, String 
separator) {
+        if (str == null || separator == null) {
+            return null;
+        }
+        return Arrays.asList(str.split(separator));
+    }
+
     /**
      * Splits a String on a delimiter into a List of Strings.
      * @param str the String to split
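Review bot: `str.split(separator)` in the new `splitWithStringSeparator` applies the separator as a regular expression, although the Javadoc describes it as a plain String separator; for the `"&amp;"` the caller passes this is harmless, but a separator such as `"."`, `"|"` or `"+"` would split on every character or not at all. Quote it so the name and the documentation hold: `return Arrays.asList(str.split(Pattern.quote(separator)));` with `import java.util.regex.Pattern;` added to the import block. The `@return` line could also state that trailing empty strings are dropped, as the one-argument `String.split` does, and that the returned list is fixed-size (`Arrays.asList`), since callers comparing token counts or appending to the result may not expect either.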
diff --git a/framework/security/config/security.properties 
b/framework/security/config/security.properties
index 1204f9bd05..73bf5a910f 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -250,7 +250,7 @@ 
deniedWebShellTokens=java.,beans,freemarker,<script,javascript,<body,body ,<form
 #-- SHA-1 versions of tokens containing (as String) at least one 
deniedWebShellTokens
 #-- This is notably used to allow special values in query parameters.
 #-- If you add a token beware that it does not content ",". It's the separator.
-allowedTokens=$SHA$OFBiz$2naHrANKTniFcgLJk4oXr3IRQ48,$SHA$OFBiz$evAu1vcT5d1tjVXFTeVXU-6aNz8,$SHA$OFBiz$-MaMN-Dui294v86UT1T8BkG3v8k
+allowedTokens=$SHA$OFBiz$2naHrANKTniFcgLJk4oXr3IRQ48,$SHA$OFBiz$evAu1vcT5d1tjVXFTeVXU-6aNz8,$SHA$OFBiz$ORZaKvS7a0ee4gZb9P5hHuHnEyE,$SHA$OFBiz$T5DBu6tPuZzDCfYNci_23SrUa3Q,$SHA$OFBiz$BXhGVix7t3kfHrhNB0z9I0H9_rQ
 
 allowStringConcatenationInUploadedFiles=false
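Review bot: The new `allowedTokens` value replaces one SHA-1 digest with three others, but nothing in the file records what query-parameter values these digests admit or why the set changed, so a later audit of this allow list cannot tell which denied-token bypasses are intentional. A one-line comment above the property, e.g. `#-- Entries revised for OFBIZ-13092 (CVE-2024-36104); see the ticket for the origin of each digest.`, would keep that traceable without putting the plain values in the file. The existing comment above already warns that "," is the separator, so that caveat need not be repeated.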
 
diff --git 
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
 
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
index 19d0697806..4b690d1a4e 100644
--- 
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
+++ 
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
@@ -171,11 +171,12 @@ public class ControlFilter implements Filter {
             if 
(!requestUri.matches("/control/logout;jsessionid=[A-Z0-9]{32}\\.jvm1")) {
                 boolean bypass = true;
                 if (queryString != null) {
-                    bypass = 
isAnyAllowedToken(StringUtil.split(queryString.toLowerCase(), "Y&amp;"), 
ALLOWEDTOKENS);
+                    List<String> queryStringList = 
StringUtil.splitWithStringSeparator(queryString.toLowerCase(), "&amp;");
+                    bypass = isAnyAllowedToken(queryStringList, ALLOWEDTOKENS);
                 }
                 if (requestUri != null && !bypass) { // "null" allows tests 
with Mockito. ControlFilterTests sends null.
                     try {
-                        String url = new URI(((HttpServletRequest) 
request).getRequestURL().toString())
+                        String url = new URI(requestUri)
                                 .normalize().toString()
                                 .replaceAll(";", "")
                                 .replaceAll("(?i)%2e", "");
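Review bot: The query-string split on the new `queryStringList` line uses `"&amp;"` as separator, which only matches an HTML-escaped ampersand; if `queryString` holds the raw container query string (its assignment is above this hunk), parameters are separated by a bare `&`, a multi-parameter string would be hashed as a single element, and `isAnyAllowedToken` could not match an individual allowed value. Either split on the literal `&` (covering `&amp;` too if both forms can reach this point) or add a comment at the assignment stating that the query string is already HTML-encoded, so the separator choice is visibly deliberate. The other new line, `new URI(requestUri)`, now receives the decoded URI, so a decoded character that is illegal in a URI (a literal space, for instance) makes the constructor throw `URISyntaxException`; the catch block that handles it lies outside the hunk, as does the rest of `doFilter`, and it must deny the request rather than fall through. Unrelated to the change but visible in the context lines, `bypass` starts as `true` and is only recomputed when `queryString` is non-null, so a request without a query string appears to skip the normalization block entirely — worth confirming that is intended.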
