Posted to commits@ofbiz.apache.org by jl...@apache.org on 2019/09/14 08:21:26 UTC
svn commit: r1866923 - in /ofbiz/branches/release16.11: ./
framework/webtools/groovyScripts/labelmanager/ViewFile.groovy
framework/webtools/groovyScripts/log/FetchLogs.groovy
Author: jleroux
Date: Sat Sep 14 08:21:25 2019
New Revision: 1866923
URL: http://svn.apache.org/viewvc?rev=1866923&view=rev
Log:
"Applied fix from trunk framework for revision: 1866920"
------------------------------------------------------------------------
r1866920 | jleroux | 2019-09-14 10:19:18 +0200 (sam. 14 sept. 2019) | 18 lignes
Fixed: Path Traversal in webtools/control/FetchLogs and ViewFile
(OFBIZ-11196)
These are not really path traversal issues.
We can't solve them using the traditional way to fix path traversal issues
(i.e. normalising the path), because FetchLogs and ViewFile are actually reading
files, and if you have the right to read these files then nothing will prevent
you from reading them.
The problem is more about what those requests are supposed to do.
FetchLogs is supposed to read a log in the log dir
and ViewFile is supposed to read a file containing labels
(i.e. either an XML or a Properties file).
So the solution is to allow these requests to do only what they are supposed to
do. This is what is done in the ViewFile and FetchLogs Groovy files.
------------------------------------------------------------------------
Modified:
ofbiz/branches/release16.11/ (props changed)
ofbiz/branches/release16.11/framework/webtools/groovyScripts/labelmanager/ViewFile.groovy
ofbiz/branches/release16.11/framework/webtools/groovyScripts/log/FetchLogs.groovy
Propchange: ofbiz/branches/release16.11/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Sat Sep 14 08:21:25 2019
@@ -10,6 +10,6 @@
/ofbiz/branches/json-integration-refactoring:1634077-1635900
/ofbiz/branches/multitenant20100310:921280-927264
/ofbiz/branches/release13.07:1547657
-/ofbiz/ofbiz-framework/trunk:1783202,1783388,1784549,1784558,1784708,1785882,1785925,1786079,1786214,1786525,1787047,1787133,1787176,1787535,1787906-1787911,1787949,1789665,1789863,1789874,1790396,1790810,1791277,1791288,1791342,1791346,1791490,1791496,1791625,1791634,1791791,1791804,1792270,1792272,1792275,1792432,1792609,1792638,1793300,1794008,1794132,1796047,1796262,1797733,1798668,1798682,1798796,1798803,1798808,1799088,1799183,1799327,1799417,1799687,1799767,1799793,1799859,1800250,1800780,1800832,1800853,1801094,1801262-1801263,1801273-1801274,1801303,1801316,1801318-1801319,1801336,1801340,1801346,1801349-1801350,1801359,1801742,1802657,1802766,1803525,1804656,1804843,1804847,1804859,1805143,1805558,1805880,1806036,1806220,1806266,1806269,1806951,1807597,1807890,1808834,1809399,1809429,1809594,1809741,1810102,1811794,1812387,1813600,1813617,1813647,1813833,1814277,1814319,1814349,1814392,1814501,1814591,1814642,1814644,1814709,1814873,1814928,1814934,1815059,1816264,1816273,
1816289,1816291,1816297,1816369,1816373,1816461,1816635,1816795,1818101,1818269,1818273,1818402,1819122,1819136,1819144,1819811,1820823,1820949,1820966,1821012,1821036,1821613,1821965,1822310,1822377,1822383,1823876,1824314,1824316,1824732,1824803,1824847,1824855,1825192,1825233,1825262,1825444,1825450,1826374,1826592,1826671,1826805,1826938,1828255,1830936,1831234,1831608,1831831,1832577,1832662,1832756,1832944,1833211,1834181,1834191,1835235,1835871,1836144,1838032,1840189,1840199,1840828,1841657,1841662,1842372,1842921,1843225,1843893,1845418,1845420,1845466,1845544,1845552,1846214,1846594,1846632,1847398,1848263,1848336,1848398,1848444,1848449,1849191,1849193,1849275,1849528,1849540,1849567,1849693,1850015,1850023,1850530,1850685,1850914,1850918,1850948,1851200,1851247,1851319,1851805,1851998,1852587,1852818,1853070,1853691,1853745,1853750,1854306,1854457,1855078,1855287,1855371,1855403,1855488,1855492,1855497,1855501,1855898,1856405,1856455,1856459-1856460,1856484,1856598,18566
17,1856667,1857088,1857099,1857180,1857213,1857392,1857617,1857692,1857813,1858141,1858250,1858275,1858312,1858319,1858432,1858444,1858523,1858539,1858933,1858965,1858980,1859012,1859033,1859255,1859263,1859543,1859571,1859576,1859691,1859704,1859796,1859807,1859871,1859877,1859882,1859893,1859968,1859981,1860082,1860141,1860274,1860357,1860526,1860592,1860613,1860797,1861615,1861837,1861859,1861869,1861904,1862045-1862046,1862207,1862271,1862278,1862466,1862648,1864716,1864881,1865811,1865852,1865883,1866259,1866834,1866890
+/ofbiz/ofbiz-framework/trunk:1783202,1783388,1784549,1784558,1784708,1785882,1785925,1786079,1786214,1786525,1787047,1787133,1787176,1787535,1787906-1787911,1787949,1789665,1789863,1789874,1790396,1790810,1791277,1791288,1791342,1791346,1791490,1791496,1791625,1791634,1791791,1791804,1792270,1792272,1792275,1792432,1792609,1792638,1793300,1794008,1794132,1796047,1796262,1797733,1798668,1798682,1798796,1798803,1798808,1799088,1799183,1799327,1799417,1799687,1799767,1799793,1799859,1800250,1800780,1800832,1800853,1801094,1801262-1801263,1801273-1801274,1801303,1801316,1801318-1801319,1801336,1801340,1801346,1801349-1801350,1801359,1801742,1802657,1802766,1803525,1804656,1804843,1804847,1804859,1805143,1805558,1805880,1806036,1806220,1806266,1806269,1806951,1807597,1807890,1808834,1809399,1809429,1809594,1809741,1810102,1811794,1812387,1813600,1813617,1813647,1813833,1814277,1814319,1814349,1814392,1814501,1814591,1814642,1814644,1814709,1814873,1814928,1814934,1815059,1816264,1816273,
1816289,1816291,1816297,1816369,1816373,1816461,1816635,1816795,1818101,1818269,1818273,1818402,1819122,1819136,1819144,1819811,1820823,1820949,1820966,1821012,1821036,1821613,1821965,1822310,1822377,1822383,1823876,1824314,1824316,1824732,1824803,1824847,1824855,1825192,1825233,1825262,1825444,1825450,1826374,1826592,1826671,1826805,1826938,1828255,1830936,1831234,1831608,1831831,1832577,1832662,1832756,1832944,1833211,1834181,1834191,1835235,1835871,1836144,1838032,1840189,1840199,1840828,1841657,1841662,1842372,1842921,1843225,1843893,1845418,1845420,1845466,1845544,1845552,1846214,1846594,1846632,1847398,1848263,1848336,1848398,1848444,1848449,1849191,1849193,1849275,1849528,1849540,1849567,1849693,1850015,1850023,1850530,1850685,1850914,1850918,1850948,1851200,1851247,1851319,1851805,1851998,1852587,1852818,1853070,1853691,1853745,1853750,1854306,1854457,1855078,1855287,1855371,1855403,1855488,1855492,1855497,1855501,1855898,1856405,1856455,1856459-1856460,1856484,1856598,18566
17,1856667,1857088,1857099,1857180,1857213,1857392,1857617,1857692,1857813,1858141,1858250,1858275,1858312,1858319,1858432,1858444,1858523,1858539,1858933,1858965,1858980,1859012,1859033,1859255,1859263,1859543,1859571,1859576,1859691,1859704,1859796,1859807,1859871,1859877,1859882,1859893,1859968,1859981,1860082,1860141,1860274,1860357,1860526,1860592,1860613,1860797,1861615,1861837,1861859,1861869,1861904,1862045-1862046,1862207,1862271,1862278,1862466,1862648,1864716,1864881,1865811,1865852,1865883,1866259,1866834,1866890,1866920
/ofbiz/ofbiz-plugins/trunk:1860648
/ofbiz/trunk:1770481,1770490,1770540,1771440,1771448,1771516,1771935,1772346,1772880,1774772,1775441,1779724,1780659,1781109,1781125,1781979,1782498,1782520
Modified: ofbiz/branches/release16.11/framework/webtools/groovyScripts/labelmanager/ViewFile.groovy
URL: http://svn.apache.org/viewvc/ofbiz/branches/release16.11/framework/webtools/groovyScripts/labelmanager/ViewFile.groovy?rev=1866923&r1=1866922&r2=1866923&view=diff
==============================================================================
--- ofbiz/branches/release16.11/framework/webtools/groovyScripts/labelmanager/ViewFile.groovy (original)
+++ ofbiz/branches/release16.11/framework/webtools/groovyScripts/labelmanager/ViewFile.groovy Sat Sep 14 08:21:25 2019
@@ -31,7 +31,7 @@ if (parameters.fileName) {
UtilXml.writeXmlDocument(document, os, "UTF-8", true, true, 4)
os.close()
fileString = os.toString()
- } else {
+ } else if (parameters.fileName.endsWith(".properties")) {
fileString = FileUtil.readString("UTF-8", file)
}
rows = fileString.split(System.getProperty("line.separator"))
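Review bot: The new `else if (parameters.fileName.endsWith(".properties"))` branch restricts the file type but not the file location, so any readable `.properties` file named in the request is still returned, and such files often hold configuration values. Consider also requiring that the resolved file's canonical path lies inside the directories where label files are expected before reading it. Separately, a name matching neither branch now assigns nothing to `fileString` within this hunk, so `fileString.split(...)` on the last line would fail on null unless the variable is initialised above the hunk. A guard such as `if (!fileString) return` before the split, with a logged rejection, would make the refusal explicit. The enclosing `if (parameters.fileName)` block starts and ends outside the hunk.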
Modified: ofbiz/branches/release16.11/framework/webtools/groovyScripts/log/FetchLogs.groovy
URL: http://svn.apache.org/viewvc/ofbiz/branches/release16.11/framework/webtools/groovyScripts/log/FetchLogs.groovy?rev=1866923&r1=1866922&r2=1866923&view=diff
==============================================================================
--- ofbiz/branches/release16.11/framework/webtools/groovyScripts/log/FetchLogs.groovy (original)
+++ ofbiz/branches/release16.11/framework/webtools/groovyScripts/log/FetchLogs.groovy Sat Sep 14 08:21:25 2019
@@ -42,7 +42,7 @@ for (int i = 0; i < listLogFiles.length;
}
context.listLogFileNames = listLogFileNames
-if (parameters.logFileName) {
+if (parameters.logFileName && logFileName.contains(parameters.logFileName)) {
List logLines = []
try {
File logFile = FileUtil.getFile(ofbizLogDir.concat(parameters.logFileName))
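Review bot: The added condition tests `logFileName.contains(parameters.logFileName)`, but `logFileName` is not defined in this hunk and looks like the scalar left over from the listing loop above. If so, this is a substring match against a single file name rather than membership in the list of permitted logs. That would reject every legitimate log except the last one iterated, accept partial names, and throw if the variable was never assigned. The list assigned to `context.listLogFileNames` just above seems to be the intended allowlist: `if (parameters.logFileName && listLogFileNames.contains(parameters.logFileName)) {`. With exact membership, the `ofbizLogDir.concat(parameters.logFileName)` call could only resolve to a name already listed; the `if` body continues outside the hunk.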