You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ofbiz.apache.org by jl...@apache.org on 2020/12/07 18:50:11 UTC
This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a change to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git.
from c164494 Fixed: Make locale available for DateFindField and DateTimeField macros (OFBIZ-12086)
new 4481f37 Fixed: Secure the uploads (OFBIZ-12080)
new b549b9a Fixed: Label issue on List Companies page (OFBIZ-12023)
new fdeedf2 Improved: Adds the HTML <input> accept Attribute in form widgets and Freemaker templates (OFBIZ-12049)
new 100810f Fixed: Secure the uploads (OFBIZ-12080)
The 4 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
Summary of changes:
applications/accounting/widget/GlSetupForms.xml | 8 +-
.../content/template/website/WebSiteCMSContent.ftl | 19 ++++-
.../datamodel/data/seed/ContentSeedData.xml | 15 +++-
framework/security/config/security.properties | 2 +-
.../org/apache/ofbiz/security/SecuredUpload.java | 96 +++++++++++++++++-----
5 files changed, 108 insertions(+), 32 deletions(-)
[ofbiz-framework] 02/04: Fixed: Label issue on List Companies page
(OFBIZ-12023)
Posted by jl...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
commit b549b9aa1947981d7ac9040efb9bc9ce95354e74
Author: Jacques Le Roux <ja...@les7arts.com>
AuthorDate: Sun Dec 6 19:06:26 2020 +0100
Fixed: Label issue on List Companies page (OFBIZ-12023)
Navigate to URL: 'accounting/control/ListCompanies'
Under the companies list, the 2nd column has button for account
The System is not showing proper label in French.
This issue is occurring due to the hyperlink title is not supporting character
encoding for special characters. Please track progress under OFBIZ-12026.
---
applications/accounting/widget/GlSetupForms.xml | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/applications/accounting/widget/GlSetupForms.xml b/applications/accounting/widget/GlSetupForms.xml
index f4a66e3..6b3ebf6 100644
--- a/applications/accounting/widget/GlSetupForms.xml
+++ b/applications/accounting/widget/GlSetupForms.xml
@@ -18,7 +18,7 @@ specific language governing permissions and limitations
under the License.
-->
-<forms xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+<forms xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://ofbiz.apache.org/Widget-Form" xsi:schemaLocation="http://ofbiz.apache.org/Widget-Form http://ofbiz.apache.org/dtds/widget-form.xsd">
<form name="ListCompanies" type="list" title="Internal Organizations" list-name="parties"
@@ -30,7 +30,7 @@ under the License.
</hyperlink>
</field>
<field name="accounting" title=" " use-when="hasBasicPermission" widget-style="buttontext">
- <hyperlink description="${uiLabelMap.AccountingAccounting}" target="PartyAccountsSummary">
+ <hyperlink description="${uiLabelMap.AccountingAccounting}" target="PartyAccountsSummary" target-type="plain">
<parameter param-name="organizationPartyId" from-field="partyId"/>
</hyperlink>
</field>
@@ -375,7 +375,7 @@ under the License.
</field>
<field name="errorGlJournalId" tooltip="${groovy: import org.apache.ofbiz.base.util.UtilProperties;
if((partyAcctgPreference==null&&aggregatedPartyAcctgPreference!= null&&aggregatedPartyAcctgPreference.get('errorGlJournalId')!=null) ||
- (partyAcctgPreference!=null&&partyAcctgPreference.get('errorGlJournalId')==null&&aggregatedPartyAcctgPreference!= null&&aggregatedPartyAcctgPreference.get('errorGlJournalId')!=null))return
+ (partyAcctgPreference!=null&&partyAcctgPreference.get('errorGlJournalId')==null&&aggregatedPartyAcctgPreference!= null&&aggregatedPartyAcctgPreference.get('errorGlJournalId')!=null))return
(UtilProperties.getMessage('AccountingUiLabels', 'AccountingInheritedValue', locale))}">
<drop-down allow-empty="true">
<entity-options entity-name="GlJournal" key-field-name="glJournalId" description="${glJournalName} [${glJournalId}]">
@@ -1188,7 +1188,7 @@ under the License.
<field name="glAccountClassId"><display-entity entity-name="GlAccountClass" key-field-name="glAccountClassId"/></field>
<field name="glResourceTypeId"><display-entity entity-name="GlResourceType" key-field-name="glResourceTypeId"/></field>
<field name="glXbrlClassId"><display-entity entity-name="GlXbrlClass" key-field-name="glXbrlClassId"/></field>
- <field name="parentGlAccountId"><display-entity entity-name="GlAccount" key-field-name="glAccountId" description="${parentGlAccountId}"/></field>
+ <field name="parentGlAccountId"><display-entity entity-name="GlAccount" key-field-name="glAccountId" description="${parentGlAccountId}"/></field>
<field name="accountCode" ><display-entity entity-name="GlAccount" key-field-name="glAccountId" description="${accountCode}"/></field>
<field name="accountName" ><display-entity entity-name="GlAccount" key-field-name="glAccountId" description="${accountName}"/></field>
<field name="description"><display description="${description}"/></field>
[ofbiz-framework] 01/04: Fixed: Secure the uploads (OFBIZ-12080)
Posted by jl...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
commit 4481f373ca45514c1e6fb86f1f1d2c6204f7a65a
Author: Jacques Le Roux <ja...@les7arts.com>
AuthorDate: Sun Dec 6 18:47:12 2020 +0100
Fixed: Secure the uploads (OFBIZ-12080)
Handles audio and video formats supported by Tika.
Adds few new audio and video formats in seed data.
AFAIK there are no ways to embed a webshell in an audio or video file. So I did
not sophisticate the validation, just rely on Tika.
I have also fixed bugs in SecuredUpload: in isValidSvgFile and
isValidImageIncludingSvgFile
---
.../datamodel/data/seed/ContentSeedData.xml | 10 ++-
.../org/apache/ofbiz/security/SecuredUpload.java | 94 +++++++++++++++++-----
2 files changed, 82 insertions(+), 22 deletions(-)
diff --git a/applications/datamodel/data/seed/ContentSeedData.xml b/applications/datamodel/data/seed/ContentSeedData.xml
index fcaa664..54472c1 100644
--- a/applications/datamodel/data/seed/ContentSeedData.xml
+++ b/applications/datamodel/data/seed/ContentSeedData.xml
@@ -405,10 +405,15 @@ under the License.
<!-- audio mime types -->
<MimeType mimeTypeId="audio/basic" description="Basic Audio"/>
- <MimeType mimeTypeId="audio/mpeg" description="MPEG Audio"/>
+ <MimeType mimeTypeId="audio/mpeg" description="MP3 Audio"/>
+ <MimeType mimeTypeId="audio/mp4" description="MP4 Audio"/>
<MimeType mimeTypeId="audio/x-ms-wax" description="WAX Audio"/>
- <MimeType mimeTypeId="audio/ogg" description="OGG Audio"/>
<MimeType mimeTypeId="audio/wav" description="WAV Audio"/>
+ <MimeType mimeTypeId="audio/ogg" description="OGG Audio"/>
+ <MimeType mimeTypeId="audio/x-ogg" description="OGG Audio"/>
+ <MimeType mimeTypeId="audio/vorbis" description="Vorbis Audio"/>
+ <MimeType mimeTypeId="audio/x-flac" description="FLAC Audio"/>
+ <MimeType mimeTypeId="audio/flac" description="FLAC Audio"/>
<!-- image mime types -->
<MimeType mimeTypeId="image/jpeg" description="JPEG/JPG Image"/>
@@ -465,6 +470,7 @@ under the License.
<MimeType mimeTypeId="video/x-ms-wm" description="WM Video"/>
<MimeType mimeTypeId="video/x-ms-wmv" description="WMV Video"/>
<MimeType mimeTypeId="video/x-ms-wmx" description="WMX Video"/>
+ <MimeType mimeTypeId="video/3gpp" description="3GP Mobile Video"/>
<FileExtension fileExtensionId="asf" mimeTypeId="video/x-ms-asf"/>
<FileExtension fileExtensionId="asx" mimeTypeId="video/x-ms-asf"/>
diff --git a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
index 4650dfd..e233228 100644
--- a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
+++ b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
@@ -151,15 +151,23 @@ public class SecuredUpload {
}
break;
- // case "Audio": TODO if needed
- // break;
- // case "Video": TODO if needed
- // break;
+ case "Audio":
+ if (isValidAudioFile(fileTocheck)) {
+ return true;
+ }
+ break;
+ case "Video":
+ if (isValidVideoFile(fileTocheck)) {
+ return true;
+ }
+ break;
default: // All
if (isValidTextFile(fileTocheck)
|| isValidImageIncludingSvgFile(fileTocheck)
|| isValidCompressedFile(fileTocheck, delegator)
+ || isValidAudioFile(fileTocheck)
+ || isValidVideoFile(fileTocheck)
|| isValidPdfFile(fileTocheck)) {
return true;
}
@@ -299,14 +307,7 @@ public class SecuredUpload {
* @throws IOException ImageReadException
*/
private static boolean isValidImageIncludingSvgFile(String fileName) throws ImageReadException, IOException {
- Path filePath = Paths.get(fileName);
- byte[] bytesFromFile = Files.readAllBytes(filePath);
- ImageFormat imageFormat = Imaging.guessFormat(bytesFromFile);
- return imageFormat.equals(ImageFormats.PNG)
- || imageFormat.equals(ImageFormats.GIF)
- || imageFormat.equals(ImageFormats.TIFF)
- || imageFormat.equals(ImageFormats.JPEG)
- || isValidSvgFile(fileName);
+ return isValidImageFile(fileName) || isValidSvgFile(fileName);
}
/**
@@ -316,15 +317,19 @@ public class SecuredUpload {
* @throws IOException
*/
private static boolean isValidSvgFile(String fileName) throws IOException {
- Path filePath = Paths.get(fileName);
- String parser = XMLResourceDescriptor.getXMLParserClassName();
- SAXSVGDocumentFactory f = new SAXSVGDocumentFactory(parser);
- try {
- f.createDocument(filePath.toUri().toString());
- } catch (IOException e) {
- return false;
+ String mimeType = getMimeTypeFromFileName(fileName);
+ if ("image/svg+xml".equals(mimeType)) {
+ Path filePath = Paths.get(fileName);
+ String parser = XMLResourceDescriptor.getXMLParserClassName();
+ SAXSVGDocumentFactory f = new SAXSVGDocumentFactory(parser);
+ try {
+ f.createDocument(filePath.toUri().toString());
+ } catch (IOException e) {
+ return false;
+ }
+ return isValidTextFile(fileName); // Validate content to prevent webshell
}
- return isValidTextFile(fileName);
+ return false;
}
/**
@@ -501,6 +506,55 @@ public class SecuredUpload {
}
/**
+ * Is this a valid Audio file?
+ * @param fileName must be an UTF-8 encoded text file
+ * @return true if it's a valid Audio file?
+ * @throws IOException
+ */
+ private static boolean isValidAudioFile(String fileName) throws IOException {
+ String mimeType = getMimeTypeFromFileName(fileName);
+ if ("audio/basic".equals(mimeType)
+ || "audio/wav".equals(mimeType)
+ || "audio/x-ms-wax".equals(mimeType)
+ || "audio/mpeg".equals(mimeType)
+ || "audio/mp4".equals(mimeType)
+ || "audio/ogg".equals(mimeType)
+ || "audio/vorbis".equals(mimeType)
+ || "audio/x-ogg".equals(mimeType)
+ || "audio/flac".equals(mimeType)
+ || "audio/x-flac".equals(mimeType)) {
+ return true;
+ }
+ Debug.logError("The file" + fileName + " is not a valid audio file, for security reason it's not accepted :", MODULE);
+ return false;
+ }
+
+ /**
+ * Is this a valid Audio file?
+ * @param fileName must be an UTF-8 encoded text file
+ * @return true if it's a valid Audio file?
+ * @throws IOException
+ */
+ private static boolean isValidVideoFile(String fileName) throws IOException {
+ String mimeType = getMimeTypeFromFileName(fileName);
+ if ("video/avi".equals(mimeType)
+ || "video/mpeg".equals(mimeType)
+ || "video/mp4".equals(mimeType)
+ || "video/quicktime".equals(mimeType)
+ || "video/3gpp".equals(mimeType)
+ || "video/x-ms-asf".equals(mimeType)
+ || "video/x-flv".equals(mimeType)
+ || "video/x-ms-wvx".equals(mimeType)
+ || "video/x-ms-wm".equals(mimeType)
+ || "video/x-ms-wmv".equals(mimeType)
+ || "video/x-ms-wmx".equals(mimeType)) {
+ return true;
+ }
+ Debug.logError("The file" + fileName + " is not a valid video file, for security reason it's not accepted :", MODULE);
+ return false;
+ }
+
+ /**
* Does this text file contains a Freemarker Server-Side Template Injection (SSTI) using freemarker.template.utility.Execute? Etc.
* @param fileName must be an UTF-8 encoded text file
* @return true if the text file does not contains a Freemarker SSTI
[ofbiz-framework] 03/04: Improved: Adds the HTML accept
Attribute in form widgets and Freemaker templates (OFBIZ-12049)
Posted by jl...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
commit fdeedf23ee8fb9d9eec45925f044252be153c7ff
Author: Jacques Le Roux <ja...@les7arts.com>
AuthorDate: Mon Dec 7 15:08:55 2020 +0100
Improved: Adds the HTML <input> accept Attribute in form widgets and Freemaker templates (OFBIZ-12049)
As explained at
https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes/accept
this is only an help for the users (ie not a security feature), but an
appreciable one easy to implement.
Here we start with website/WebSiteCMSContent.ftl
Also add some missing file extensions
---
.../content/template/website/WebSiteCMSContent.ftl | 19 +++++++++++++++----
applications/datamodel/data/seed/ContentSeedData.xml | 5 +++++
2 files changed, 20 insertions(+), 4 deletions(-)
diff --git a/applications/content/template/website/WebSiteCMSContent.ftl b/applications/content/template/website/WebSiteCMSContent.ftl
index 67b3df9..7a81a5c 100644
--- a/applications/content/template/website/WebSiteCMSContent.ftl
+++ b/applications/content/template/website/WebSiteCMSContent.ftl
@@ -333,7 +333,18 @@
<td class="label">${uiLabelMap.CommonUpload}</td>
<td>
<input type="hidden" name="isUploadObject" value="Y"/>
- <input type="file" name="uploadedFile" size="30"/>
+ <#if dataResourceTypeId == 'IMAGE_OBJECT'>
+ <input type="file" name="uploadedFile" size="30" accept=".png,.gif,.jpg,.jpeg,.tiff,.tif"/>
+ </#if>
+ <#if dataResourceTypeId == 'VIDEO_OBJECT'>
+ <input type="file" name="uploadedFile" size="30" accept=".mpeg,.mpg,.mp4,.m4v,.mov,.qt,.asf,.avi,.asx,.asf,.flv,.wvx,.wm,.wmv,.wmx,.avi"/>
+ </#if>
+ <#if dataResourceTypeId == 'AUDIO_OBJECT'>
+ <input type="file" name="uploadedFile" size="30" accept=".mp3,.ogg,.vorbis,.flac,.wav"/>
+ </#if>
+ <#if dataResourceTypeId == 'OTHER_OBJECT' || dataResourceTypeId == 'LOCAL_FILE' || dataResourceTypeId == 'OFBIZ_FILE' >
+ <input type="file" name="uploadedFile" size="30"/>
+ </#if>
</td>
</tr>
<#elseif (dataResourceTypeId == 'URL_RESOURCE')>
@@ -354,9 +365,9 @@
<tr>
<td colspan="2">
<div id="editorcontainer" class="nocolumns">
- <textarea name="textData" id="cmseditor" style="margin: 0; width: 100%; border: 1px solid black;">
+ <textarea name="textData" id="cmseditor" style="margin: 0; width: 100%; border: 1px solid black;">
<#if (dataText?has_content)>
- ${StringUtil.wrapString(dataText.textData!)}
+ ${StringUtil.wrapString(dataText.textData!)}
</#if>
</textarea>
</div>
@@ -370,4 +381,4 @@
</tr>
</table>
</form>
-</#if>
\ No newline at end of file
+</#if>
diff --git a/applications/datamodel/data/seed/ContentSeedData.xml b/applications/datamodel/data/seed/ContentSeedData.xml
index 54472c1..aae7cb3 100644
--- a/applications/datamodel/data/seed/ContentSeedData.xml
+++ b/applications/datamodel/data/seed/ContentSeedData.xml
@@ -509,8 +509,13 @@ under the License.
<FileExtension fileExtensionId="vcf" mimeTypeId="text/x-vcard"/>
<FileExtension fileExtensionId="wav" mimeTypeId="audio/wav"/>
<FileExtension fileExtensionId="mpeg" mimeTypeId="audio/mpeg"/>
+ <FileExtension fileExtensionId="mp3" mimeTypeId="audio/mpeg"/>
+ <FileExtension fileExtensionId="mp4" mimeTypeId="audio/mpeg"/>
<FileExtension fileExtensionId="ogg" mimeTypeId="audio/ogg"/>
+ <FileExtension fileExtensionId="flac" mimeTypeId="audio/flac"/>
+ <FileExtension fileExtensionId="vorbis" mimeTypeId="audio/ogg"/>
<FileExtension fileExtensionId="dflt" mimeTypeId="application/octet-stream"/>
+ <FileExtension fileExtensionId="3gp" mimeTypeId="video/3gpp"/>
<!-- Registered MIME Types:
[ofbiz-framework] 04/04: Fixed: Secure the uploads (OFBIZ-12080)
Posted by jl...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
commit 100810faeb603183643734f5efbec52e2398d7bd
Author: Jacques Le Roux <ja...@les7arts.com>
AuthorDate: Mon Dec 7 19:48:36 2020 +0100
Fixed: Secure the uploads (OFBIZ-12080)
Adds audio and video as supported formats
---
framework/security/config/security.properties | 2 +-
.../security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/framework/security/config/security.properties b/framework/security/config/security.properties
index c904be3..43ede04 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -200,7 +200,7 @@ csrf.defense.strategy=
templateClassResolver=
-#-- UPLOAD: supported file formats are *safe* PNG, GIF, TIFF, JPEG, PDF and ZIP
+#-- UPLOAD: supported file formats are *safe* PNG, GIF, TIFF, JPEG, PDF, Audio and Video and ZIP
#--
#-- No proprietary file formats (Excel, Word, etc.) are handled OOTB.
#-- They can be handled by custom projects using https://github.com/righettod/document-upload-protection:
diff --git a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
index e233228..0751067 100644
--- a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
+++ b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
@@ -88,7 +88,7 @@ public class SecuredUpload {
// https://en.wikipedia.org/wiki/File_format
// https://en.wikipedia.org/wiki/List_of_file_signatures
// See also information in security.properties:
- // Line #-- UPLOAD: supported file formats are *safe* PNG, GIF, TIFF, JPEG, PDF and ZIP
+ // Line #-- UPLOAD: supported file formats are *safe* PNG, GIF, TIFF, JPEG, PDF, Audio and Video and ZIP
private static final String MODULE = SecuredUpload.class.getName();