Posted to commits@ofbiz.apache.org by jl...@apache.org on 2021/09/13 07:30:30 UTC
[ofbiz-framework] 02/03: Fixed: Found a new XXE (XML External
Entity Injection) vulnerability in EntityImport (OFBIZ-12304)
This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release17.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
commit a28316b70d8a2642ef57c7a1b5223c694816442c
Author: Jacques Le Roux <ja...@les7arts.com>
AuthorDate: Mon Sep 13 08:13:55 2021 +0200
Fixed: Found a new XXE (XML External Entity Injection) vulnerability in EntityImport (OFBIZ-12304)
The XXE vulnerability can read arbitrary files on the server.
Thanks: thiscodecc for reporting this security issue (post-auth)
---
.../java/org/apache/ofbiz/base/util/UtilValidate.java | 18 ++++++++++++++++--
.../org/apache/ofbiz/webtools/WebToolsServices.java | 5 +++++
2 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilValidate.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilValidate.java
index 14f55e7..d2d44fb 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilValidate.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilValidate.java
@@ -806,8 +806,9 @@ public final class UtilValidate {
return true;
}
- /** isUrl returns true if the string contains ://
- * @param s String to validate
+ /**
+ * isUrl returns true if the string contains ://
+ * @param s String to validate Note: this does not handle "component://" specific to OFBiz
* @return true if s contains ://
*/
public static boolean isUrl(String s) {
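Review bot: The OFBiz-specific caveat appended to the `@param s` line reads as part of the parameter description, which is not where a reader looks for a scope limitation of the method. Move it into the summary, e.g. `* isUrl returns true if the string contains ://` followed by `* Note: this does not handle "component://", which is specific to OFBiz`, and leave `@param s String to validate` on its own. The body of `isUrl` continues outside the hunk.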
@@ -821,6 +822,18 @@ public final class UtilValidate {
}
/**
+ * URLInString returns true if the string contains :// and not "component://"
+ * @param s String to validate
+ * @return true if s contains :// and not "component://"
+ */
+ public static boolean URLInString(String s) {
+ if (isEmpty(s) || s.contains("component://")) {
+ return false;
+ }
+ return s.indexOf("://") != -1;
+ }
+
+ /**
* isValidUrl returns true if the string is a valid URL (using Commons UrlValidator)
* @param s String to validate
* @return true if s contains if the string is a valid URL (using Commons UrlValidator)
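Review bot: The guard in `URLInString` is switched off entirely whenever the input contains `component://` anywhere, because `s.contains("component://")` makes the whole method return false instead of ignoring only that scheme; text that holds a `component://` reference alongside another `://` URL is therefore reported as URL-free, which defeats the OFBIZ-12304 check this method exists for. Testing the string with the OFBiz scheme removed gives the behaviour the Javadoc describes: `return !isEmpty(s) && s.replace("component://", "").contains("://");`. The name should also follow Java conventions (`urlInString`), and the Javadoc would benefit from a line stating that this is a heuristic substring filter on the input text, not a hardening of the XML parser. Regardless of this filter, the robust XXE mitigation is to disable DTD and external-entity resolution on the parser that consumes the imported text (for example via `XMLConstants.FEATURE_SECURE_PROCESSING`), since a text filter cannot anticipate every way an external reference can be written. `UtilValidate` continues outside the hunk.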
@@ -832,6 +845,7 @@ public final class UtilValidate {
return UrlValidator.getInstance().isValid(s);
}
+
/** isYear returns true if string s is a valid
* Year number. Must be 2 or 4 digits only.
*
diff --git a/framework/webtools/src/main/java/org/apache/ofbiz/webtools/WebToolsServices.java b/framework/webtools/src/main/java/org/apache/ofbiz/webtools/WebToolsServices.java
index 68a2865..be32378 100644
--- a/framework/webtools/src/main/java/org/apache/ofbiz/webtools/WebToolsServices.java
+++ b/framework/webtools/src/main/java/org/apache/ofbiz/webtools/WebToolsServices.java
@@ -143,6 +143,11 @@ public class WebToolsServices {
// #############################
// FM Template
// #############################
+ if (UtilValidate.URLInString(fulltext)) {
+ Debug.logError("For security reason HTTP URLs are not accepted, see OFBIZ-12304", MODULE);
+ Debug.logInfo("Rather load your data from a file", MODULE);
+ return null;
+ }
if (UtilValidate.isNotEmpty(fmfilename) && (UtilValidate.isNotEmpty(fulltext) || url != null)) {
File fmFile = new File(fmfilename);
if (!fmFile.exists()) {