Posted to commits@ofbiz.apache.org by jl...@apache.org on 2022/02/18 14:34:58 UTC

[ofbiz-framework] branch release22.01 updated: Fixed: Secure the uploads (OFBIZ-12080)

This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release22.01
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release22.01 by this push:
     new e6443c1  Fixed: Secure the uploads (OFBIZ-12080)
e6443c1 is described below

commit e6443c1369be015d56d90d0b22c54d8c4cffa9e4
Author: Jacques Le Roux <ja...@les7arts.com>
AuthorDate: Fri Feb 18 15:32:31 2022 +0100

    Fixed: Secure the uploads (OFBIZ-12080)
    
    In the previous comment, to prevent linked images inside SVG I used xlink:href.
    That's no good; it must be followed by <<="http">>, and this does it. Otherwise a lot
    of SVG images would not be loadable, because xlink:href can be used in other
    cases.
---
 .../security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
index f592091..6a86c75 100644
--- a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
+++ b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
@@ -654,7 +654,7 @@ public class SecuredUpload {
             }
         }
         String content = new String(bytesFromFile);
-        if (content.toLowerCase().contains("xlink:href")) {
+        if (content.toLowerCase().contains("xlink:href=\"http")) {
             Debug.logError("Linked images inside SVG are not allowed for security reason", MODULE);
             return false;
         }
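Review bot: the new check on the `+` line, `content.toLowerCase().contains("xlink:href=\"http")`, only matches the exact spelling with a double quote and no whitespace, so it does not reject a linked image written as `xlink:href='http://...'` (XML permits single-quoted attribute values) or as `xlink:href = "http://..."` (XML permits whitespace around `=`), both of which the previous `contains("xlink:href")` check would have caught. Narrowing the substring to let ordinary SVGs through trades one false-positive problem for an easy bypass; the value is case-folded but the delimiters are not normalised. The more robust fix is to parse the upload as XML and reject any `xlink:href` (or plain `href`) whose value is not a local fragment reference starting with `#`, rather than matching one quoting style. Separately, `new String(bytesFromFile)` in the context line uses the platform default charset, so the match should be made on an explicitly decoded string (or on a parsed document) to avoid depending on the JVM's `file.encoding`.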