You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ofbiz.apache.org by jl...@apache.org on 2022/02/17 18:03:42 UTC
[ofbiz-framework] 02/02: Fixed: Secure the uploads (OFBIZ-12080)
This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release22.01
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
commit 70c799dc63312ae5953a501cd19e4eb838771868
Author: Jacques Le Roux <ja...@les7arts.com>
AuthorDate: Thu Feb 17 18:48:34 2022 +0100
Fixed: Secure the uploads (OFBIZ-12080)
Prevents
* too long lines (10 000) by default
* linked images inside SVG
Adds a comment about double extensions not allowed
Conflicts handled by hand
SecuredUpload.java
---
.../src/main/java/org/apache/ofbiz/security/SecuredUpload.java | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
index 151c9c8..f592091 100644
--- a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
+++ b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
@@ -101,7 +101,7 @@ public class SecuredUpload {
private static final String MODULE = SecuredUpload.class.getName();
private static final List<String> DENIEDFILEEXTENSIONS = deniedFileExtensions();
private static final List<String> DENIEDWEBSHELLTOKENS = deniedWebShellTokens();
- private static final Integer maxLineLength = UtilProperties.getPropertyAsInteger("security", "maxLineLength", 10000);
+ private static final Integer MAXLINELENGTH = UtilProperties.getPropertyAsInteger("security", "maxLineLength", 10000);
public static boolean isValidText(String content, List<String> allowed) throws IOException {
return DENIEDWEBSHELLTOKENS.stream().allMatch(token -> isValid(content, token, allowed));
@@ -121,7 +121,7 @@ public class SecuredUpload {
// Check max line length, default 10000
if (!checkMaxLinesLength(fileToCheck)) {
- Debug.logError("For security reason lines over " + maxLineLength.toString() + " are not allowed", MODULE);
+ Debug.logError("For security reason lines over " + MAXLINELENGTH.toString() + " are not allowed", MODULE);
return false;
}
@@ -689,7 +689,7 @@ public class SecuredUpload {
File file = new File(fileToCheck);
List<String> lines = FileUtils.readLines(file, Charset.defaultCharset());
for (String line : lines) {
- if (line.length() > maxLineLength) {
+ if (line.length() > MAXLINELENGTH) {
return false;
}
}