Posted to commits@ofbiz.apache.org by jl...@apache.org on 2022/02/17 18:03:42 UTC

[ofbiz-framework] 02/02: Fixed: Secure the uploads (OFBIZ-12080)

This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release22.01
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

commit 70c799dc63312ae5953a501cd19e4eb838771868
Author: Jacques Le Roux <ja...@les7arts.com>
AuthorDate: Thu Feb 17 18:48:34 2022 +0100

    Fixed: Secure the uploads (OFBIZ-12080)
    
    Prevents
    * lines that are too long (over 10 000 by default)
    * linked images inside SVG
    
    Adds a comment about double extensions not allowed
    
    Conflicts handled by hand
     SecuredUpload.java
---
 .../src/main/java/org/apache/ofbiz/security/SecuredUpload.java      | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
index 151c9c8..f592091 100644
--- a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
+++ b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
@@ -101,7 +101,7 @@ public class SecuredUpload {
     private static final String MODULE = SecuredUpload.class.getName();
     private static final List<String> DENIEDFILEEXTENSIONS = deniedFileExtensions();
     private static final List<String> DENIEDWEBSHELLTOKENS = deniedWebShellTokens();
-    private static final Integer maxLineLength = UtilProperties.getPropertyAsInteger("security", "maxLineLength", 10000);
+    private static final Integer MAXLINELENGTH = UtilProperties.getPropertyAsInteger("security", "maxLineLength", 10000);
 
     public static boolean isValidText(String content, List<String> allowed) throws IOException {
         return DENIEDWEBSHELLTOKENS.stream().allMatch(token -> isValid(content, token, allowed));
@@ -121,7 +121,7 @@ public class SecuredUpload {
 
         // Check max line length, default 10000
         if (!checkMaxLinesLength(fileToCheck)) {
-            Debug.logError("For security reason lines over " + maxLineLength.toString() + " are not allowed", MODULE);
+            Debug.logError("For security reason lines over " + MAXLINELENGTH.toString() + " are not allowed", MODULE);
             return false;
         }
 
@@ -689,7 +689,7 @@ public class SecuredUpload {
             File file = new File(fileToCheck);
             List<String> lines = FileUtils.readLines(file, Charset.defaultCharset());
             for (String line : lines) {
-                if (line.length() > maxLineLength) {
+                if (line.length() > MAXLINELENGTH) {
                     return false;
                 }
             }
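Review bot: The loop in this hunk only runs after FileUtils.readLines has decoded the whole upload into a List<String>, so a file with an oversized line is fully buffered in memory before MAXLINELENGTH rejects it; unless an upload-size limit upstream already bounds the file, streaming the lines and returning on the first violation would make the check fail early and bound memory. Charset.defaultCharset() also ties line decoding to the JVM's platform encoding, so the same file can yield different line counts on different hosts; ISO_8859_1 decodes every byte without error and is deterministic, which is all a pure length check needs. The `Charset` import is presumably already present for the current call. checkMaxLinesLength begins outside the hunk, so the surrounding try/catch is not visible here.
```java
try (BufferedReader reader = Files.newBufferedReader(Paths.get(fileToCheck), StandardCharsets.ISO_8859_1)) {
    String line;
    while ((line = reader.readLine()) != null) {
        // Stop at the first offending line instead of decoding the whole file first
        if (line.length() > MAXLINELENGTH) {
            return false;
        }
    }
}
// … unchanged: remainder of checkMaxLinesLength …
```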