You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ofbiz.apache.org by jl...@apache.org on 2022/06/11 12:25:22 UTC
[ofbiz-framework] branch trunk updated: Fixed: Secure the uploads (OFBIZ-12080)
This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/trunk by this push:
new e3f5d31db1 Fixed: Secure the uploads (OFBIZ-12080)
e3f5d31db1 is described below
commit e3f5d31db153075b78314f7b4228df53b69c86ab
Author: Jacques Le Roux <ja...@les7arts.com>
AuthorDate: Sat Jun 11 11:09:26 2022 +0200
Fixed: Secure the uploads (OFBIZ-12080)
Several changes in SecuredUpload class:
Mostly checks that uploaded CSV files are valid text files
Also few debug log texts changes for clarity
---
.../main/java/org/apache/ofbiz/security/SecuredUpload.java | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
index 29f02731c1..d86e5c594c 100644
--- a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
+++ b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
@@ -455,7 +455,7 @@ public class SecuredUpload {
}
} catch (Exception e) {
safeState = false;
- Debug.logError(e, "for security reason the PDF file " + file.getAbsolutePath() + "can't be uploaded !", MODULE);
+ Debug.logError(e, "for security reason the PDF file " + file.getAbsolutePath() + " can't be uploaded !", MODULE);
}
return safeState;
}
@@ -493,14 +493,14 @@ public class SecuredUpload {
try (CSVParser parser = new CSVParser(in, cvsFormat)) {
parser.getRecords();
}
- return true;
+ return isValidTextFile(fileName, false); // Validate content to prevent webshell
}
private static boolean isExecutable(String fileName) throws IOException {
String mimeType = getMimeTypeFromFileName(fileName);
// Check for Windows executable. Neglect .bat and .ps1: https://s.apache.org/c8sim
if ("application/x-msdownload".equals(mimeType) || "application/x-ms-installer".equals(mimeType)) {
- Debug.logError("The file" + fileName + " is a Windows executable, for security reason it's not accepted :", MODULE);
+ Debug.logError("The file" + fileName + " is a Windows executable, for security reason it's not accepted", MODULE);
return true;
}
// Check for ELF (Linux) and scripts
@@ -509,7 +509,7 @@ public class SecuredUpload {
|| "application/text/x-perl".equals(mimeType)
|| "application/text/x-ruby".equals(mimeType)
|| "application/text/x-python".equals(mimeType)) {
- Debug.logError("The file" + fileName + " is a Linux executable, for security reason it's not accepted :", MODULE);
+ Debug.logError("The file" + fileName + " is a Linux executable, for security reason it's not accepted", MODULE);
return true;
}
return false;
@@ -661,7 +661,7 @@ public class SecuredUpload {
|| "audio/x-flac".equals(mimeType)) {
return true;
}
- Debug.logInfo("The file" + fileName + " is not a valid audio file, for security reason it's not accepted :", MODULE);
+ Debug.logInfo("The file" + fileName + " is not a valid audio file. For security reason it's not accepted as a such file", MODULE);
return false;
}
@@ -686,7 +686,7 @@ public class SecuredUpload {
|| "video/x-ms-wmx".equals(mimeType)) {
return true;
}
- Debug.logInfo("The file" + fileName + " is not a valid video file, for security reason it's not accepted :", MODULE);
+ Debug.logInfo("The file" + fileName + " is not a valid video file. For security reason it's not accepted as a such file", MODULE);
return false;
}
@@ -720,7 +720,7 @@ public class SecuredUpload {
private static boolean isValid(String content, String string, List<String> allowed) {
boolean isOK = !content.toLowerCase().contains(string) || allowed.contains(string);
if (!isOK) {
- Debug.logInfo("############### BEWARE, Image contains " + string, MODULE);
+ Debug.logInfo("The uploaded file contains the string '" + string + "'. It can't be uploaded for security reason", MODULE);
}
return isOK;
}