Posted to commits@ofbiz.apache.org by jl...@apache.org on 2021/09/13 07:30:28 UTC

[ofbiz-framework] branch release17.12 updated (1b907b0 -> 123f30e)

This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a change to branch release17.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git.


    from 1b907b0  Fixed: CVE-2021-37608 vulnerability bypass (OFBIZ-12307)
     new 7e00617  Fixed: Found a new XXE (XML External Entity Injection) vulnerability in ArtifactInfo (OFBIZ-12306)
     new a28316b  Fixed: Found a new XXE (XML External Entity Injection) vulnerability in EntityImport (OFBIZ-12304)
     new 123f30e  Fixed: Found a new XXE (XML External Entity Injection) vulnerability in EntityImport (OFBIZ-12304)

The 3 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 .../java/org/apache/ofbiz/base/util/UtilURL.java   |  2 +-
 .../org/apache/ofbiz/base/util/UtilValidate.java   | 30 ++++++++++++++++++++--
 .../groovyScripts/artifactinfo/ArtifactInfo.groovy | 10 +++++---
 .../apache/ofbiz/webtools/WebToolsServices.java    |  5 ++++
 4 files changed, 41 insertions(+), 6 deletions(-)

[ofbiz-framework] 02/03: Fixed: Found a new XXE (XML External Entity Injection) vulnerability in EntityImport (OFBIZ-12304)

Posted by jl...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release17.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

commit a28316b70d8a2642ef57c7a1b5223c694816442c
Author: Jacques Le Roux <ja...@les7arts.com>
AuthorDate: Mon Sep 13 08:13:55 2021 +0200

    Fixed: Found a new XXE (XML External Entity Injection) vulnerability in EntityImport (OFBIZ-12304)
    
    The XXE vulnerability can read arbitrary files on the server.
    
    Thanks: thiscodecc for reporting this security issue (post-auth)
---
 .../java/org/apache/ofbiz/base/util/UtilValidate.java  | 18 ++++++++++++++++--
 .../org/apache/ofbiz/webtools/WebToolsServices.java    |  5 +++++
 2 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilValidate.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilValidate.java
index 14f55e7..d2d44fb 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilValidate.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilValidate.java
@@ -806,8 +806,9 @@ public final class UtilValidate {
         return true;
     }
 
-    /** isUrl returns true if the string contains ://
-     * @param s String to validate
+    /**
+     * isUrl returns true if the string contains ://
+     * @param s String to validate Note: this does not handle "component://" specific to OFBiz
      * @return true if s contains ://
      */
     public static boolean isUrl(String s) {
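Review bot: The new sentence on line 64 is appended to the `@param s` text, so Javadoc renders "Note: this does not handle component://" as part of the parameter description rather than as a statement about the method. It belongs in the description block above the tags, e.g. `* isUrl returns true if the string contains ://` followed by `* Note: "component://" locations specific to OFBiz are not treated specially here`, leaving `@param s String to validate` as it was.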
@@ -821,6 +822,18 @@ public final class UtilValidate {
     }
 
     /**
+     * URLInString returns true if the string contains :// and not "component://"
+     * @param s String to validate
+     * @return true if s contains :// and not "component://"
+     */
+    public static boolean URLInString(String s) {
+        if (isEmpty(s) || s.contains("component://")) {
+            return false;
+        }
+        return s.indexOf("://") != -1;
+    }
+
+    /**
      * isValidUrl returns true if the string is a valid URL (using Commons UrlValidator)
      * @param s String to validate
      * @return true if s contains if the string is a valid URL (using Commons UrlValidator)
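Review bot: The `s.contains("component://")` test on line 77 exempts the whole string rather than the occurrence: once a `component://` reference appears anywhere, the method returns false regardless of any other `://` scheme in the same text, which makes the gate in the WebToolsServices hunk below weaker than intended. The exemption should be evaluated per `://` occurrence, as sketched below. Because this is a substring heuristic and not an XML-level control, the XXE fix named in the commit message is only as strong as the parser that later consumes the text; that parser should have DTD and external-entity resolution disabled (for example via `XMLConstants.FEATURE_SECURE_PROCESSING` or the `disallow-doctype-decl` feature) so this check is defense in depth rather than the sole barrier. Minor: `s.indexOf("://") != -1` reads more directly as `s.contains("://")`.
```java
    // … unchanged: Javadoc …
    public static boolean URLInString(String s) {
        if (isEmpty(s)) {
            return false;
        }
        // Exempt only an occurrence that is exactly an OFBiz "component://" location;
        // any other "://" anywhere in the text counts as a URL.
        int at = s.indexOf("://");
        while (at != -1) {
            if (!s.startsWith("component://", at - "component".length())) {
                return true;
            }
            at = s.indexOf("://", at + "://".length());
        }
        return false;
    }
```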
@@ -832,6 +845,7 @@ public final class UtilValidate {
         return UrlValidator.getInstance().isValid(s);
     }
 
+
     /** isYear returns true if string s is a valid
      *  Year number.  Must be 2 or 4 digits only.
      *
diff --git a/framework/webtools/src/main/java/org/apache/ofbiz/webtools/WebToolsServices.java b/framework/webtools/src/main/java/org/apache/ofbiz/webtools/WebToolsServices.java
index 68a2865..be32378 100644
--- a/framework/webtools/src/main/java/org/apache/ofbiz/webtools/WebToolsServices.java
+++ b/framework/webtools/src/main/java/org/apache/ofbiz/webtools/WebToolsServices.java
@@ -143,6 +143,11 @@ public class WebToolsServices {
         // #############################
         // FM Template
         // #############################
+        if (UtilValidate.URLInString(fulltext)) {
+            Debug.logError("For security reason HTTP URLs are not accepted, see OFBIZ-12304", MODULE);
+            Debug.logInfo("Rather load your data from a file", MODULE);
+            return null;
+        }
         if (UtilValidate.isNotEmpty(fmfilename) && (UtilValidate.isNotEmpty(fulltext) || url != null)) {
             File fmFile = new File(fmfilename);
             if (!fmFile.exists()) {
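Review bot: The guard on lines 103-107 returns `null` after logging, so if this method is an OFBiz service returning a result Map (its signature starts outside the hunk) the caller receives no error result and the requester gets no explanation; returning an error result such as `return ServiceUtil.returnError("URLs are not accepted in inline data, see OFBIZ-12304");` would surface the refusal instead of relying on the server log. The check inspects only `fulltext`, while line 108 shows a `url` input handled alongside it; whether the `url` path is covered by another check cannot be seen here and is worth confirming. The log text says "HTTP URLs" but `URLInString` rejects any scheme containing `://`, so `"For security reason URLs are not accepted, see OFBIZ-12304"` would describe the behaviour accurately.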

[ofbiz-framework] 01/03: Fixed: Found a new XXE (XML External Entity Injection) vulnerability in ArtifactInfo (OFBIZ-12306)

Posted by jl...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release17.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

commit 7e006178282eba3de1a1ed6636a9516fe7a626af
Author: Jacques Le Roux <ja...@les7arts.com>
AuthorDate: Mon Sep 13 08:10:14 2021 +0200

    Fixed: Found a new XXE (XML External Entity Injection) vulnerability in ArtifactInfo (OFBIZ-12306)
    
    The XXE vulnerability can read arbitrary files on the server.
    
    Thanks: thiscodecc for reporting this security issue (post-auth)
---
 .../base/src/main/java/org/apache/ofbiz/base/util/UtilURL.java |  2 +-
 .../webtools/groovyScripts/artifactinfo/ArtifactInfo.groovy    | 10 +++++++---
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilURL.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilURL.java
index f938dc3..4403822 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilURL.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilURL.java
@@ -146,8 +146,8 @@ public final class UtilURL {
         try {
             url = new URL(urlString);
         } catch (MalformedURLException e) {
+            // We purposely don't want to do anything here
         }
-
         return url;
     }
 
diff --git a/framework/webtools/groovyScripts/artifactinfo/ArtifactInfo.groovy b/framework/webtools/groovyScripts/artifactinfo/ArtifactInfo.groovy
index 7edebdf..afa2cb5 100644
--- a/framework/webtools/groovyScripts/artifactinfo/ArtifactInfo.groovy
+++ b/framework/webtools/groovyScripts/artifactinfo/ArtifactInfo.groovy
@@ -17,12 +17,16 @@
  * under the License.
  */
 
-import org.apache.ofbiz.entity.Delegator
-import org.apache.ofbiz.webtools.artifactinfo.*
-import org.apache.ofbiz.base.util.*
+import org.apache.ofbiz.base.util.Debug
+import org.apache.ofbiz.base.util.UtilURL
+import org.apache.ofbiz.webtools.artifactinfo.ArtifactInfoFactory
 
 name = parameters.name
 location = parameters.location
+if (UtilURL.fromUrlString(location)) {
+    Debug.logError("For security reason HTTP URLs are not accepted, see OFBIZ-12306", "ArtifactInfo.groovy")
+    return
+}
 type = parameters.type
 uniqueId = parameters.uniqueId
 delegatorName = delegator.getDelegatorName()
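Review bot: The condition on line 165 depends on Groovy truth for the `java.net.URL` object returned by `UtilURL.fromUrlString` (the UtilURL hunk above shows it yields null on a parse failure), so a non-null result is read as "reject"; writing it as `if (UtilURL.fromUrlString(location) != null) {` states that intent and is robust to a later change of return type. Since `new URL(...)` accepts every scheme the JVM has a handler for, not only HTTP, the message on line 166 understates what is rejected; `"For security reason URLs are not accepted, see OFBIZ-12306"` is more accurate. The bare `return` leaves the requester with an empty page and only a server-side log entry, so consider also setting an error message in the screen context before returning, if this script has one available.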

[ofbiz-framework] 03/03: Fixed: Found a new XXE (XML External Entity Injection) vulnerability in EntityImport (OFBIZ-12304)

Posted by jl...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release17.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

commit 123f30eb6bbd74e129abbcac329a2667a2d1a7ac
Author: Jacques Le Roux <ja...@les7arts.com>
AuthorDate: Mon Sep 13 08:13:55 2021 +0200

    Fixed: Found a new XXE (XML External Entity Injection) vulnerability in EntityImport (OFBIZ-12304)
    
    The XXE vulnerability can read arbitrary files on the server.
    
    Thanks: thiscodecc for reporting this security issue (post-auth)
---
 .../main/java/org/apache/ofbiz/base/util/UtilValidate.java   | 12 ++++++++++++
 .../java/org/apache/ofbiz/webtools/WebToolsServices.java     |  2 +-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilValidate.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilValidate.java
index d2d44fb..07b47df 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilValidate.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilValidate.java
@@ -834,6 +834,18 @@ public final class UtilValidate {
     }
 
     /**
+     * urlInString returns true if the string contains :// and not "component://"
+     * @param s String to validate
+     * @return true if s contains :// and not "component://"
+     */
+    public static boolean urlInString(String s) {
+        if (isEmpty(s) || s.contains("component://")) {
+            return false;
+        }
+        return s.indexOf("://") != -1;
+    }
+
+    /**
      * isValidUrl returns true if the string is a valid URL (using Commons UrlValidator)
      * @param s String to validate
      * @return true if s contains if the string is a valid URL (using Commons UrlValidator)
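Review bot: The `URLInString` introduced by the previous commit is left in place next to the new `urlInString` — the diffstat on line 191 shows 12 insertions and no deletions in this file, and the only deletion on the page is the call-site rename on line 226 — so the class now carries two identical methods. Remove the old one, or if the release branch must stay source-compatible keep it as a `@Deprecated` one-line delegate: `return urlInString(s);`. The body on lines 208-211 is unchanged from the earlier hunk, so the whole-string `contains("component://")` exemption raised there applies here as well.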
diff --git a/framework/webtools/src/main/java/org/apache/ofbiz/webtools/WebToolsServices.java b/framework/webtools/src/main/java/org/apache/ofbiz/webtools/WebToolsServices.java
index be32378..206aae9 100644
--- a/framework/webtools/src/main/java/org/apache/ofbiz/webtools/WebToolsServices.java
+++ b/framework/webtools/src/main/java/org/apache/ofbiz/webtools/WebToolsServices.java
@@ -143,7 +143,7 @@ public class WebToolsServices {
         // #############################
         // FM Template
         // #############################
-        if (UtilValidate.URLInString(fulltext)) {
+        if (UtilValidate.urlInString(fulltext)) {
             Debug.logError("For security reason HTTP URLs are not accepted, see OFBIZ-12304", MODULE);
             Debug.logInfo("Rather load your data from a file", MODULE);
             return null;