Posted to commits@ofbiz.apache.org by nm...@apache.org on 2021/07/28 13:08:32 UTC

[ofbiz-framework] branch release18.12 updated (56df907 -> 5944749)

This is an automated email from the ASF dual-hosted git repository.

nmalin pushed a change to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git.


    from 56df907  Improved: Adds missing ASL2 headers in Rainbow Stone less files
     new 7a55ea8  Fixed: UserLoginHistory failed the store operation with large password (OFBIZ-12287)
     new 5944749  Fixed: IndexOutOfBoundsException on Entity Import (OFBIZ-12273)

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 .../java/org/apache/ofbiz/base/util/UtilHttp.java  | 37 +++++++++++++++++----
 .../apache/ofbiz/common/login/LoginServices.java   | 38 +++++++++++++++++++---
 framework/security/config/security.properties      |  6 +++-
 3 files changed, 68 insertions(+), 13 deletions(-)

[ofbiz-framework] 02/02: Fixed: IndexOutOfBoundsException on Entity Import (OFBIZ-12273)

Posted by nm...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

nmalin pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

commit 5944749ee03d0dc1399903e2cb48d82fed2063f9
Author: Nicolas Malin <ni...@nereide.fr>
AuthorDate: Wed Jul 28 14:32:36 2021 +0200

    Fixed: IndexOutOfBoundsException on Entity Import (OFBIZ-12273)
    
    Backport e4919d16ca33face162defb0e3a07373a8f9f374 from trunk
    
    Removes the localhost (and 127.0.0.1) OOTB.
    Allows them to be re-enabled through a "multi-property" (comma-separated list) in security.properties.
---
 .../java/org/apache/ofbiz/base/util/UtilHttp.java  | 37 ++++++++++++++++++----
 framework/security/config/security.properties      |  6 +++-
 2 files changed, 35 insertions(+), 8 deletions(-)

diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java
index 56c4e35..cdcbfb7 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java
@@ -398,20 +398,20 @@ public final class UtilHttp {
     }
 
     public static Map<String, Object> canonicalizeParameterMap(Map<String, Object> paramMap) {
-        for (Map.Entry<String, Object> paramEntry: paramMap.entrySet()) {
+        for (Map.Entry<String, Object> paramEntry : paramMap.entrySet()) {
             if (paramEntry.getValue() instanceof String) {
                 String paramEntries = (String) paramEntry.getValue();
                 String[] stringValues = paramEntries.split(" ");
                 String params = "";
                 // Handles textareas, see OFBIZ-12249
-                if (stringValues.length > 0) {
+                if (stringValues.length > 0 && !paramEntry.getKey().equals("DUMMYPAGE")) {
                     for (String s : stringValues) {
                         // if the string contains only an URL beginning by http or ftp => no change to keep special chars
                         if (UtilValidate.isValidUrl(s) && (s.indexOf("://") == 4 || s.indexOf("://") == 3)) {
-                            params = params + s + " " ;
+                            params = params + s + " ";
                         } else if (UtilValidate.isUrl(s) && !s.isEmpty()) {
                             // if the string contains not only an URL => concatenate possible canonicalized before and after, w/o changing the URL
-                            String url = extractUrls(s).get(0); // THere should be only 1 URL in a block, makes no sense else
+                            String url = extractUrls(s).get(0); // There should be only 1 URL in a block, makes no sense else
                             int start = s.indexOf(url);
                             String after = (String) s.subSequence(start + url.length(), s.length());
                             params = params + canonicalizeParameter((String) s.subSequence(0, start)) + url + canonicalizeParameter(after) + " ";
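Review bot: `extractUrls(s).get(0)` on the `else if` branch can still throw IndexOutOfBoundsException whenever `extractUrls` returns an empty list; the new allowed-protocol path in `extractUrls` only prevents that for tokens containing `component://` or a configured entry, so a token that `UtilValidate.isUrl` accepts but both the protocol list and the regex reject reproduces the crash this commit sets out to fix. Guarding the branch, `} else if (UtilValidate.isUrl(s) && !s.isEmpty() && !extractUrls(s).isEmpty()) {`, lets such a token fall through to the remaining branches of the loop instead. The new `"DUMMYPAGE"` key test on the `if` deserves a comment saying why a parameter with that name is exempt from canonicalisation, since the key presumably comes from the request and a reader cannot tell from the code what the exemption protects; a named constant such as `private static final String DUMMYPAGE_PARAM = "DUMMYPAGE";` would also make the intent searchable. The loop and canonicalizeParameterMap continue past the end of the hunk.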
@@ -1727,11 +1727,34 @@ public final class UtilHttp {
                         "([-\\w~!$+|.,*:=]|%[a-f\\d]{2})*)*)*" +
                         "(#([-\\w~!$+|.,*:=]|%[a-f\\d]{2})*)?\\b");
 
-        java.util.regex.Matcher matcher = pattern.matcher(input);
-        while (matcher.find()) {
-            result.add(matcher.group());
+        List<String> allowedProtocols = getAllowedProtocols();
+        for (String protocol : allowedProtocols) {
+            if (input.contains(protocol)) {
+                result.add(input);
+            }
+        }
+
+        if (result.isEmpty()) {
+            java.util.regex.Matcher matcher = pattern.matcher(input);
+            while (matcher.find()) {
+                result.add(matcher.group());
+            }
         }
 
         return result;
     }
+
+    private static List<String> getAllowedProtocols() {
+        List<String> allowedProtocolList = new LinkedList<>();
+        allowedProtocolList.add("component://");
+        String allowedProtocols = UtilProperties.getPropertyValue("security", "allowedProtocols");
+        if (UtilValidate.isNotEmpty(allowedProtocols)) {
+            List<String> allowedProtocolsList = StringUtil.split(allowedProtocols, ",");
+            for (String protocol : allowedProtocolsList) {
+                allowedProtocolList.add(protocol);
+            }
+        }
+        return allowedProtocolList;
+    }
+
 }
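Review bot: `input.contains(protocol)` in the new loop is a substring test over the whole token, and on a match the entire `input` is returned as "the URL"; since the caller in canonicalizeParameterMap canonicalises only the text before and after the returned URL, any token that merely contains `localhost`, `127.0.0.1` or `component://` anywhere escapes canonicalisation completely, including whatever is placed in front of the marker. Anchoring the match to the scheme position (the marker starts the token or directly follows `scheme://`) closes the prefix case, and a `break` stops the same input being added once per matching entry. The text after the host is still accepted verbatim on this path, unlike the regex path whose character class ends the match — a residual gap worth a comment if it is accepted. `getAllowedProtocols` also re-reads security.properties on every call and does not visibly trim the split entries, so a space after a comma in the property yields an entry that never matches. The `pattern` used by the fallback is built before the start of the hunk.
```java
        List<String> allowedProtocols = getAllowedProtocols();
        for (String protocol : allowedProtocols) {
            int at = input.indexOf(protocol);
            // accept the token only when the marker is its scheme, or its host right after "scheme://",
            // so text placed in front of the marker cannot ride along uncanonicalised as part of the "URL"
            if (at == 0 || (at > 0 && input.substring(0, at).matches("[A-Za-z][A-Za-z0-9+.-]*://"))) {
                result.add(input);
                break;
            }
        }
        // … unchanged: regex fallback when result is empty …
```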
diff --git a/framework/security/config/security.properties b/framework/security/config/security.properties
index 6ee20ea..6bbdda1 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -198,4 +198,8 @@ allowAllUploads=
 
 #-- uri used for login (cf jira OFBIZ-12047)
 #-- it's a list, each uri should be separated by comma, without space
-login.uris=login
\ No newline at end of file
+login.uris=login
+
+#-- If you need to use localhost or 127.0.0.1 in textareas URLs then you can uncomment the allowedProtocols property, here given as an example
+#-- You may also put other protocols you want to use, instead or with those
+allowedProtocols=localhost,127.0.0.1
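Review bot: `allowedProtocols=localhost,127.0.0.1` ships active although the comment above it tells the administrator to "uncomment" it and the commit message says localhost and 127.0.0.1 are removed out of the box; as committed, the default configuration re-enables both. Commenting the line out, `#allowedProtocols=localhost,127.0.0.1`, matches both the comment and the stated intent. The comment could also state the format the way the `login.uris` comment does, `#-- it's a list, each value should be separated by comma, without space`, since the Java side splits on "," and does not visibly trim the pieces.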

[ofbiz-framework] 01/02: Fixed: UserLoginHistory failed the store operation with large password (OFBIZ-12287)

Posted by nm...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

nmalin pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

commit 7a55ea89066238ec82329c9fc2f6de98af616810
Author: Nicolas Malin <ni...@nereide.fr>
AuthorDate: Wed Jul 28 11:59:03 2021 +0200

    Fixed: UserLoginHistory failed the store operation with large password (OFBIZ-12287)
    
    Backport 2aa68dc4de8892e8a7cbb38c10a3a3dd65d233e5 from trunk
    
    When you have a user with long password (greater than 256 characters) present in OFBiz and you try to log with, OFBiz return a long error message with sensitive information due to exceeding value size to store on the field UserLoginHistory.passwordUsed.
    
    To solve this we don't return any information on the genericValue that failed, and we analyze the field passwordUsed to avoid the case where the password used to log in is longer than the database field capacity.
    
    Thanks to Daniel Elkabes <da...@whitesourcesoftware.com> and Hagai Wechsler <ha...@whitesourcesoftware.com> from white source software to raise the problem.
---
 .../apache/ofbiz/common/login/LoginServices.java   | 38 +++++++++++++++++++---
 1 file changed, 33 insertions(+), 5 deletions(-)

diff --git a/framework/common/src/main/java/org/apache/ofbiz/common/login/LoginServices.java b/framework/common/src/main/java/org/apache/ofbiz/common/login/LoginServices.java
index 5d032fb..74ac8ff 100644
--- a/framework/common/src/main/java/org/apache/ofbiz/common/login/LoginServices.java
+++ b/framework/common/src/main/java/org/apache/ofbiz/common/login/LoginServices.java
@@ -51,6 +51,7 @@ import org.apache.ofbiz.entity.condition.EntityCondition;
 import org.apache.ofbiz.entity.condition.EntityFunction;
 import org.apache.ofbiz.entity.condition.EntityOperator;
 import org.apache.ofbiz.entity.model.ModelEntity;
+import org.apache.ofbiz.entity.model.ModelField;
 import org.apache.ofbiz.entity.transaction.GenericTransactionException;
 import org.apache.ofbiz.entity.transaction.TransactionUtil;
 import org.apache.ofbiz.entity.util.EntityListIterator;
@@ -351,8 +352,12 @@ public class LoginServices {
                                         }
 
                                         // ONLY save the password if it was incorrect
-                                        if ("N".equals(successfulLogin) && !"false".equals(EntityUtilProperties.getPropertyValue("security", "store.login.history.incorrect.password", delegator))) {
-                                            ulhCreateMap.put("passwordUsed", password);
+                                        // we will check in the hash size isn't too huge for the store other wise store a fix string
+                                        if ("N".equals(successfulLogin) && !"false".equals(EntityUtilProperties.getPropertyValue("security",
+                                                "store.login.history.incorrect.password", delegator))) {
+                                            ulhCreateMap.put("passwordUsed", isGivenPasswordCanBeStored(delegator, password)
+                                                    ? " TOO LONG FOR STORAGE "
+                                                    : password);
                                         }
 
                                         delegator.create("UserLoginHistory", ulhCreateMap);
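Review bot: The new ternary reads inverted: `isGivenPasswordCanBeStored(delegator, password) ? " TOO LONG FOR STORAGE " : password` stores the placeholder when the helper returns true, and the helper added later in this commit returns `passwordUsedCurrentSize > maxPasswordSize`, i.e. true when the value does not fit. Behaviour is therefore correct, but the name says the opposite; renaming the helper to `isGivenPasswordTooLongToStore` at both sites, or inverting the two branches, removes the trap for the next reader. The new comment, `// we will check in the hash size isn't too huge for the store other wise store a fix string`, would read better as `// store a fixed placeholder when the (possibly encrypted) value would not fit the passwordUsed column`. The enclosing try/catch and method begin and end outside the hunk.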
@@ -363,7 +368,6 @@ public class LoginServices {
                                 if (doStore) {
                                     geeErrMsg += " and updating login status to reset hasLoggedOut, unsuccessful login count, etc.";
                                 }
-                                geeErrMsg += ": " + e.toString();
                                 try {
                                     TransactionUtil.rollback(beganTransaction, geeErrMsg, e);
                                 } catch (GenericTransactionException e2) {
@@ -453,6 +457,30 @@ public class LoginServices {
     }
 
     /**
+     * To escape an exception when the password store due to limitation size for passwordUsed field, we analyse if it's possible.
+     * @param delegator
+     * @param password
+     * @return
+     * @throws GenericEntityException
+     */
+    private static boolean isGivenPasswordCanBeStored(Delegator delegator, String password)
+            throws GenericEntityException {
+        ModelEntity modelEntityUserLoginHistory = delegator.getModelEntity("UserLoginHistory");
+        ModelField passwordUsedField = modelEntityUserLoginHistory.getField("passwordUsed");
+        int maxPasswordSize = delegator.getEntityFieldType(
+                modelEntityUserLoginHistory,
+                passwordUsedField.getType()).stringLength();
+        int passwordUsedCurrentSize = password.length();
+
+        // if the field is encrypted, we check the size of the hashed result
+        ModelField.EncryptMethod encryptMethod = passwordUsedField.getEncryptMethod();
+        if (encryptMethod.isEncrypted()) {
+            passwordUsedCurrentSize = delegator.encryptFieldValue("UserLoginHistory", encryptMethod, password).toString().length();
+        }
+        return passwordUsedCurrentSize > maxPasswordSize;
+    }
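Review bot: The Javadoc on `isGivenPasswordCanBeStored` has empty `@param`, `@return` and `@throws` tags, and the name contradicts the value returned, which is true when the stored form would exceed the column. Proposed `@return`: `true when the value (its encrypted form if the field is encrypted) is longer than the passwordUsed column allows and must be replaced by a placeholder`. `password.length()` throws NullPointerException for a null password and `passwordUsedField` is dereferenced without a null check; if a null password can reach this path (not visible here), `return password != null && passwordUsedCurrentSize > maxPasswordSize;` or an early return covers it. A one-line comment on why `.toString().length()` of the encrypted value is the right size to compare would also help, since the encrypted value's type is not visible here.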
+
+    /**
      * Login service to authenticate a username without password, storing history
      *
      * @return Map of results including (userLogin) GenericValue object
@@ -593,7 +621,7 @@ public class LoginServices {
                 .orderBy("-fromDate")
                 .cursorScrollInsensitive();
         Timestamp nowTimestamp = UtilDateTime.nowTimestamp();
-        
+
         try (EntityListIterator eli = eq.queryIterator()) {
             GenericValue pwdHist;
             if ((pwdHist = eli.next()) != null) {
@@ -645,7 +673,7 @@ public class LoginServices {
 
         String questionEnumId = (String) context.get("securityQuestion");
         String securityAnswer = (String) context.get("securityAnswer");
-        
+
         // security: don't create a user login if the specified partyId (if not empty) already exists
         // unless the logged in user has permission to do so (same partyId or PARTYMGR_CREATE)
         if (UtilValidate.isNotEmpty(partyId)) {