Posted to commits@ofbiz.apache.org by jl...@apache.org on 2019/08/11 13:23:19 UTC

svn commit: r1864930 - in /ofbiz/ofbiz-framework/trunk: applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java framework/base/src/main/java/org/apache/ofbiz/base/util/FileUtil.java

Author: jleroux
Date: Sun Aug 11 13:23:19 2019
New Revision: 1864930

URL: http://svn.apache.org/viewvc?rev=1864930&view=rev
Log:
Fixed: [FB] Find Security Bugs
(OFBIZ-9973)

As suggested by Mathieu on the dev ML, this factorises the use of Path::normalize.

Modified:
    ofbiz/ofbiz-framework/trunk/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java
    ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/FileUtil.java

Modified: ofbiz/ofbiz-framework/trunk/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java?rev=1864930&r1=1864929&r2=1864930&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/trunk/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java (original)
+++ ofbiz/ofbiz-framework/trunk/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java Sun Aug 11 13:23:19 2019
@@ -42,6 +42,7 @@ import javax.servlet.http.HttpSession;
 import javax.swing.ImageIcon;
 
 import org.apache.ofbiz.base.util.Debug;
+import org.apache.ofbiz.base.util.FileUtil;
 import org.apache.ofbiz.base.util.UtilDateTime;
 import org.apache.ofbiz.base.util.UtilGenerics;
 import org.apache.ofbiz.base.util.UtilProperties;
@@ -290,7 +291,7 @@ public class FrameImage {
         String dataResourceId = null;
         try {
             String dirPath = "/frame/";
-            File dir = new File(imageServerPath + dirPath).toPath().normalize().toFile(); // cf. OFBIZ-9973
+            File dir = FileUtil.normalizeFilePath(imageServerPath + dirPath);
             if (!dir.exists()) {
                 boolean createDir = dir.mkdir();
                 if (!createDir) {
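Review bot: The `// cf. OFBIZ-9973` marker is dropped from the new `dir` line but kept on the equivalent `file` line in the next hunk and on the `bufImg1` line further down, so the file now mixes two conventions; either drop it everywhere now that the helper's Javadoc cites the issue, or keep it here as `File dir = FileUtil.normalizeFilePath(imageServerPath + dirPath); // cf. OFBIZ-9973`. Note also that `dirPath` is the constant `"/frame/"`, so normalizing on this line only has a security effect if `imageServerPath` itself can carry `..` segments, which is not visible from this hunk. The enclosing method starts and ends outside the hunk.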
@@ -299,7 +300,7 @@ public class FrameImage {
                 }
             }
             String imagePath = "/frame/" + imageName;
-            File file = new File(imageServerPath + imagePath).toPath().normalize().toFile(); // cf. OFBIZ-9973
+            File file = FileUtil.normalizeFilePath(imageServerPath + imagePath); // cf. OFBIZ-9973
             if (file.exists()) {
                 request.setAttribute("_ERROR_MESSAGE_", "There is an existing frame, please select from the existing frame.");
                 return "error";
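Review bot: Normalizing `imageServerPath + "/frame/" + imageName` does not confine the result to the frame directory: `Path.normalize()` only collapses `.` and `..` lexically, so an `imageName` such as `../../x` yields a normalized path that lies outside `imageServerPath`, and the `file.exists()` check then probes that location (and whatever later code does with `file` presumably follows it there). Unless `imageName` is validated before this point, which the hunk does not show, resolve it against the frame directory as a base and reject any result that does not stay under it; this needs a `java.nio.file.Path` import. The enclosing method starts and ends outside the hunk.
```java
            String imagePath = "/frame/" + imageName;
            Path frameDir = new File(imageServerPath, "frame").toPath().toAbsolutePath().normalize();
            Path target = frameDir.resolve(imageName).normalize();
            if (!target.startsWith(frameDir)) {
                request.setAttribute("_ERROR_MESSAGE_", "Invalid frame image name.");
                return "error";
            }
            File file = target.toFile(); // cf. OFBIZ-9973
            // … unchanged: existing-frame check …
```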
@@ -398,7 +399,7 @@ public class FrameImage {
                 Debug.logError("File :" + file.getName() + ", couldn't be loaded", module);
             }
             // Image Frame
-            BufferedImage bufImg1 = ImageIO.read(new File(imageServerPath + "/" + productId + "/" + imageName).toPath().normalize().toFile()); // cf. OFBIZ-9973
+            BufferedImage bufImg1 = ImageIO.read(FileUtil.normalizeFilePath(imageServerPath + "/" + productId + "/" + imageName)); // cf. OFBIZ-9973
             BufferedImage bufImg2 = ImageIO.read(new File(imageServerPath + "/frame/" + frameImageName));
 
             int bufImgType;
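Review bot: The frame image read on the line after the change, `new File(imageServerPath + "/frame/" + frameImageName)`, is left un-normalized while the product image read on the changed line goes through the new helper; if `frameImageName` can come from the request (not visible here) it should at least get the same treatment, `BufferedImage bufImg2 = ImageIO.read(FileUtil.normalizeFilePath(imageServerPath + "/frame/" + frameImageName));`. Bear in mind that normalizing on its own does not stop `productId` or `imageName` carrying `..` out of `imageServerPath`; only a `startsWith` comparison against the normalized base directory actually confines the read. The enclosing method starts and ends outside the hunk.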

Modified: ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/FileUtil.java
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/FileUtil.java?rev=1864930&r1=1864929&r2=1864930&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/FileUtil.java (original)
+++ ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/FileUtil.java Sun Aug 11 13:23:19 2019
@@ -40,12 +40,12 @@ import java.util.HashSet;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Set;
-
 import java.util.UUID;
 import java.util.zip.Deflater;
 import java.util.zip.ZipEntry;
 import java.util.zip.ZipInputStream;
 import java.util.zip.ZipOutputStream;
+
 import org.apache.commons.io.FileUtils;
 import org.apache.ofbiz.base.location.ComponentLocationResolver;
 
@@ -488,4 +488,17 @@ public final class FileUtil {
         zis.closeEntry();
         zis.close();
     }
+    
+    /**
+     * Creates a File with a normalized file path
+     * This useful to prevent path traversal security issues 
+     * cf. OFBIZ-9973 for more details 
+     *
+     * @param filePath The file path to normalize
+     * @return A File with a normalized file path
+     */
+    public static File normalizeFilePath(String filePath) {
+        return new File(filePath).toPath().normalize().toFile(); 
+    }
+    
 }
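Review bot: The Javadoc on `normalizeFilePath` overstates what the method does: `Path.normalize()` only removes redundant `.` and `..` elements lexically and never checks that the result stays under any directory, so `normalizeFilePath(base + "/" + userInput)` with `userInput = "../../etc/passwd"` still returns a `File` outside `base`. Reword it to say that it collapses `.`/`..` segments into a canonical form and that callers must still verify containment, e.g. `target.toPath().startsWith(Paths.get(base).toAbsolutePath().normalize())`. A base-aware overload next to it would give callers one safe entry point; it needs `java.nio.file.Path` and `Paths` imports, which this hunk does not show as present. The trailing whitespace on the added blank lines and after the `return` statement should also be stripped.
```java
    // … unchanged: normalizeFilePath(String) …

    /**
     * Resolves relativePath under baseDir, collapses "." and ".." segments and
     * rejects any result that does not remain inside baseDir.
     *
     * @throws IllegalArgumentException if the resolved path escapes baseDir
     */
    public static File normalizeFilePath(String baseDir, String relativePath) {
        Path base = Paths.get(baseDir).toAbsolutePath().normalize();
        Path target = base.resolve(relativePath).toAbsolutePath().normalize();
        if (!target.startsWith(base)) {
            throw new IllegalArgumentException("Path escapes base directory: " + relativePath);
        }
        return target.toFile();
    }
```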