Posted to commits@ofbiz.apache.org by jl...@apache.org on 2020/04/05 09:41:25 UTC

[ofbiz-framework] 03/03: Fixed: Prevent Host Header Injection (CVE-2019-12425)

This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release17.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

commit 793628bb15521257a8ccdfec181daa4cdb501eea
Author: Jacques Le Roux <ja...@les7arts.com>
AuthorDate: Sat Apr 4 19:32:02 2020 +0200

    Fixed: Prevent Host Header Injection (CVE-2019-12425)
    
    (OFBIZ-11583)
    
    Conflicts handled by hand
      framework/security/config/security.properties
      framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
---
 .../src/main/java/org/apache/ofbiz/base/util/UtilMisc.java  | 13 +++++++++++++
 framework/security/config/security.properties               |  6 +++++-
 .../org/apache/ofbiz/webapp/control/RequestHandler.java     | 10 ++++++++++
 3 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilMisc.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilMisc.java
index 2be803e..0f0a4f3 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilMisc.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilMisc.java
@@ -598,6 +598,19 @@ public final class UtilMisc {
         return LocaleHolder.availableLocaleList;
     }
 
+    /** List of domains or IP addresses to be checked to prevent Host Header Injection, 
+     * no spaces after commas,no wildcard, can be extended of course... 
+     * @return List of domains or IP addresses to be checked to prevent Host Header Injection,
+     */
+    public static List<String> getHostHeadersAllowed() {
+        String hostHeadersAllowedString = UtilProperties.getPropertyValue("security", "host-headers-allowed", "localhost");
+        List<String> hostHeadersAllowed = null;
+        if (UtilValidate.isNotEmpty(hostHeadersAllowedString)) {
+            hostHeadersAllowed = StringUtil.split(hostHeadersAllowedString, ",");
+        }
+        return Collections.unmodifiableList(hostHeadersAllowed);
+    }
+
     /** @deprecated use Thread.sleep() */
     @Deprecated
     public static void staticWait(long timeout) throws InterruptedException {
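Review bot: `Collections.unmodifiableList(hostHeadersAllowed)` on the method's last line throws a NullPointerException when `host-headers-allowed` is set to an empty value, because `hostHeadersAllowed` is only assigned inside the `isNotEmpty` branch; initialise it as `List<String> hostHeadersAllowed = Collections.emptyList();` so an empty property yields an empty list instead of failing in every RequestHandler constructor. The split entries are used as-is, so a space after a comma or a differently-cased entry will never equal the server name that `doRequest` compares against; trimming each entry here (and lower-casing it with `Locale.ROOT`) would make the property less brittle. The Javadoc could read `Returns the host names or IP addresses accepted as Host header values, read from security.properties; entries are comma-separated, not trimmed, no wildcards.` and the `@return` line then needs no trailing comma.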
diff --git a/framework/security/config/security.properties b/framework/security/config/security.properties
index 5b809ff..2a044d6 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -135,6 +135,10 @@ security.login.externalLoginKey.enabled=true
 # -- Security key used to encrypt and decrypt the autogenerated password in forgot password functionality.
 login.secret_key_string=Secret Key
 
-# -- By default the SameSite value in SameSiteFilter is strict. This allows to change it ot lax if needed  
+# -- List of domains or IP addresses to be checked to prevent Host Header Injection, 
+# -- no spaces after commas,no wildcard, can be extended of course...
+host-headers-allowed=localhost,127.0.0.1,demo-trunk.ofbiz.apache.org,demo-stable.ofbiz.apache.org,demo-old.ofbiz.apache.org
+
+# -- By default the SameSite value in SameSiteFilter is strict. This allows to change it to lax if needed  
 SameSiteCookieAttribute=
 
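Review bot: The default value of `host-headers-allowed` ships the project's demo hostnames (`demo-trunk.ofbiz.apache.org` and the two others) next to `localhost`, so an installation that never overrides this property keeps accepting requests addressed to those demo names, while its own hostname is rejected until an operator edits this line. A comment making the required action explicit would help: `# -- Replace with the hostnames/IPs this instance is reachable under; a name not in this list is rejected by RequestHandler.` The two new comment lines also carry trailing whitespace, and `commas,no` is missing a space after the comma.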
diff --git a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
index 6802da1..ea0655d 100644
--- a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
+++ b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
@@ -76,6 +76,8 @@ public class RequestHandler {
     private final URL controllerConfigURL;
     private final boolean trackServerHit;
     private final boolean trackVisit;
+    private final List hostHeadersAllowed;
+    private ControllerConfig ccfg;
 
     public static RequestHandler getRequestHandler(ServletContext servletContext) {
         RequestHandler rh = (RequestHandler) servletContext.getAttribute("_REQUEST_HANDLER_");
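Review bot: `private final List hostHeadersAllowed;` is a raw type although `UtilMisc.getHostHeadersAllowed()` returns `List<String>`; declare it as `private final List<String> hostHeadersAllowed;` so the `contains` call in `doRequest` is type-checked rather than accepting any object. The new `ccfg` field is not referenced in any hunk of this commit; if it is not used elsewhere in the class it should be dropped rather than left as unused mutable state. The class body continues outside the hunk.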
@@ -100,6 +102,9 @@ public class RequestHandler {
 
         this.trackServerHit = !"false".equalsIgnoreCase(context.getInitParameter("track-serverhit"));
         this.trackVisit = !"false".equalsIgnoreCase(context.getInitParameter("track-visit"));
+        
+        hostHeadersAllowed = UtilMisc.getHostHeadersAllowed();
+
     }
 
     public ConfigXMLReader.ControllerConfig getControllerConfig() {
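Review bot: The new assignment omits the `this.` prefix that the two preceding assignments in the constructor use, the added line before it carries trailing whitespace, and the blank line after it separates nothing from the closing brace; `this.hostHeadersAllowed = UtilMisc.getHostHeadersAllowed();` placed directly after the `trackVisit` line keeps the constructor uniform. The constructor's start is outside the hunk.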
@@ -122,6 +127,11 @@ public class RequestHandler {
     public void doRequest(HttpServletRequest request, HttpServletResponse response, String chain,
             GenericValue userLogin, Delegator delegator) throws RequestHandlerException, RequestHandlerExceptionAllowExternalRequests {
 
+        if (!hostHeadersAllowed.contains(request.getServerName())) {
+            Debug.logError("Domain " + request.getServerName() + " not accepted to prevent host header injection ", module);
+            throw new RequestHandlerException("Domain " + request.getServerName() + " not accepted to prevent host header injection ");
+        }
+                
         final boolean throwRequestHandlerExceptionOnMissingLocalRequest = EntityUtilProperties.propertyValueEqualsIgnoreCase(
                 "requestHandler", "throwRequestHandlerExceptionOnMissingLocalRequest", "Y", delegator);
         long startTime = System.currentTimeMillis();
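Review bot: The allowlist check on the first added line is an exact, case-sensitive `contains`, so a request whose server name differs only in letter case from a configured entry (host names are case-insensitive) is rejected while the identically-spelled name passes; compare case-insensitively, e.g. `String serverName = request.getServerName();` followed by `if (hostHeadersAllowed.stream().noneMatch(serverName::equalsIgnoreCase)) {`, which also avoids calling `getServerName()` three times. The rejected name is an untrusted request value written verbatim into both the error log and the exception message; if that message can reach the client, keep the detail in the log line only. Both message literals end in a trailing space before the closing quote. `doRequest` continues past the hunk.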