Posted to commits@ofbiz.apache.org by jl...@apache.org on 2020/04/05 09:41:25 UTC
[ofbiz-framework] 03/03: Fixed: Prevent Host Header Injection
(CVE-2019-12425)
This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release17.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
commit 793628bb15521257a8ccdfec181daa4cdb501eea
Author: Jacques Le Roux <ja...@les7arts.com>
AuthorDate: Sat Apr 4 19:32:02 2020 +0200
Fixed: Prevent Host Header Injection (CVE-2019-12425)
(OFBIZ-11583)
Conflicts handled by hand
framework/security/config/security.properties
framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
---
.../src/main/java/org/apache/ofbiz/base/util/UtilMisc.java | 13 +++++++++++++
framework/security/config/security.properties | 6 +++++-
.../org/apache/ofbiz/webapp/control/RequestHandler.java | 10 ++++++++++
3 files changed, 28 insertions(+), 1 deletion(-)
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilMisc.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilMisc.java
index 2be803e..0f0a4f3 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilMisc.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilMisc.java
@@ -598,6 +598,19 @@ public final class UtilMisc {
return LocaleHolder.availableLocaleList;
}
+ /** List of domains or IP addresses to be checked to prevent Host Header Injection,
+ * no spaces after commas,no wildcard, can be extended of course...
+ * @return List of domains or IP addresses to be checked to prevent Host Header Injection,
+ */
+ public static List<String> getHostHeadersAllowed() {
+ String hostHeadersAllowedString = UtilProperties.getPropertyValue("security", "host-headers-allowed", "localhost");
+ List<String> hostHeadersAllowed = null;
+ if (UtilValidate.isNotEmpty(hostHeadersAllowedString)) {
+ hostHeadersAllowed = StringUtil.split(hostHeadersAllowedString, ",");
+ }
+ return Collections.unmodifiableList(hostHeadersAllowed);
+ }
+
/** @deprecated use Thread.sleep() */
@Deprecated
public static void staticWait(long timeout) throws InterruptedException {
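Review bot: `getHostHeadersAllowed()` throws a NullPointerException when the property resolves to an empty string, because `hostHeadersAllowed` stays `null` on that path and is then passed to `Collections.unmodifiableList`. Initialising it as `List<String> hostHeadersAllowed = Collections.emptyList();` removes the crash and makes an empty configuration mean "no host accepted", which is the safer failure mode for a check that gates every request. The Javadoc should also state that a missing property falls back to `localhost` only, since that default is what callers will observe, and the `@return` line is currently a copy of the summary with a dangling comma.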
diff --git a/framework/security/config/security.properties b/framework/security/config/security.properties
index 5b809ff..2a044d6 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -135,6 +135,10 @@ security.login.externalLoginKey.enabled=true
# -- Security key used to encrypt and decrypt the autogenerated password in forgot password functionality.
login.secret_key_string=Secret Key
-# -- By default the SameSite value in SameSiteFilter is strict. This allows to change it ot lax if needed
+# -- List of domains or IP addresses to be checked to prevent Host Header Injection,
+# -- no spaces after commas,no wildcard, can be extended of course...
+host-headers-allowed=localhost,127.0.0.1,demo-trunk.ofbiz.apache.org,demo-stable.ofbiz.apache.org,demo-old.ofbiz.apache.org
+
+# -- By default the SameSite value in SameSiteFilter is strict. This allows to change it to lax if needed
SameSiteCookieAttribute=
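Review bot: The shipped default for `host-headers-allowed` includes the three `demo-*.ofbiz.apache.org` names, so any deployment that keeps this file unchanged accepts requests carrying those hostnames as well as its own; the comment should tell operators to replace the list with the hostnames their instance is actually served under. It should also say what happens when a hostname is not listed, since with the matching change in RequestHandler every request for an unlisted name is rejected, which is an easy way to lock a new installation out. A minor wording fix: `commas,no wildcard` is missing a space after the comma.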
diff --git a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
index 6802da1..ea0655d 100644
--- a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
+++ b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
@@ -76,6 +76,8 @@ public class RequestHandler {
private final URL controllerConfigURL;
private final boolean trackServerHit;
private final boolean trackVisit;
+ private final List hostHeadersAllowed;
+ private ControllerConfig ccfg;
public static RequestHandler getRequestHandler(ServletContext servletContext) {
RequestHandler rh = (RequestHandler) servletContext.getAttribute("_REQUEST_HANDLER_");
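Review bot: `private final List hostHeadersAllowed;` is a raw type even though `UtilMisc.getHostHeadersAllowed()` returns `List<String>`; declaring it as `private final List<String> hostHeadersAllowed;` keeps the element type the getter already guarantees. The new `private ControllerConfig ccfg;` field is not assigned or read by any other hunk in this diff, so as far as this commit shows it is an always-null field that should either be dropped or assigned in the constructor. getRequestHandler's body continues outside the hunk.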
@@ -100,6 +102,9 @@ public class RequestHandler {
this.trackServerHit = !"false".equalsIgnoreCase(context.getInitParameter("track-serverhit"));
this.trackVisit = !"false".equalsIgnoreCase(context.getInitParameter("track-visit"));
+
+ hostHeadersAllowed = UtilMisc.getHostHeadersAllowed();
+
}
public ConfigXMLReader.ControllerConfig getControllerConfig() {
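Review bot: The new assignment is written as `hostHeadersAllowed = UtilMisc.getHostHeadersAllowed();` while the two preceding lines in the same constructor use the `this.` prefix; `this.hostHeadersAllowed = UtilMisc.getHostHeadersAllowed();` keeps the constructor consistent. The surrounding blank lines added at lines 73 and 75 can go as well. The constructor starts outside the hunk.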
@@ -122,6 +127,11 @@ public class RequestHandler {
public void doRequest(HttpServletRequest request, HttpServletResponse response, String chain,
GenericValue userLogin, Delegator delegator) throws RequestHandlerException, RequestHandlerExceptionAllowExternalRequests {
+ if (!hostHeadersAllowed.contains(request.getServerName())) {
+ Debug.logError("Domain " + request.getServerName() + " not accepted to prevent host header injection ", module);
+ throw new RequestHandlerException("Domain " + request.getServerName() + " not accepted to prevent host header injection ");
+ }
+
final boolean throwRequestHandlerExceptionOnMissingLocalRequest = EntityUtilProperties.propertyValueEqualsIgnoreCase(
"requestHandler", "throwRequestHandlerExceptionOnMissingLocalRequest", "Y", delegator);
long startTime = System.currentTimeMillis();
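Review bot: The allow-list check on line 81 is an exact, case-sensitive `contains`, but DNS names are case-insensitive, so a request for `LOCALHOST` is rejected while `localhost` is accepted, and the server name is read three times in a row. Reading it once and comparing case-insensitively, `String serverName = request.getServerName();` followed by `if (hostHeadersAllowed.stream().noneMatch(serverName::equalsIgnoreCase)) {`, fixes both and lets the log and exception messages reuse `serverName`. Since that value is derived from the client-supplied Host header, it is untrusted input that is being written verbatim into the error log; stripping CR/LF before logging keeps a rejected request from forging additional log lines. doRequest's body continues outside the hunk.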