Posted to commits@ofbiz.apache.org by jl...@apache.org on 2022/02/27 21:09:45 UTC

[ofbiz-framework] branch release18.12 updated (06006f1 -> d89e8e2)

This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a change to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git.


    from 06006f1  Fixed: Stored XSS in webappPath parameter from content/control/EditWebSite (OFBIZ-12584)
     new 3eea7d9  Fixed: Stored XSS in webappPath parameter from content/control/EditWebSite (OFBIZ-12584)
     new d89e8e2  Fixed: Secure the uploads (OFBIZ-12080)

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 .../src/main/java/org/apache/ofbiz/content/data/DataEvents.java     | 4 ++--
 framework/security/config/security.properties                       | 2 +-
 .../main/java/org/apache/ofbiz/service/engine/EntityAutoEngine.java | 6 +++---
 3 files changed, 6 insertions(+), 6 deletions(-)

[ofbiz-framework] 01/02: Fixed: Stored XSS in webappPath parameter from content/control/EditWebSite (OFBIZ-12584)

Posted by jl...@apache.org.

jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

commit 3eea7d967d4036a22763a865e9b26aecd8c61ca7
Author: Jacques Le Roux <ja...@les7arts.com>
AuthorDate: Sun Feb 27 22:07:18 2022 +0100

    Fixed: Stored XSS in webappPath parameter from content/control/EditWebSite (OFBIZ-12584)
    
    Fixes compile issues put in with the last commit
---
 .../src/main/java/org/apache/ofbiz/content/data/DataEvents.java     | 4 ++--
 .../main/java/org/apache/ofbiz/service/engine/EntityAutoEngine.java | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/applications/content/src/main/java/org/apache/ofbiz/content/data/DataEvents.java b/applications/content/src/main/java/org/apache/ofbiz/content/data/DataEvents.java
index 1c233ca..db9d561 100644
--- a/applications/content/src/main/java/org/apache/ofbiz/content/data/DataEvents.java
+++ b/applications/content/src/main/java/org/apache/ofbiz/content/data/DataEvents.java
@@ -89,11 +89,11 @@ public class DataEvents {
         // It simply returns a blank screen.
         try {
             if (!SecuredUpload.isValidText(contentId, Collections.emptyList())) {
-                Debug.logError("================== Not saved for security reason ==================", MODULE);
+                Debug.logError("================== Not saved for security reason ==================", module);
                 return "success";
             }
         } catch (IOException e) {
-            Debug.logError("================== Not saved for security reason ==================", MODULE);
+            Debug.logError("================== Not saved for security reason ==================", module);
             return "success";
         }
 
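Review bot: The catch block discards the IOException: both the replaced and the new `Debug.logError("...", module)` lines log only the banner, so a validation failure caused by an I/O problem is indistinguishable in the log from a genuine rejection by SecuredUpload.isValidText. Consider passing `e` to the logger (the Debug.logError overload that takes the Throwable) so the cause is recorded. Separately, both branches return "success" after refusing to save, which the comment above describes as a blank screen; returning an error response instead would make the rejection visible to the caller rather than silently dropping the content. The MODULE to module rename itself is consistent with the commit message (a compile fix for this branch).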
diff --git a/framework/service/src/main/java/org/apache/ofbiz/service/engine/EntityAutoEngine.java b/framework/service/src/main/java/org/apache/ofbiz/service/engine/EntityAutoEngine.java
index cff8d9e..c1fc9b1 100644
--- a/framework/service/src/main/java/org/apache/ofbiz/service/engine/EntityAutoEngine.java
+++ b/framework/service/src/main/java/org/apache/ofbiz/service/engine/EntityAutoEngine.java
@@ -76,7 +76,7 @@ public final class EntityAutoEngine extends GenericAsyncEngine {
         if (!isValidText(parameters)) {
             return ServiceUtil.returnError("Not saved for security reason!");
         }
-        DispatchContext dctx = getDispatcher().getLocalContext(localName);
+        DispatchContext dctx = dispatcher.getLocalContext(localName);
         Locale locale = (Locale) parameters.get("locale");
         Map<String, Object> result = ServiceUtil.returnSuccess();
 
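Review bot: The switch from `getDispatcher().getLocalContext(localName)` to `dispatcher.getLocalContext(localName)` relies on the `dispatcher` field being accessible from EntityAutoEngine in this branch; nothing in the hunk shows the field's visibility, so confirm GenericAsyncEngine on release18.12 exposes it (the commit message says this fixes a compile error, which suggests the accessor does not exist here). The early return on `!isValidText(parameters)` is fine, though the generic "Not saved for security reason!" message gives an operator no indication of which parameter was rejected; logging the offending parameter name (not its value) at the point of rejection would help triage without echoing attacker-controlled content.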
@@ -591,11 +591,11 @@ public final class EntityAutoEngine extends GenericAsyncEngine {
         if (parameter != null) {
             try {
                 if (!SecuredUpload.isValidText(parameter, Collections.emptyList())) {
-                    Debug.logError("================== Not saved for security reason ==================", MODULE);
+                    Debug.logError("================== Not saved for security reason ==================", module);
                     return false;
                 }
             } catch (IOException e) {
-                Debug.logError("================== Not saved for security reason ==================", MODULE);
+                Debug.logError("================== Not saved for security reason ==================", module);
                 return false;
             }
         }
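Review bot: Same issue as in DataEvents above: the IOException from SecuredUpload.isValidText is swallowed and only the static banner is logged, so an I/O failure during validation (rather than a detected web shell token) cannot be diagnosed from the log. Suggest logging the exception alongside the message. The return false on both paths is the right fail-closed behaviour for a security check.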

[ofbiz-framework] 02/02: Fixed: Secure the uploads (OFBIZ-12080)

Posted by jl...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

commit d89e8e2789b2608e646b3511b59e3d6fe434e2a8
Author: Jacques Le Roux <ja...@les7arts.com>
AuthorDate: Sun Feb 27 21:57:38 2022 +0100

    Fixed: Secure the uploads (OFBIZ-12080)
    
    Removes <svg, replaces it by onload,build according to
    https://portswigger.net/web-security/cross-site-scripting/cheat-sheet
---
 framework/security/config/security.properties | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/framework/security/config/security.properties b/framework/security/config/security.properties
index 6a8ae69..9af00cc 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -230,7 +230,7 @@ allowAllUploads=
 #-- If you are sure you are safe for a token you can remove it, etc.
 deniedWebShellTokens=java.,beans,freemarker,<script,javascript,<body,<form,<jsp:,<c:out,taglib,<prefix,<%@ page,<?php,exec(,alert(,\
                      %eval,@eval,eval(,runtime,import,passthru,shell_exec,assert,str_rot13,system,decode,include,page ,\
-                     chmod,mkdir,fopen,fclose,new file,upload,getfilename,download,getoutputstring,readfile,iframe,object,embed,<svg ,\
+                     chmod,mkdir,fopen,fclose,new file,upload,getfilename,download,getoutputstring,readfile,iframe,object,embed,onload,build,\
                      python,perl ,/perl,ruby ,/ruby,process,function,class,InputStream,to_server,wget ,static,\
                      ifconfig,route,crontab,netstat,uname ,hostname,iptables,whoami,"cmd",*cmd|,+cmd|,=cmd|,localhost,\
                      ",","+",',','+'