Posted to commits@ofbiz.apache.org by jl...@apache.org on 2021/09/13 07:30:38 UTC
[ofbiz-framework] 02/02: Fixed: Found a new XXE (XML External
Entity Injection) vulnerability in EntityImport (OFBIZ-12304)
This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
commit 7a22a2bfc9e3fdb80a49b9ccf7de441f46d43e2c
Author: Jacques Le Roux <ja...@les7arts.com>
AuthorDate: Mon Sep 13 08:13:55 2021 +0200
Fixed: Found a new XXE (XML External Entity Injection) vulnerability in EntityImport (OFBIZ-12304)
The XXE vulnerability can read arbitrary files on the server.
Thanks: thiscodecc for reporting this security issue (post-auth)
---
.../java/org/apache/ofbiz/base/util/UtilValidate.java | 18 ++++++++++++++++--
.../org/apache/ofbiz/webtools/WebToolsServices.java | 5 +++++
2 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilValidate.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilValidate.java
index bf37d93..8117565 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilValidate.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilValidate.java
@@ -620,8 +620,9 @@ public final class UtilValidate {
return true;
}
- /** isUrl returns true if the string contains ://
- * @param s String to validate
+ /**
+ * isUrl returns true if the string contains ://
+ * @param s String to validate Note: this does not handle "component://" specific to OFBiz
* @return true if s contains ://
*/
public static boolean isUrl(String s) {
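Review bot: The new caveat is appended to the `@param s` tag at the end of the hunk's Javadoc, where tools render it as part of the parameter description rather than as a method-level note. Keep the tag to its parameter and state the limitation in the description, e.g. `* isUrl returns true if the string contains ://`, `* Note: this does not special-case "component://", the OFBiz-specific scheme; see urlInString for that.`, then `* @param s String to validate` on its own line. The body of isUrl continues outside this hunk.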
@@ -632,6 +633,18 @@ public final class UtilValidate {
}
/**
+ * urlInString returns true if the string contains :// and not "component://"
+ * @param s String to validate
+ * @return true if s contains :// and not "component://"
+ */
+ public static boolean urlInString(String s) {
+ if (isEmpty(s) || s.contains("component://")) {
+ return false;
+ }
+ return s.indexOf("://") != -1;
+ }
+
+ /**
* isValidUrl returns true if the string is a valid URL (using Commons UrlValidator)
* @param s String to validate
* @return true if s contains if the string is a valid URL (using Commons UrlValidator)
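Review bot: The guard in urlInString is bypassable: `s.contains("component://")` returns false for the whole string, so a payload that carries an external entity such as `SYSTEM "http://attacker/x"` together with any unrelated `component://` token anywhere in the text passes the check and reaches the parser. If the intent is "contains some `://` that is not `component://`", drop the prefix occurrences before testing, e.g. `return s.replace("component://", "").contains("://");`, and say so in the Javadoc. More fundamentally this is a substring blocklist in front of an XML parser; the robust fix for an XXE is to configure that parser to reject DTDs and external entities (`http://apache.org/xml/features/disallow-doctype-decl`, external-general/parameter-entities off), which is outside this hunk but worth a follow-up, since the string check also cannot distinguish a harmless `http://` inside element text from a SYSTEM identifier.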
@@ -643,6 +656,7 @@ public final class UtilValidate {
return UrlValidator.getInstance().isValid(s);
}
+
/** isYear returns true if string s is a valid
* Year number. Must be 2 or 4 digits only.
* For Year 2000 compliance, you are advised
diff --git a/framework/webtools/src/main/java/org/apache/ofbiz/webtools/WebToolsServices.java b/framework/webtools/src/main/java/org/apache/ofbiz/webtools/WebToolsServices.java
index 5339e0f..aa12650 100644
--- a/framework/webtools/src/main/java/org/apache/ofbiz/webtools/WebToolsServices.java
+++ b/framework/webtools/src/main/java/org/apache/ofbiz/webtools/WebToolsServices.java
@@ -145,6 +145,11 @@ public class WebToolsServices {
// #############################
// FM Template
// #############################
+ if (UtilValidate.urlInString(fulltext)) {
+ Debug.logError("For security reason HTTP URLs are not accepted, see OFBIZ-12304", MODULE);
+ Debug.logInfo("Rather load your data from a file", MODULE);
+ return null;
+ }
if (UtilValidate.isNotEmpty(fmfilename) && (UtilValidate.isNotEmpty(fulltext) || url != null)) {
File fmFile = new File(fmfilename);
if (!fmFile.exists()) {
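Review bot: The rejection path added at the top of this hunk returns `null` after logging, which the caller of this service cannot distinguish from a missing result; if this method returns an OFBiz service result Map (the enclosing method starts outside the hunk, so this is inferred), the conventional form is `return ServiceUtil.returnError("For security reason URLs are not accepted in the supplied text, see OFBIZ-12304");` so the user sees the reason rather than a silent failure. The log message also says "HTTP URLs" while `urlInString` matches any `://` scheme, including `file://`, so the wording should say "URLs" generally. Note that only `fulltext` is screened here; whatever the `url` parameter is later fed to is not covered by this check and presumably relies on the parser configuration instead — worth confirming.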