[ofbiz-framework] branch release17.12 updated: Fixed: Secure the uploads (OFBIZ-12080)


[ofbiz-framework] branch release17.12 updated: Fixed: Secure the uploads (OFBIZ-12080)

jleroux@apache.org
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release17.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release17.12 by this push:
     new 717bd4b  Fixed: Secure the uploads (OFBIZ-12080)
717bd4b is described below

commit 717bd4ba43807ee20eafbe1d44b048b3d4f7b20c
Author: Jacques Le Roux <[hidden email]>
AuthorDate: Fri Apr 16 09:22:45 2021 +0200

    Fixed: Secure the uploads (OFBIZ-12080)
   
    Reopened after report of a bug (only on *nix systems) by Shrilesh Korgaonkar.
    This fixes the issue
   
    Thanks: Shrilesh Korgaonkar
---
 .../org/apache/ofbiz/security/SecuredUpload.java   | 27 +++++++++++-----------
 1 file changed, 14 insertions(+), 13 deletions(-)

diff --git a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
index deecdbe..3253b8b 100644
--- a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
+++ b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
@@ -116,29 +116,30 @@ public class SecuredUpload {
             } else if (p.toString().contains(imageServerUrl.replaceAll("/", "\\\\"))) {
                 if (file.matches("[a-zA-Z0-9-_ ()]{1,249}.[a-zA-Z0-9-_ ]{1,10}")) { // "(" and ")" for duplicates files
                     wrongFile = false;
-                } else if (!file.matches("[a-zA-Z0-9-_ ]{1,249}.[a-zA-Z0-9-_ ]{1,10}")) {
-                    wrongFile = false;
                 }
+            } else if (file.matches("[a-zA-Z0-9-_ ]{1,249}.[a-zA-Z0-9-_ ]{1,10}")) {
+                wrongFile = false;
             }
-        } else {
+        } else { // Suppose a *nix system
             if (fileToCheck.length() > 4096) {
                 Debug.logError("Uploaded file name too long", MODULE);
                 return false;
             } else if (p.toString().contains(imageServerUrl)) {
                 if (file.matches("[a-zA-Z0-9-_ ()]{1,4086}.[a-zA-Z0-9-_ ]{1,10}")) { // "(" and ")" for duplicates files
                     wrongFile = false;
-                } else if (!file.matches("[a-zA-Z0-9-_ ]{1,4086}.[a-zA-Z0-9-_ ]{1,10}")) {
-                    wrongFile = false;
                 }
+            } else if (file.matches("[a-zA-Z0-9-_ ]{1,4086}.[a-zA-Z0-9-_ ]{1,10}")) {
+                wrongFile = false;
             }
-            if (wrongFile) {
-                Debug.logError("Uploaded file "
-                        + " should contain only Alpha-Numeric characters, hyphen, underscore and spaces,"
-                        + " only 1 dot as an input for the file name and the extension."
-                        + "The file name and extension should not be empty at all",
-                        MODULE);
-                return false;
-            }
+        }
+
+        if (wrongFile) {
+            Debug.logError("Uploaded file "
+                    + " should contain only Alpha-Numeric characters, hyphen, underscore and spaces,"
+                    + " only 1 dot as an input for the file name and the extension."
+                    + "The file name and extension should not be empty at all",
+                    MODULE);
+            return false;
         }
 
         if (isExecutable(fileToCheck)) {
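Review bot: The `.` between the name and extension parts is unescaped in all four filename patterns (the two added `else if` branches and the two unchanged image-server branches), so it matches any single character rather than a literal dot. The allow-list therefore does not enforce the "only 1 dot" rule that the error message states: a name with no dot at all, or with some other character in the separator position, still sets `wrongFile = false`. Escape the dot in each pattern, for example `file.matches("[a-zA-Z0-9-_ ]{1,4086}\\.[a-zA-Z0-9-_ ]{1,10}")`. The enclosing method starts and ends outside the hunk, so how `file` is derived from `fileToCheck` cannot be checked from here.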