This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release17.12
in repository
https://gitbox.apache.org/repos/asf/ofbiz-framework.gitThe following commit(s) were added to refs/heads/release17.12 by this push:
new 6bf7856 Improved: Prevent possible post-auth RCE from webtools/control/ProgramExport (OFBIZ-12055)
6bf7856 is described below
commit 6bf785654a1fa4ad6611736195d9a113844a850b
Author: Jacques Le Roux <
[hidden email]>
AuthorDate: Fri Nov 13 09:34:49 2020 +0100
Improved: Prevent possible post-auth RCE from webtools/control/ProgramExport (OFBIZ-12055)
This was reported to the security team by Shuibo Ye <
[hidden email]>.
We did not create a CVE because it's a post-auth "vulnerability"
Thanks: Shuibo Ye
---
framework/webtools/groovyScripts/entity/ProgramExport.groovy | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/framework/webtools/groovyScripts/entity/ProgramExport.groovy b/framework/webtools/groovyScripts/entity/ProgramExport.groovy
index d1e59eb..41d29e6 100644
--- a/framework/webtools/groovyScripts/entity/ProgramExport.groovy
+++ b/framework/webtools/groovyScripts/entity/ProgramExport.groovy
@@ -46,7 +46,7 @@ EntityFindOptions findOptions = new EntityFindOptions()
findOptions.setMaxRows(3)
List products = delegator.findList("Product", null, null, null, findOptions, false)
-if (products != null) {
+if (products != null) {
recordValues.addAll(products)
}
@@ -73,6 +73,13 @@ def shell = new GroovyShell(loader, binding, configuration)
if (UtilValidate.isNotEmpty(groovyProgram)) {
try {
+ // TODO more can be added...
+ if (groovyProgram.contains("new File")
+ || groovyProgram.contains(".jsp")
+ || groovyProgram.contains("<%=")) {
+ request.setAttribute("_ERROR_MESSAGE_", "Not executed for security reason")
+ return
+ }
shell.parse(groovyProgram)
shell.evaluate(groovyProgram)
recordValues = shell.getVariable("recordValues")
@@ -93,5 +100,5 @@ if (UtilValidate.isNotEmpty(groovyProgram)) {
} catch(Exception e) {
request.setAttribute("_ERROR_MESSAGE_", e)
return
- }
+ }
}