This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release18.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git The following commit(s) were added to refs/heads/release18.12 by this push: new 03e17a0 Fixed: Secure the uploads (OFBIZ-12080) 03e17a0 is described below commit 03e17a0f824b2a2f810cdc12cb96433204ded849 Author: Jacques Le Roux <[hidden email]> AuthorDate: Wed Dec 2 09:53:23 2020 +0100 Fixed: Secure the uploads (OFBIZ-12080) validateUploadedFile() fixes another case reported in August by Harshit Conflicts handled by hand applications/content/src/main/java/org/apache/ofbiz/content/ContentManagementServices.java --- .../ofbiz/content/ContentManagementServices.java | 71 ++++++++++++++++------ 1 file changed, 52 insertions(+), 19 deletions(-) diff --git a/applications/content/src/main/java/org/apache/ofbiz/content/ContentManagementServices.java b/applications/content/src/main/java/org/apache/ofbiz/content/ContentManagementServices.java index f6a5eb6..6c0cc6b 100644 --- a/applications/content/src/main/java/org/apache/ofbiz/content/ContentManagementServices.java +++ b/applications/content/src/main/java/org/apache/ofbiz/content/ContentManagementServices.java @@ -18,6 +18,8 @@ *******************************************************************************/ package org.apache.ofbiz.content; +import java.io.File; +import java.io.IOException; import java.math.BigDecimal; import java.nio.ByteBuffer; import java.sql.Timestamp; @@ -29,6 +31,7 @@ import java.util.Locale; import java.util.Map; import java.util.Set; +import org.apache.commons.imaging.ImageReadException; import org.apache.ofbiz.base.util.Debug; import org.apache.ofbiz.base.util.StringUtil; import org.apache.ofbiz.base.util.UtilDateTime; @@ -259,7 +262,7 @@ public class ContentManagementServices { } // Do update and create permission checks on Content if warranted. - context.put("skipPermissionCheck", null); // Force check here + context.put("skipPermissionCheck", null); // Force check here boolean contentExists = true; if (Debug.infoOn()) { Debug.logInfo("in persist... contentTypeId:" + contentTypeId + " dataResourceTypeId:" + dataResourceTypeId + " contentId:" + contentId + " dataResourceId:" + dataResourceId, module); @@ -270,7 +273,9 @@ public class ContentManagementServices { } else { try { GenericValue val = EntityQuery.use(delegator).from("Content").where("contentId", contentId).queryOne(); - if (val == null) contentExists = false; + if (val == null) { + dataResourceExists = false; + } } catch (GenericEntityException e) { return ServiceUtil.returnError(e.toString()); } @@ -400,9 +405,8 @@ public class ContentManagementServices { } /** - Service for update publish sites with a ContentRole that will tie them to the passed - in party. - */ + * Service for update publish sites with a ContentRole that will tie them to the passed in party. + */ public static Map<String, Object> updateSiteRoles(DispatchContext dctx, Map<String, ? extends Object> context) { LocalDispatcher dispatcher = dctx.getDispatcher(); Delegator delegator = dctx.getDelegator(); @@ -531,17 +535,24 @@ public class ContentManagementServices { return result; } - public static Map<String, Object> persistDataResourceAndDataMethod(DispatchContext dctx, Map<String, ? extends Object> rcontext) throws GenericServiceException, GenericEntityException, Exception { - Delegator delegator = dctx.getDelegator(); - LocalDispatcher dispatcher = dctx.getDispatcher(); - Map<String, Object> context = UtilMisc.makeMapWritable(rcontext); - Map<String, Object> result = new HashMap<String, Object>(); - Map<String, Object> newDrContext = new HashMap<String, Object>(); - GenericValue dataResource = delegator.makeValue("DataResource"); - dataResource.setPKFields(context); - dataResource.setNonPKFields(context); - dataResource.setAllFields(context, false, "dr", null); - context.putAll(dataResource); + public static Map<String, Object> persistDataResourceAndDataMethod(DispatchContext dctx, Map<String, ? extends Object> rcontext) + throws GenericServiceException, GenericEntityException { + Delegator delegator = dctx.getDelegator(); + LocalDispatcher dispatcher = dctx.getDispatcher(); + Map<String, Object> context = UtilMisc.makeMapWritable(rcontext); + + String errorMessage = validateUploadedFile(dctx, context); + if (errorMessage != null) { + return ServiceUtil.returnError(errorMessage); + } + + Map<String, Object> result = new HashMap<>(); + Map<String, Object> newDrContext = new HashMap<>(); + GenericValue dataResource = delegator.makeValue("DataResource"); + dataResource.setPKFields(context); + dataResource.setNonPKFields(context); + dataResource.setAllFields(context, false, "dr", null); + context.putAll(dataResource); GenericValue electronicText = delegator.makeValue("ElectronicText"); electronicText.setPKFields(context); @@ -747,7 +758,7 @@ public class ContentManagementServices { } else { if (fromDate != null) { // for now, will assume that any error is due to non-existence - ignore - //return ServiceUtil.returnError(e.toString()); + // return ServiceUtil.returnError(e.toString()); try { Debug.logInfo("updateSiteRoles, serviceContext(2):" + serviceContext, module); Map<String, Object> newContext = new HashMap<String, Object>(); @@ -979,7 +990,6 @@ public class ContentManagementServices { return result; } - /** * This service changes the contentTypeId of the current content and its children depending on the pageMode. * if pageMode == "outline" then if the contentTypeId of children is not "OUTLINE_NODE" or "PAGE_NODE" @@ -1518,7 +1528,9 @@ public class ContentManagementServices { } return result; } - public static Map<String, Object> followNodeChildrenMethod(GenericValue content, LocalDispatcher dispatcher, String serviceName, Map<String, Object> context) throws GenericEntityException, GenericServiceException { + + public static Map<String, Object> followNodeChildrenMethod(GenericValue content, LocalDispatcher dispatcher, String serviceName, + Map<String, Object> context) throws GenericEntityException, GenericServiceException { Map<String, Object> result = null; String contentId = content.getString("contentId"); List<String> contentAssocTypeIdList = UtilGenerics.checkList(context.get("contentAssocTypeIdList")); @@ -1616,4 +1628,25 @@ public class ContentManagementServices { return result; } + + private static String validateUploadedFile(DispatchContext dctx, Map<String, ? extends Object> context) { + Delegator delegator = dctx.getDelegator(); + Locale locale = (Locale) context.get("locale"); + String objectInfo = (String) context.get("objectInfo"); + String errorMessage = null; + if (!UtilValidate.isEmpty(objectInfo)) { + File file = new File(objectInfo); + if (file.isFile()) { + try { + if (!org.apache.ofbiz.security.SecuredUpload.isValidFile(objectInfo, "All", delegator)) { + errorMessage = UtilProperties.getMessage("SecurityUiLabels", "SupportedFileFormatsIncludingSvg", locale); + } + } catch (ImageReadException | IOException e) { + errorMessage = UtilProperties.getMessage(RESOURCE, "ContentUnableToOpenFileForWriting", UtilMisc.toMap("fileName", + objectInfo), locale); + } + } + } + return errorMessage; + } } |
Free forum by Nabble | Edit this page |