OFBiz › OFBiz - Commits

[ofbiz-framework] branch release18.12 updated: Fixed: Secure the uploads (OFBIZ-12080)

_‹ Previous Topic Next Topic _›

Classic

List

Threaded

1 message

jleroux@apache.org

[ofbiz-framework] branch release18.12 updated: Fixed: Secure the uploads (OFBIZ-12080)

This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

The following commit(s) were added to refs/heads/release18.12 by this push:
new b57c563 Fixed: Secure the uploads (OFBIZ-12080)
b57c563 is described below

commit b57c563e89f1839ed79a64c08daa8f4fdd814680
Author: Jacques Le Roux <[hidden email]>
AuthorDate: Mon Dec 7 19:43:57 2020 +0100

Fixed: Secure the uploads (OFBIZ-12080)

module should be MODULE in SecuredUpload class

Improves: add adio adn video to supported file formats in security.properties
---
framework/security/config/security.properties | 16 ++++++++--------
.../java/org/apache/ofbiz/security/SecuredUpload.java | 16 ++++++++--------
2 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/framework/security/config/security.properties b/framework/security/config/security.properties
index 237b700..a5159f7 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -30,24 +30,24 @@ security.login.password.pattern=^.*(?=.{5,}).*$
security.login.password.pattern.description=loginservices.password_must_be_least_characters_long
# -- For More restrictive pattern you can use the following, no localisation-
#security.login.password.pattern=^.*(?=.{5,})(?=.*[a-zA-Z])(?=.*[!@#$%^&*]).*$
-#security.login.password.pattern.description=Your password must be 5 characters long, Only contains alphanumeric(number optional) and at least one from following special characters: !@#$%^&*.
+#security.login.password.pattern.description=Your password must be 5 characters long, Only contains alphanumeric(number optional) and at least one from following special characters: !@#$%^&*.
# Only contains alphanumeric and the following special characters: !@#$%^&*
# Contains at least 1 of the special characters in the list above
# The required special character can appear anywhere in the string (for example: !abc, a!bc, abc!)
# minimum length 5 digit.
# HELP
# Start of group
-# (
+# (
# (?=.*\d) # must contains one digit from 0-9
# (?=.*[a-z]) # must contains one lowercase characters
# (?=.*[A-Z]) # must contains one uppercase characters
# (?=.*[!@#$%^&*]) # must contains one special symbols in the list "!@#$%^&*"
# . # match anything with previous condition checking
# {5,20} # length at least 5 characters and maximum of 20
-# {5,} # minimum length 5 chars and no linitation to max length.
+# {5,} # minimum length 5 chars and no linitation to max length.
# )
# End of group
-# For further password patterns look at
+# For further password patterns look at
# http://docs.oracle.com/javase/1.4.2/docs/api/java/util/regex/Pattern.html#sum

# -- disable the account after this many logins --
@@ -149,14 +149,14 @@ security.jwt.token.expireTime=1800
# -- To make this work you also have to configure a secret key with security.token.key
security.internal.sso.enabled=false

-# -- The secret key for the JWT token signature. Read Passwords and JWT (JSON Web Tokens) usage documentation to choose the way you want to store this key
+# -- The secret key for the JWT token signature. Read Passwords and JWT (JSON Web Tokens) usage documentation to choose the way you want to store this key
security.token.key=security.token.key

-# -- List of domains or IP addresses to be checked to prevent Host Header Injection,
+# -- List of domains or IP addresses to be checked to prevent Host Header Injection,
# -- no spaces after commas,no wildcard, can be extended of course...
host-headers-allowed=localhost,127.0.0.1,demo-trunk.ofbiz.apache.org,demo-stable.ofbiz.apache.org,demo-old.ofbiz.apache.org

-# -- By default the SameSite value in SameSiteFilter is strict. This allows to change it to lax if needed
+# -- By default the SameSite value in SameSiteFilter is strict. This allows to change it to lax if needed
SameSiteCookieAttribute=

# -- Freemarker TemplateClassResolver option, see OFBIZ-11709.
@@ -168,7 +168,7 @@ SameSiteCookieAttribute=
templateClassResolver=

-#-- UPLOAD: supported file formats are *safe* PNG, GIF, TIFF, JPEG, PDF and ZIP
+#-- UPLOAD: supported file formats are *safe* PNG, GIF, TIFF, JPEG, PDF, Audio and Video and ZIP
#--
#-- No proprietary file formats (Excel, Word, etc.) are handled OOTB.
#-- They can be handled by custom projects using https://github.com/righettod/document-upload-protection:
diff --git a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
index 6247453..0751067 100644
--- a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
+++ b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
@@ -88,9 +88,9 @@ public class SecuredUpload {
// https://en.wikipedia.org/wiki/File_format
// https://en.wikipedia.org/wiki/List_of_file_signatures
// See also information in security.properties:
- // Line #-- UPLOAD: supported file formats are *safe* PNG, GIF, TIFF, JPEG, PDF and ZIP
+ // Line #-- UPLOAD: supported file formats are *safe* PNG, GIF, TIFF, JPEG, PDF, Audio and Video and ZIP

- private static final String module = SecuredUpload.class.getName();
+ private static final String MODULE = SecuredUpload.class.getName();

/**
* @param fileTocheck
@@ -173,10 +173,10 @@ public class SecuredUpload {
}
break;
}
- Debug.logError("File :" + fileTocheck + ", can't be uploaded for security reason", module);
+ Debug.logError("File :" + fileTocheck + ", can't be uploaded for security reason", MODULE);
File badFile = new File(fileTocheck);
if (!badFile.delete()) {
- Debug.logError("File :" + fileTocheck + ", couldn't be deleted", module);
+ Debug.logError("File :" + fileTocheck + ", couldn't be deleted", MODULE);
}
return false;
}
@@ -295,7 +295,7 @@ public class SecuredUpload {
}
} catch (IOException | ImageReadException | ImageWriteException e) {
safeState = false;
- Debug.logWarning(e, "Error during Image file " + fileName + " processing !", module);
+ Debug.logWarning(e, "Error during Image file " + fileName + " processing !", MODULE);
}
return safeState;
}
@@ -359,7 +359,7 @@ public class SecuredUpload {
}
} catch (Exception e) {
safeState = false;
- Debug.logError(e, "for security reason the PDF file " + file.getAbsolutePath() + "can't be uploaded !", module);
+ Debug.logError(e, "for security reason the PDF file " + file.getAbsolutePath() + "can't be uploaded !", MODULE);
}
return safeState;
}
@@ -368,7 +368,7 @@ public class SecuredUpload {
String mimeType = getMimeTypeFromFileName(fileName);
// Check for Windows executable. Neglect .bat and .ps1: https://s.apache.org/c8sim
if ("application/x-msdownload".equals(mimeType) || "application/x-ms-installer".equals(mimeType)) {
- Debug.logError("The file" + fileName + " is a Windows executable, for security reason it's not accepted :", module);
+ Debug.logError("The file" + fileName + " is a Windows executable, for security reason it's not accepted :", MODULE);
return true;
}
// Check for ELF (Linux) and scripts
@@ -376,7 +376,7 @@ public class SecuredUpload {
|| "application/x-sh".equals(mimeType)
|| "application/text/x-perl".equals(mimeType)
|| "application/text/x-python".equals(mimeType)) {
- Debug.logError("The file" + fileName + " is a Linux executable, for security reason it's not accepted :", module);
+ Debug.logError("The file" + fileName + " is a Linux executable, for security reason it's not accepted :", MODULE);
return true;
}
return false;