This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release18.12
in repository
https://gitbox.apache.org/repos/asf/ofbiz-framework.gitThe following commit(s) were added to refs/heads/release18.12 by this push:
new 16ffa21 Fixed: Secure the uploads (OFBIZ-12080)
16ffa21 is described below
commit 16ffa216d9a22a02a7e846a15a3a836a0212849d
Author: Jacques Le Roux <
[hidden email]>
AuthorDate: Mon Dec 14 16:46:05 2020 +0100
Fixed: Secure the uploads (OFBIZ-12080)
Follows OWASP advice on file names:
All the control characters and Unicode ones should be removed from the filenames
and their extensions without any exception. Also, the special characters such as
“;”, “:”, “>”, “<”, “/” ,”\”, additional “.”, “*”, “%”, “$”, and so on should be
discarded as well.
If it is applicable and there is no need to have Unicode characters, it is
highly recommended to only accept Alpha-Numeric characters and only 1 dot as an
input for the file name and the extension; in which the file name and also the
extension should not be empty at all
(regular expression: [a-zA-Z0-9]{1,200}.[a-zA-Z0-9]{1,10}).
So if someone needs other chars in uploaded filenames a change will be needed
---
.../main/java/org/apache/ofbiz/security/SecuredUpload.java | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
index a8321dc..273bdf5 100644
--- a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
+++ b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
@@ -107,10 +107,24 @@ public class SecuredUpload {
if (org.apache.commons.lang3.SystemUtils.IS_OS_WINDOWS) {
if (fileToCheck.length() > 259) {
+ Debug.logError("Uploaded file name too long", MODULE);
+ return false;
+ } else if (!fileToCheck.matches("[a-zA-Z0-9]{1,249}.[a-zA-Z0-9]{1,10}")) {
+ Debug.logError("Uploaded file "
+ + " should contain only Alpha-Numeric characters, only 1 dot as an input for the file name and the extension; "
+ + "in which the file name and also the extension should not be empty at all ",
+ MODULE);
return false;
}
} else {
if (fileToCheck.length() > 4096) {
+ Debug.logError("Uploaded file name too long", MODULE);
+ return false;
+ } else if (!fileToCheck.matches("[a-zA-Z0-9]{1,4086}.[a-zA-Z0-9]{1,10}")) {
+ Debug.logError("Uploaded file "
+ + " should contain only Alpha-Numeric characters, only 1 dot as an input for the file name and the extension; "
+ + "in which the file name and also the extension should not be empty at all ",
+ MODULE);
return false;
}
}
Locked
