[ofbiz-framework] branch release18.12 updated: Fixed: Secure the uploads (OFBIZ-12080)


[ofbiz-framework] branch release18.12 updated: Fixed: Secure the uploads (OFBIZ-12080)

jleroux@apache.org
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release18.12 by this push:
     new e3c2741  Fixed: Secure the uploads (OFBIZ-12080)
e3c2741 is described below

commit e3c274128b9e447dc34f7114c91ad2098a683422
Author: Jacques Le Roux <[hidden email]>
AuthorDate: Mon Dec 14 19:00:37 2020 +0100

    Fixed: Secure the uploads (OFBIZ-12080)
   
    According to https://s.apache.org/rpzog, adds a few, possibly redundant, Java
    API/method names found in webshell or similar source code
---
 .../main/java/org/apache/ofbiz/security/SecuredUpload.java | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
index 273bdf5..d9c0952 100644
--- a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
+++ b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
@@ -111,8 +111,8 @@ public class SecuredUpload {
                 return false;
             } else if (!fileToCheck.matches("[a-zA-Z0-9]{1,249}.[a-zA-Z0-9]{1,10}")) {
                 Debug.logError("Uploaded file "
-                        + " should contain only Alpha-Numeric characters, only 1 dot as an input for the file name and the extension; "
-                        + "in which the file name and also the extension should not be empty at all  ",
+                        + " should contain only Alpha-Numeric characters, only 1 dot as an input for the file name and the extension."
+                        + "The file name and the extension should not be empty at all",
                         MODULE);
                 return false;
             }
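Review bot: The rewritten message on the first `+` line ends with `extension.` and the next fragment starts directly with `The file name`, so the logged text reads `...extension.The file name...` with no space; the same join appears in the second hunk, where the fragment additionally reads `Tthe`. Changing the second fragment to `+ " The file name and the extension should not be empty at all"` in both places fixes it. Separately, the context regex `[a-zA-Z0-9]{1,249}.[a-zA-Z0-9]{1,10}` uses an unescaped `.`, which matches any single character rather than the one literal dot the message describes, so a name such as `foo%bar` passes; `[a-zA-Z0-9]{1,249}\\.[a-zA-Z0-9]{1,10}` would enforce what the message states, and the `{1,4086}` variant in the second hunk has the same issue. The enclosing method starts and ends outside the hunk.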
@@ -122,8 +122,8 @@ public class SecuredUpload {
                 return false;
             } else if (!fileToCheck.matches("[a-zA-Z0-9]{1,4086}.[a-zA-Z0-9]{1,10}")) {
                 Debug.logError("Uploaded file "
-                        + " should contain only Alpha-Numeric characters, only 1 dot as an input for the file name and the extension; "
-                        + "in which the file name and also the extension should not be empty at all  ",
+                        + " should contain only Alpha-Numeric characters, only 1 dot as an input for the file name and the extension."
+                        + "Tthe file name and the extension should not be empty at all",
                         MODULE);
                 return false;
             }
@@ -619,6 +619,12 @@ public class SecuredUpload {
                 || content.toLowerCase().contains("mkdir")
                 || content.toLowerCase().contains("fopen")
                 || content.toLowerCase().contains("fclose")
+                || content.toLowerCase().contains("new file")
+                || content.toLowerCase().contains("import")
+                || content.toLowerCase().contains("upload")
+                || content.toLowerCase().contains("getFileName")
+                || content.toLowerCase().contains("Download")
+                || content.toLowerCase().contains("getOutputString")
                 || content.toLowerCase().contains("readfile"));
         // TODO.... to be continued with known webshell contents... a complete allow list is impossible anyway...
         // eg: https://www.acunetix.com/blog/articles/detection-prevention-introduction-web-shells-part-5/
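Review bot: Three of the added checks can never match: `content` is lowercased before each `contains`, but the needles `"getFileName"`, `"Download"` and `"getOutputString"` keep upper-case letters, so those lines are dead code and the patterns they were meant to flag pass through. Lowercase the needles — `"getfilename"`, `"download"`, `"getoutputstring"` — or lowercase `content` once into a local with `Locale.ROOT` and compare every needle against that, which also avoids recomputing `toLowerCase()` for each term. Note too that `"import"` and `"upload"` are common words in legitimate text, so this denylist will likely reject benign files; that trade-off deserves a sentence next to the existing TODO comment. The enclosing boolean expression starts before the hunk and the method continues after it.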