This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

The following commit(s) were added to refs/heads/trunk by this push:
new f34a0d9 Fixed: Prevent arbitrary file write using webtools/control/EntitySQLProcessor. (OFBIZ-12057)
f34a0d9 is described below
commit f34a0d9ff584ff139b9d302ba46a6243138107c1
Author: Jacques Le Roux <[hidden email]>
AuthorDate: Mon Nov 16 14:07:58 2020 +0100
Fixed: Prevent arbitrary file write using webtools/control/EntitySQLProcessor. (OFBIZ-12057)
Shuibo Ye <[hidden email]> reported a possible arbitrary file write using
webtools/control/EntitySQLProcessor.
In the "SQL Command" part, I create a table and insert some strings and
export the table to a file one sentence at a time.
PoC: CREATE TABLE "test" (string VARCHAR(80))
INSERT INTO "test" (string) VALUES ('<%= system.getProperty("user.dir") %>')
call SYSCS_UTIL.SYSCS_EXPORT_TABLE(null,'test','.\framework\webtools\webapp\webtools\default.jsp',null,'*',null)
After executing the three sentences, I successfully write the file and its URL
is https://localhost:8443/webtools/default.jsp.
I fixed it by preventing execution of SYSCS_UTIL.SYSCS_EXPORT_TABLE and JSP; more
could be added if necessary.
---
.../webtools/groovyScripts/entity/EntitySQLProcessor.groovy | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/framework/webtools/groovyScripts/entity/EntitySQLProcessor.groovy b/framework/webtools/groovyScripts/entity/EntitySQLProcessor.groovy
index c85fed2..b5259b7 100644
--- a/framework/webtools/groovyScripts/entity/EntitySQLProcessor.groovy
+++ b/framework/webtools/groovyScripts/entity/EntitySQLProcessor.groovy
@@ -64,6 +64,15 @@ if (sqlCommand && selGroup) {
rs.close()
}
} else {
+ if (sqlCommand.toUpperCase().contains("SYSCS_UTIL.SYSCS_EXPORT_TABLE")
+ || sqlCommand.toUpperCase().contains("JSP")) {
+ context.resultMessage = "Not executed for security reason"
+ context.groups = groups
+ context.columns = columns
+ context.records = records
+ context.sqlCommand = sqlCommand
+ return
+ }
du.prepareStatement(sqlCommand)
numOfAffectedRows = du.executeUpdate()
resultMessage = "Affected $numOfAffectedRows rows."
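Review bot: the guard added at the top of the else branch is a substring denylist, and both of its halves are easy to slip past or to trip over. Matching the literal SYSCS_UTIL.SYSCS_EXPORT_TABLE does not cover Derby's companion export procedure SYSCS_UTIL.SYSCS_EXPORT_QUERY, nor a delimited spelling such as CALL "SYSCS_UTIL"."SYSCS_EXPORT_TABLE"(...), while matching JSP rejects any harmless statement whose text happens to contain those three letters and still lets the same content be written under a different file name. Since this branch only needs DDL/DML, consider allowlisting the leading statement verb (CREATE, INSERT, UPDATE, DELETE, DROP, ALTER) and refusing CALL outright, rather than enumerating procedure names. Also, the early-return path assigns context.resultMessage directly while the normal path below assigns the local resultMessage; worth confirming both reach the screen the same way.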
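Added example, not part of this commit or of the OFBiz code base: a Python sketch (the project's script is Groovy; Python is used here only so the comparison is self-contained) that places the patch's substring denylist beside a statement-verb allowlist and runs both over the report's statements plus two constructed variants. The variant inputs (a delimited-identifier spelling of the CALL and a call to SYSCS_UTIL.SYSCS_EXPORT_QUERY) are assumed, not taken from the report; the file paths and the "jsp" UPDATE are constructed sample data. The names DENYLIST_SUBSTRINGS, ALLOWED_VERBS, leading_verb, allowlist_permits and compare are this example's own.

```python
import re

# Mirrors the two substrings the patch rejects, so the two strategies can be compared.
DENYLIST_SUBSTRINGS = ("SYSCS_UTIL.SYSCS_EXPORT_TABLE", "JSP")

# Statement verbs an ad-hoc SQL console legitimately needs (assumed set). CALL is
# deliberately absent: stored procedures are the path to a file write here.
ALLOWED_VERBS = {"CREATE", "ALTER", "DROP", "INSERT", "UPDATE", "DELETE", "TRUNCATE"}

# Leading whitespace, '--' line comments and '/* */' block comments before the verb.
_LEADING_NOISE = re.compile(r"^(?:\s+|--[^\n]*\n|/\*.*?\*/)+", re.S)


def substring_denylist_blocks(sql: str) -> bool:
    """The patch's check: case-insensitive substring match on two strings."""
    upper = sql.upper()
    return any(needle in upper for needle in DENYLIST_SUBSTRINGS)


def leading_verb(sql: str) -> str:
    """First keyword of the statement, ignoring leading whitespace and SQL comments."""
    stripped = _LEADING_NOISE.sub("", sql)
    match = re.match(r"[A-Za-z]+", stripped)
    return match.group(0).upper() if match else ""


def allowlist_permits(sql: str) -> bool:
    """Allow only known DDL/DML verbs and refuse stacked statements outright.
    A ';' inside a string literal is refused too, which errs on the safe side."""
    if ";" in sql:
        return False
    return leading_verb(sql) in ALLOWED_VERBS


# Constructed inputs: the report's CALL, two variants the substring check does not
# match (assumed to be valid Derby syntax), a benign UPDATE that merely contains the
# letters "jsp", and the report's INSERT (data only; the file write is the sink).
POC_EXPORT = ("call SYSCS_UTIL.SYSCS_EXPORT_TABLE(null,'test',"
              r"'.\framework\webtools\webapp\webtools\default.jsp',null,'*',null)")
VARIANT_QUOTED = ('CALL "SYSCS_UTIL"."SYSCS_EXPORT_TABLE"'
                  "(null,'test','out.txt',null,'*',null)")
VARIANT_QUERY = ("call SYSCS_UTIL.SYSCS_EXPORT_QUERY"
                 "('select * from \"test\"','out.txt',null,'*',null)")
HARMLESS_UPDATE = 'UPDATE "test" SET string = \'jsp\' WHERE string IS NULL'
POC_INSERT = ('INSERT INTO "test" (string) VALUES '
              "('<%= system.getProperty(\"user.dir\") %>')")

SAMPLES = {
    "poc_export": POC_EXPORT,
    "variant_quoted": VARIANT_QUOTED,
    "variant_query": VARIANT_QUERY,
    "harmless_update": HARMLESS_UPDATE,
    "poc_insert": POC_INSERT,
}


def compare(samples=SAMPLES):
    """For each sample: (does the denylist block it?, does the allowlist permit it?)."""
    return {name: (substring_denylist_blocks(sql), allowlist_permits(sql))
            for name, sql in samples.items()}


if __name__ == "__main__":
    for name, (blocked, permitted) in compare().items():
        print(f"{name:16} denylist blocks={blocked!s:5} allowlist permits={permitted}")
```

Running it shows the gap in one table: the denylist stops only the exact CALL from the report and wrongly stops the harmless UPDATE, while the two variants pass; the allowlist refuses every CALL regardless of spelling and leaves ordinary DDL/DML, including the INSERT carrying JSP text, untouched. The verb check is deliberately crude (no full SQL parse); its safety comes from refusing anything it does not recognise, which is the opposite default from the patch.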