[ofbiz-framework] branch trunk updated: Fixed: Secure the uploads (OFBIZ-12080)

This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/trunk by this push:
     new 179dd24  Fixed: Secure the uploads (OFBIZ-12080)
179dd24 is described below

commit 179dd2411abdbcda82242266e794abbc20e07720
Author: Jacques Le Roux <[hidden email]>
AuthorDate: Mon Dec 14 16:46:05 2020 +0100

    Fixed: Secure the uploads (OFBIZ-12080)
   
    Follows OWASP advice on file names:
   
    All the control characters and Unicode ones should be removed from the filenames
    and their extensions without any exception. Also, the special characters such as
    “;”, “:”, “>”, “<”, “/” ,”\”, additional “.”, “*”, “%”, “$”, and so on should be
    discarded as well.
   
    If it is applicable and there is no need to have Unicode characters, it is
    highly recommended to only accept Alpha-Numeric characters and only 1 dot as an
    input for the file name and the extension; in which the file name and also the
    extension should not be empty at all
    (regular expression: [a-zA-Z0-9]{1,200}.[a-zA-Z0-9]{1,10}).
   
    So if someone needs other chars in uploaded filenames a change will be needed
---
 .../main/java/org/apache/ofbiz/security/SecuredUpload.java | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
index a8321dc..273bdf5 100644
--- a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
+++ b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
@@ -107,10 +107,24 @@ public class SecuredUpload {
 
         if (org.apache.commons.lang3.SystemUtils.IS_OS_WINDOWS) {
             if (fileToCheck.length() > 259) {
+                Debug.logError("Uploaded file name too long", MODULE);
+                return false;
+            } else if (!fileToCheck.matches("[a-zA-Z0-9]{1,249}.[a-zA-Z0-9]{1,10}")) {
+                Debug.logError("Uploaded file "
+                        + " should contain only Alpha-Numeric characters, only 1 dot as an input for the file name and the extension; "
+                        + "in which the file name and also the extension should not be empty at all  ",
+                        MODULE);
                 return false;
             }
         } else {
             if (fileToCheck.length() > 4096) {
+                Debug.logError("Uploaded file name too long", MODULE);
+                return false;
+            } else if (!fileToCheck.matches("[a-zA-Z0-9]{1,4086}.[a-zA-Z0-9]{1,10}")) {
+                Debug.logError("Uploaded file "
+                        + " should contain only Alpha-Numeric characters, only 1 dot as an input for the file name and the extension; "
+                        + "in which the file name and also the extension should not be empty at all  ",
+                        MODULE);
                 return false;
             }
         }