This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git The following commit(s) were added to refs/heads/trunk by this push: new 1e3148c Fixed: Secure the uploads (OFBIZ-12080) 1e3148c is described below commit 1e3148c3a86e382406b2893cac24ddd11442124f Author: Jacques Le Roux <[hidden email]> AuthorDate: Fri Apr 16 09:22:45 2021 +0200 Fixed: Secure the uploads (OFBIZ-12080) Reopened after report of a bug (only on *nix systems) by Shrilesh Korgaonkar. This fixes the issue Thanks: Shrilesh Korgaonkar --- .../org/apache/ofbiz/security/SecuredUpload.java | 27 +++++++++++----------- 1 file changed, 14 insertions(+), 13 deletions(-) diff --git a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java index 95c562d..904b64c 100644 --- a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java +++ b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java @@ -116,29 +116,30 @@ public class SecuredUpload { } else if (p.toString().contains(imageServerUrl.replaceAll("/", "\\\\"))) { if (file.matches("[a-zA-Z0-9-_ ()]{1,249}.[a-zA-Z0-9-_ ]{1,10}")) { // "(" and ")" for duplicates files wrongFile = false; - } else if (!file.matches("[a-zA-Z0-9-_ ]{1,249}.[a-zA-Z0-9-_ ]{1,10}")) { - wrongFile = false; } + } else if (file.matches("[a-zA-Z0-9-_ ]{1,249}.[a-zA-Z0-9-_ ]{1,10}")) { + wrongFile = false; } - } else { + } else { // Suppose a *nix system if (fileToCheck.length() > 4096) { Debug.logError("Uploaded file name too long", MODULE); return false; } else if (p.toString().contains(imageServerUrl)) { if (file.matches("[a-zA-Z0-9-_ ()]{1,4086}.[a-zA-Z0-9-_ ]{1,10}")) { // "(" and ")" for duplicates files wrongFile = false; - } else if (!file.matches("[a-zA-Z0-9-_ ]{1,4086}.[a-zA-Z0-9-_ ]{1,10}")) { - wrongFile = false; } + } else if (file.matches("[a-zA-Z0-9-_ ]{1,4086}.[a-zA-Z0-9-_ ]{1,10}")) { + wrongFile = false; } - if (wrongFile) { - Debug.logError("Uploaded file " - + " should contain only Alpha-Numeric characters, hyphen, underscore and spaces," - + " only 1 dot as an input for the file name and the extension." - + "The file name and extension should not be empty at all", - MODULE); - return false; - } + } + + if (wrongFile) { + Debug.logError("Uploaded file " + + " should contain only Alpha-Numeric characters, hyphen, underscore and spaces," + + " only 1 dot as an input for the file name and the extension." + + "The file name and extension should not be empty at all", + MODULE); + return false; } if (isExecutable(fileToCheck)) { |
Free forum by Nabble | Edit this page |