OFBiz › OFBiz - Commits

[ofbiz-framework] branch trunk updated (ba548f6 -> ba707d4)

_‹ Previous Topic Next Topic _›

Classic

List

Threaded

4 messages Options

jleroux@apache.org

[ofbiz-framework] branch trunk updated (ba548f6 -> ba707d4)

This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a change to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git.

from ba548f6 Merge branch 'JacquesLeRoux-POC-for-CSRF-Token-OFBIZ-11306' into trunk Because of GitHub message on PR56: This branch cannot be rebased due to conflicts
new e0f0d52 Fixed: Prevent Host Header Injection (CVE-2019-12425)
new 05354b7 Improved: prevent [rawtypes] found raw type: List at RequestHandler.java:89
new ba707d4 Implemented: POC for CSRF Token (OFBIZ-11306)

The 3 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.

Summary of changes:
.../src/main/java/org/apache/ofbiz/base/util/UtilMisc.java | 13 +++++++++++++
framework/security/config/security.properties | 13 ++++++++++---
.../src/main/java/org/apache/ofbiz/security/CsrfUtil.java | 2 +-
.../org/apache/ofbiz/webapp/control/RequestHandler.java | 11 ++++++++++-
4 files changed, 34 insertions(+), 5 deletions(-)

jleroux@apache.org

[ofbiz-framework] 01/03: Fixed: Prevent Host Header Injection (CVE-2019-12425)

This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

commit e0f0d5271a0443fe97fe11368df327e2c734604a
Author: Jacques Le Roux <[hidden email]>
AuthorDate: Sat Apr 4 19:32:02 2020 +0200

Fixed: Prevent Host Header Injection (CVE-2019-12425)

(OFBIZ-11583)
---
.../src/main/java/org/apache/ofbiz/base/util/UtilMisc.java | 13 +++++++++++++
framework/security/config/security.properties | 4 ++++
.../org/apache/ofbiz/webapp/control/RequestHandler.java | 9 +++++++++
3 files changed, 26 insertions(+)

diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilMisc.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilMisc.java
index a1b703e..644bcf6 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilMisc.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilMisc.java
@@ -604,6 +604,19 @@ public final class UtilMisc {
return LocaleHolder.availableLocaleList;
}

+ /** List of domains or IP addresses to be checked to prevent Host Header Injection,
+ * no spaces after commas,no wildcard, can be extended of course...
+ * @return List of domains or IP addresses to be checked to prevent Host Header Injection,
+ */
+ public static List<String> getHostHeadersAllowed() {
+ String hostHeadersAllowedString = UtilProperties.getPropertyValue("security", "host-headers-allowed", "localhost");
+ List<String> hostHeadersAllowed = null;
+ if (UtilValidate.isNotEmpty(hostHeadersAllowedString)) {
+ hostHeadersAllowed = StringUtil.split(hostHeadersAllowedString, ",");
+ }
+ return Collections.unmodifiableList(hostHeadersAllowed);
+ }
+
/** @deprecated use Thread.sleep() */
@Deprecated
public static void staticWait(long timeout) throws InterruptedException {
diff --git a/framework/security/config/security.properties b/framework/security/config/security.properties
index e019061..d71f7db 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -152,6 +152,10 @@ security.internal.sso.enabled=false
# -- The secret key for the JWT token signature. Read Passwords and JWT (JSON Web Tokens) usage documentation to choose the way you want to store this key
security.token.key=security.token.key

+# -- List of domains or IP addresses to be checked to prevent Host Header Injection,
+# -- no spaces after commas,no wildcard, can be extended of course...
+host-headers-allowed=localhost,127.0.0.1,demo-trunk.ofbiz.apache.org,demo-stable.ofbiz.apache.org,demo-old.ofbiz.apache.org
+
# -- By default the SameSite value in SameSiteFilter is strict. This allows to change it to lax if needed
SameSiteCookieAttribute=

diff --git a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
index b18fa8d..a6075a8 100644
--- a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
+++ b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
@@ -86,6 +86,7 @@ public class RequestHandler {
private final URL controllerConfigURL;
private final boolean trackServerHit;
private final boolean trackVisit;
+ private final List hostHeadersAllowed;
private ControllerConfig ccfg;

public static RequestHandler getRequestHandler(ServletContext servletContext) {
@@ -111,6 +112,9 @@ public class RequestHandler {

this.trackServerHit = !"false".equalsIgnoreCase(context.getInitParameter("track-serverhit"));
this.trackVisit = !"false".equalsIgnoreCase(context.getInitParameter("track-visit"));
+
+ hostHeadersAllowed = UtilMisc.getHostHeadersAllowed();
+
}

public ConfigXMLReader.ControllerConfig getControllerConfig() {
@@ -209,6 +213,11 @@ public class RequestHandler {
public void doRequest(HttpServletRequest request, HttpServletResponse response, String chain,
GenericValue userLogin, Delegator delegator) throws RequestHandlerException, RequestHandlerExceptionAllowExternalRequests {

+ if (!hostHeadersAllowed.contains(request.getServerName())) {
+ Debug.logError("Domain " + request.getServerName() + " not accepted to prevent host header injection ", module);
+ throw new RequestHandlerException("Domain " + request.getServerName() + " not accepted to prevent host header injection ");
+ }
+
final boolean throwRequestHandlerExceptionOnMissingLocalRequest = EntityUtilProperties.propertyValueEqualsIgnoreCase(
"requestHandler", "throwRequestHandlerExceptionOnMissingLocalRequest", "Y", delegator);
long startTime = System.currentTimeMillis();

jleroux@apache.org

[ofbiz-framework] 02/03: Improved: prevent [rawtypes] found raw type: List at RequestHandler.java:89

In reply to this post by jleroux@apache.org

jleroux@apache.org

[ofbiz-framework] 03/03: Implemented: POC for CSRF Token (OFBIZ-11306)

In reply to this post by jleroux@apache.org