[ofbiz-framework] branch trunk updated (c164494 -> 100810f)

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

[ofbiz-framework] branch trunk updated (c164494 -> 100810f)

jleroux@apache.org
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a change to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git.


    from c164494  Fixed: Make locale available for DateFindField and DateTimeField macros (OFBIZ-12086)
     new 4481f37  Fixed: Secure the uploads (OFBIZ-12080)
     new b549b9a  Fixed: Label issue on List Companies page (OFBIZ-12023)
     new fdeedf2  Improved: Adds the HTML <input> accept Attribute in form widgets and Freemaker templates (OFBIZ-12049)
     new 100810f  Fixed: Secure the uploads (OFBIZ-12080)

The 4 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 applications/accounting/widget/GlSetupForms.xml    |  8 +-
 .../content/template/website/WebSiteCMSContent.ftl | 19 ++++-
 .../datamodel/data/seed/ContentSeedData.xml        | 15 +++-
 framework/security/config/security.properties      |  2 +-
 .../org/apache/ofbiz/security/SecuredUpload.java   | 96 +++++++++++++++++-----
 5 files changed, 108 insertions(+), 32 deletions(-)

Reply | Threaded
Open this post in threaded view
|

[ofbiz-framework] 01/04: Fixed: Secure the uploads (OFBIZ-12080)

jleroux@apache.org
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

commit 4481f373ca45514c1e6fb86f1f1d2c6204f7a65a
Author: Jacques Le Roux <[hidden email]>
AuthorDate: Sun Dec 6 18:47:12 2020 +0100

    Fixed: Secure the uploads (OFBIZ-12080)
   
    Handles audio and video formats supported by Tika.
   
    Adds few new audio and video formats in seed data.
   
    AFAIK there are no ways to embed a webshell in an audio or video file. So I did
    not sophisticate the validation, just rely on Tika.
   
    I have also fixed bugs in SecuredUpload: in isValidSvgFile and
    isValidImageIncludingSvgFile
---
 .../datamodel/data/seed/ContentSeedData.xml        | 10 ++-
 .../org/apache/ofbiz/security/SecuredUpload.java   | 94 +++++++++++++++++-----
 2 files changed, 82 insertions(+), 22 deletions(-)

diff --git a/applications/datamodel/data/seed/ContentSeedData.xml b/applications/datamodel/data/seed/ContentSeedData.xml
index fcaa664..54472c1 100644
--- a/applications/datamodel/data/seed/ContentSeedData.xml
+++ b/applications/datamodel/data/seed/ContentSeedData.xml
@@ -405,10 +405,15 @@ under the License.
 
     <!-- audio mime types -->
     <MimeType mimeTypeId="audio/basic" description="Basic Audio"/>
-    <MimeType mimeTypeId="audio/mpeg" description="MPEG Audio"/>
+    <MimeType mimeTypeId="audio/mpeg" description="MP3 Audio"/>
+    <MimeType mimeTypeId="audio/mp4" description="MP4 Audio"/>
     <MimeType mimeTypeId="audio/x-ms-wax" description="WAX Audio"/>
-    <MimeType mimeTypeId="audio/ogg" description="OGG Audio"/>
     <MimeType mimeTypeId="audio/wav" description="WAV Audio"/>
+    <MimeType mimeTypeId="audio/ogg" description="OGG Audio"/>
+    <MimeType mimeTypeId="audio/x-ogg" description="OGG Audio"/>
+    <MimeType mimeTypeId="audio/vorbis" description="Vorbis Audio"/>
+    <MimeType mimeTypeId="audio/x-flac" description="FLAC Audio"/>
+    <MimeType mimeTypeId="audio/flac" description="FLAC Audio"/>
 
     <!-- image mime types -->
     <MimeType mimeTypeId="image/jpeg" description="JPEG/JPG Image"/>
@@ -465,6 +470,7 @@ under the License.
     <MimeType mimeTypeId="video/x-ms-wm" description="WM Video"/>
     <MimeType mimeTypeId="video/x-ms-wmv" description="WMV Video"/>
     <MimeType mimeTypeId="video/x-ms-wmx" description="WMX Video"/>
+    <MimeType mimeTypeId="video/3gpp" description="3GP Mobile Video"/>
 
     <FileExtension fileExtensionId="asf" mimeTypeId="video/x-ms-asf"/>
     <FileExtension fileExtensionId="asx" mimeTypeId="video/x-ms-asf"/>
diff --git a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
index 4650dfd..e233228 100644
--- a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
+++ b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
@@ -151,15 +151,23 @@ public class SecuredUpload {
             }
             break;
 
-        // case "Audio": TODO if needed
-        // break;
-        // case "Video": TODO if needed
-        // break;
+        case "Audio":
+            if (isValidAudioFile(fileTocheck)) {
+                return true;
+            }
+            break;
+        case "Video":
+            if (isValidVideoFile(fileTocheck)) {
+                return true;
+            }
+            break;
 
         default: // All
             if (isValidTextFile(fileTocheck)
                     || isValidImageIncludingSvgFile(fileTocheck)
                     || isValidCompressedFile(fileTocheck, delegator)
+                    || isValidAudioFile(fileTocheck)
+                    || isValidVideoFile(fileTocheck)
                     || isValidPdfFile(fileTocheck)) {
                 return true;
             }
@@ -299,14 +307,7 @@ public class SecuredUpload {
      * @throws IOException ImageReadException
      */
     private static boolean isValidImageIncludingSvgFile(String fileName) throws ImageReadException, IOException {
-        Path filePath = Paths.get(fileName);
-        byte[] bytesFromFile = Files.readAllBytes(filePath);
-        ImageFormat imageFormat = Imaging.guessFormat(bytesFromFile);
-        return imageFormat.equals(ImageFormats.PNG)
-                || imageFormat.equals(ImageFormats.GIF)
-                || imageFormat.equals(ImageFormats.TIFF)
-                || imageFormat.equals(ImageFormats.JPEG)
-                || isValidSvgFile(fileName);
+        return isValidImageFile(fileName) || isValidSvgFile(fileName);
     }
 
     /**
@@ -316,15 +317,19 @@ public class SecuredUpload {
      * @throws IOException
      */
     private static boolean isValidSvgFile(String fileName) throws IOException {
-        Path filePath = Paths.get(fileName);
-        String parser = XMLResourceDescriptor.getXMLParserClassName();
-        SAXSVGDocumentFactory f = new SAXSVGDocumentFactory(parser);
-        try {
-            f.createDocument(filePath.toUri().toString());
-        } catch (IOException e) {
-            return false;
+        String mimeType = getMimeTypeFromFileName(fileName);
+        if ("image/svg+xml".equals(mimeType)) {
+            Path filePath = Paths.get(fileName);
+            String parser = XMLResourceDescriptor.getXMLParserClassName();
+            SAXSVGDocumentFactory f = new SAXSVGDocumentFactory(parser);
+            try {
+                f.createDocument(filePath.toUri().toString());
+            } catch (IOException e) {
+                return false;
+            }
+            return isValidTextFile(fileName); // Validate content to prevent webshell
         }
-        return isValidTextFile(fileName);
+        return false;
     }
 
     /**
@@ -501,6 +506,55 @@ public class SecuredUpload {
     }
 
     /**
+     * Is this a valid Audio file?
+     * @param fileName must be an UTF-8 encoded text file
+     * @return true if it's a valid Audio file?
+     * @throws IOException
+     */
+    private static boolean isValidAudioFile(String fileName) throws IOException {
+        String mimeType = getMimeTypeFromFileName(fileName);
+        if ("audio/basic".equals(mimeType)
+                || "audio/wav".equals(mimeType)
+                || "audio/x-ms-wax".equals(mimeType)
+                || "audio/mpeg".equals(mimeType)
+                || "audio/mp4".equals(mimeType)
+                || "audio/ogg".equals(mimeType)
+                || "audio/vorbis".equals(mimeType)
+                || "audio/x-ogg".equals(mimeType)
+                || "audio/flac".equals(mimeType)
+                || "audio/x-flac".equals(mimeType)) {
+            return true;
+        }
+        Debug.logError("The file" + fileName + " is not a valid audio file, for security reason it's not accepted :", MODULE);
+        return false;
+    }
+
+    /**
+     * Is this a valid Audio file?
+     * @param fileName must be an UTF-8 encoded text file
+     * @return true if it's a valid Audio file?
+     * @throws IOException
+     */
+    private static boolean isValidVideoFile(String fileName) throws IOException {
+        String mimeType = getMimeTypeFromFileName(fileName);
+        if ("video/avi".equals(mimeType)
+                || "video/mpeg".equals(mimeType)
+                || "video/mp4".equals(mimeType)
+                || "video/quicktime".equals(mimeType)
+                || "video/3gpp".equals(mimeType)
+                || "video/x-ms-asf".equals(mimeType)
+                || "video/x-flv".equals(mimeType)
+                || "video/x-ms-wvx".equals(mimeType)
+                || "video/x-ms-wm".equals(mimeType)
+                || "video/x-ms-wmv".equals(mimeType)
+                || "video/x-ms-wmx".equals(mimeType)) {
+            return true;
+        }
+        Debug.logError("The file" + fileName + " is not a valid video file, for security reason it's not accepted :", MODULE);
+        return false;
+    }
+
+    /**
      * Does this text file contains a Freemarker Server-Side Template Injection (SSTI) using freemarker.template.utility.Execute? Etc.
      * @param fileName must be an UTF-8 encoded text file
      * @return true if the text file does not contains a Freemarker SSTI

Reply | Threaded
Open this post in threaded view
|

[ofbiz-framework] 02/04: Fixed: Label issue on List Companies page (OFBIZ-12023)

jleroux@apache.org
In reply to this post by jleroux@apache.org
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

commit b549b9aa1947981d7ac9040efb9bc9ce95354e74
Author: Jacques Le Roux <[hidden email]>
AuthorDate: Sun Dec 6 19:06:26 2020 +0100

    Fixed: Label issue on List Companies page (OFBIZ-12023)
   
    Navigate to URL: 'accounting/control/ListCompanies'
    Under the companies list, the 2nd column has button for account
    The System is not showing proper label in French.
   
    This issue is occurring due to the hyperlink title is not supporting character
    encoding for special characters. Please track progress under OFBIZ-12026.
---
 applications/accounting/widget/GlSetupForms.xml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/applications/accounting/widget/GlSetupForms.xml b/applications/accounting/widget/GlSetupForms.xml
index f4a66e3..6b3ebf6 100644
--- a/applications/accounting/widget/GlSetupForms.xml
+++ b/applications/accounting/widget/GlSetupForms.xml
@@ -18,7 +18,7 @@ specific language governing permissions and limitations
 under the License.
 -->
 
-<forms xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+<forms xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns="http://ofbiz.apache.org/Widget-Form" xsi:schemaLocation="http://ofbiz.apache.org/Widget-Form http://ofbiz.apache.org/dtds/widget-form.xsd">
 
     <form name="ListCompanies" type="list" title="Internal Organizations" list-name="parties"
@@ -30,7 +30,7 @@ under the License.
             </hyperlink>
         </field>
         <field name="accounting" title=" " use-when="hasBasicPermission" widget-style="buttontext">
-            <hyperlink description="${uiLabelMap.AccountingAccounting}" target="PartyAccountsSummary">
+            <hyperlink description="${uiLabelMap.AccountingAccounting}" target="PartyAccountsSummary" target-type="plain">
                 <parameter param-name="organizationPartyId" from-field="partyId"/>
             </hyperlink>
         </field>
@@ -375,7 +375,7 @@ under the License.
         </field>
         <field name="errorGlJournalId" tooltip="${groovy: import org.apache.ofbiz.base.util.UtilProperties;
             if((partyAcctgPreference==null&amp;&amp;aggregatedPartyAcctgPreference!= null&amp;&amp;aggregatedPartyAcctgPreference.get('errorGlJournalId')!=null) ||
-            (partyAcctgPreference!=null&amp;&amp;partyAcctgPreference.get('errorGlJournalId')==null&amp;&amp;aggregatedPartyAcctgPreference!= null&amp;&amp;aggregatedPartyAcctgPreference.get('errorGlJournalId')!=null))return
+            (partyAcctgPreference!=null&amp;&amp;partyAcctgPreference.get('errorGlJournalId')==null&amp;&amp;aggregatedPartyAcctgPreference!= null&amp;&amp;aggregatedPartyAcctgPreference.get('errorGlJournalId')!=null))return
             (UtilProperties.getMessage('AccountingUiLabels', 'AccountingInheritedValue', locale))}">
             <drop-down allow-empty="true">
                 <entity-options entity-name="GlJournal" key-field-name="glJournalId" description="${glJournalName} [${glJournalId}]">
@@ -1188,7 +1188,7 @@ under the License.
         <field name="glAccountClassId"><display-entity entity-name="GlAccountClass" key-field-name="glAccountClassId"/></field>
         <field name="glResourceTypeId"><display-entity entity-name="GlResourceType" key-field-name="glResourceTypeId"/></field>
         <field name="glXbrlClassId"><display-entity entity-name="GlXbrlClass" key-field-name="glXbrlClassId"/></field>
-        <field name="parentGlAccountId"><display-entity entity-name="GlAccount" key-field-name="glAccountId" description="${parentGlAccountId}"/></field>            
+        <field name="parentGlAccountId"><display-entity entity-name="GlAccount" key-field-name="glAccountId" description="${parentGlAccountId}"/></field>
         <field name="accountCode" ><display-entity entity-name="GlAccount" key-field-name="glAccountId" description="${accountCode}"/></field>
         <field name="accountName" ><display-entity entity-name="GlAccount" key-field-name="glAccountId" description="${accountName}"/></field>
         <field name="description"><display description="${description}"/></field>

Reply | Threaded
Open this post in threaded view
|

[ofbiz-framework] 03/04: Improved: Adds the HTML <input> accept Attribute in form widgets and Freemaker templates (OFBIZ-12049)

jleroux@apache.org
In reply to this post by jleroux@apache.org
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

commit fdeedf23ee8fb9d9eec45925f044252be153c7ff
Author: Jacques Le Roux <[hidden email]>
AuthorDate: Mon Dec 7 15:08:55 2020 +0100

    Improved: Adds the HTML <input> accept Attribute in form widgets and Freemaker templates (OFBIZ-12049)
   
    As explained at
    https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes/accept
    this is only an help for the users (ie not a security feature), but an
    appreciable one easy to implement.
   
    Here we start with website/WebSiteCMSContent.ftl
    Also add some missing file extensions
---
 .../content/template/website/WebSiteCMSContent.ftl    | 19 +++++++++++++++----
 applications/datamodel/data/seed/ContentSeedData.xml  |  5 +++++
 2 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/applications/content/template/website/WebSiteCMSContent.ftl b/applications/content/template/website/WebSiteCMSContent.ftl
index 67b3df9..7a81a5c 100644
--- a/applications/content/template/website/WebSiteCMSContent.ftl
+++ b/applications/content/template/website/WebSiteCMSContent.ftl
@@ -333,7 +333,18 @@
               <td class="label">${uiLabelMap.CommonUpload}</td>
               <td>
                 <input type="hidden" name="isUploadObject" value="Y"/>
-                <input type="file" name="uploadedFile" size="30"/>
+                <#if dataResourceTypeId == 'IMAGE_OBJECT'>
+                    <input type="file" name="uploadedFile" size="30" accept=".png,.gif,.jpg,.jpeg,.tiff,.tif"/>
+                </#if>
+                <#if dataResourceTypeId == 'VIDEO_OBJECT'>
+                    <input type="file" name="uploadedFile" size="30" accept=".mpeg,.mpg,.mp4,.m4v,.mov,.qt,.asf,.avi,.asx,.asf,.flv,.wvx,.wm,.wmv,.wmx,.avi"/>
+                </#if>
+                <#if dataResourceTypeId == 'AUDIO_OBJECT'>
+                    <input type="file" name="uploadedFile" size="30" accept=".mp3,.ogg,.vorbis,.flac,.wav"/>
+                </#if>
+                <#if dataResourceTypeId == 'OTHER_OBJECT' || dataResourceTypeId == 'LOCAL_FILE' || dataResourceTypeId == 'OFBIZ_FILE' >
+                    <input type="file" name="uploadedFile" size="30"/>
+                </#if>
               </td>
             </tr>
           <#elseif (dataResourceTypeId == 'URL_RESOURCE')>
@@ -354,9 +365,9 @@
             <tr>
               <td colspan="2">
                 <div id="editorcontainer" class="nocolumns">
-                    <textarea name="textData" id="cmseditor" style="margin: 0; width: 100%; border: 1px solid black;">                    
+                    <textarea name="textData" id="cmseditor" style="margin: 0; width: 100%; border: 1px solid black;">
                         <#if (dataText?has_content)>
-                          ${StringUtil.wrapString(dataText.textData!)}
+                          ${StringUtil.wrapString(dataText.textData!)}
                         </#if>
                     </textarea>
                 </div>
@@ -370,4 +381,4 @@
           </tr>
         </table>
     </form>
-</#if>
\ No newline at end of file
+</#if>
diff --git a/applications/datamodel/data/seed/ContentSeedData.xml b/applications/datamodel/data/seed/ContentSeedData.xml
index 54472c1..aae7cb3 100644
--- a/applications/datamodel/data/seed/ContentSeedData.xml
+++ b/applications/datamodel/data/seed/ContentSeedData.xml
@@ -509,8 +509,13 @@ under the License.
     <FileExtension fileExtensionId="vcf" mimeTypeId="text/x-vcard"/>
     <FileExtension fileExtensionId="wav" mimeTypeId="audio/wav"/>
     <FileExtension fileExtensionId="mpeg" mimeTypeId="audio/mpeg"/>
+    <FileExtension fileExtensionId="mp3" mimeTypeId="audio/mpeg"/>
+    <FileExtension fileExtensionId="mp4" mimeTypeId="audio/mpeg"/>
     <FileExtension fileExtensionId="ogg" mimeTypeId="audio/ogg"/>
+    <FileExtension fileExtensionId="flac" mimeTypeId="audio/flac"/>
+    <FileExtension fileExtensionId="vorbis" mimeTypeId="audio/ogg"/>
     <FileExtension fileExtensionId="dflt" mimeTypeId="application/octet-stream"/>
+    <FileExtension fileExtensionId="3gp" mimeTypeId="video/3gpp"/>
     
 
     <!-- Registered MIME Types:

Reply | Threaded
Open this post in threaded view
|

[ofbiz-framework] 04/04: Fixed: Secure the uploads (OFBIZ-12080)

jleroux@apache.org
In reply to this post by jleroux@apache.org
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

commit 100810faeb603183643734f5efbec52e2398d7bd
Author: Jacques Le Roux <[hidden email]>
AuthorDate: Mon Dec 7 19:48:36 2020 +0100

    Fixed: Secure the uploads (OFBIZ-12080)
   
    Adds audio and video as supported formats
---
 framework/security/config/security.properties                           | 2 +-
 .../security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/framework/security/config/security.properties b/framework/security/config/security.properties
index c904be3..43ede04 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -200,7 +200,7 @@ csrf.defense.strategy=
 templateClassResolver=
 
 
-#-- UPLOAD: supported file formats are *safe* PNG, GIF, TIFF, JPEG, PDF and ZIP
+#-- UPLOAD: supported file formats are *safe* PNG, GIF, TIFF, JPEG, PDF, Audio and Video and ZIP
 #--
 #-- No proprietary file formats (Excel, Word, etc.) are handled OOTB.
 #-- They can be handled by custom projects using  https://github.com/righettod/document-upload-protection:
diff --git a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
index e233228..0751067 100644
--- a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
+++ b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
@@ -88,7 +88,7 @@ public class SecuredUpload {
     // https://en.wikipedia.org/wiki/File_format
     // https://en.wikipedia.org/wiki/List_of_file_signatures
     // See also information in security.properties:
-    // Line #-- UPLOAD: supported file formats are *safe* PNG, GIF, TIFF, JPEG, PDF and ZIP
+    // Line #-- UPLOAD: supported file formats are *safe* PNG, GIF, TIFF, JPEG, PDF, Audio and Video and ZIP
 
     private static final String MODULE = SecuredUpload.class.getName();