This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a change to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git. from fe845e6 Fixed: Show WorkEffort names in FindWorkEffort page (OFBIZ-12253) new a99cbb5 Fixed: XSS vulnerability for ListWorkEfforts form (OFBIZ-12254) If `sanitizer.enable` is turned off, `ListWorkEfforts` form will be vulnerable to XSS attack, because of incomplete escaping. new 4bab66e Fixed: Unexpected decoding of url encoded textarea data after submission (OFBIZ-12249) The 2 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference. Summary of changes: .../java/org/apache/ofbiz/base/util/UtilHttp.java | 53 +++++++++++++++++++++- .../org/apache/ofbiz/base/util/UtilValidate.java | 13 ++++++ .../template/macro/HtmlFormMacroLibrary.ftl | 4 +- 3 files changed, 67 insertions(+), 3 deletions(-) |
This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git commit a99cbb53782cc5fd209184a2ef1031d150c43e0d Author: Jacques Le Roux <[hidden email]> AuthorDate: Wed Jun 9 10:51:34 2021 +0200 Fixed: XSS vulnerability for ListWorkEfforts form (OFBIZ-12254) If `sanitizer.enable` is turned off, `ListWorkEfforts` form will be vulnerable to XSS attack, because of incomplete escaping. Steps to reproduce: 1. Turn off `sanitizer.enable` in owasp.properties 2. Create a WorkEffort entity with name as `<script>alert(1)</script>` 3. Go to page: http://localhost:8080/workeffort/control/FindWorkEffort 4. Search for "Work Effort Name" which contains "script" Thanks: Xin Wang
--- themes/common-theme/template/macro/HtmlFormMacroLibrary.ftl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/themes/common-theme/template/macro/HtmlFormMacroLibrary.ftl b/themes/common-theme/template/macro/HtmlFormMacroLibrary.ftl
index 22a912e..0c852d6 100644
--- a/themes/common-theme/template/macro/HtmlFormMacroLibrary.ftl
+++ b/themes/common-theme/template/macro/HtmlFormMacroLibrary.ftl
@@ -743,7 +743,7 @@ Parameter: delegatorName, String, optional - name of the delegator in context.
 data-dialog-url="${linkUrl}"
 <#if text?has_content>data-dialog-title="${text}"</#if>
 <#if linkStyle?has_content>class="${linkStyle}"</#if>>
- <#if description?has_content>${description}</#if></a>
+ <#if description?has_content>${description?html}</#if></a>
 <#else>
 <a <#if linkStyle?has_content && (description?has_content || imgSrc?has_content)>class="${linkStyle}"</#if>
 href="${linkUrl}"<#if targetWindow?has_content> target="${targetWindow}"</#if>
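Review bot: `?html` is now applied to `${description}` in both hunks (line 743 here and line 751 in the next hunk), but the neighbouring interpolations in the same `<a>` are still emitted raw: `data-dialog-title="${text}"`, `title="${title}"` and `alt="${alternate}"` are attribute values, and `${linkUrl}`/`${imgSrc}` go into `href`/`src`. If any of those can carry entity data the way `description` does, the incomplete escaping the commit message describes is only partly closed once `sanitizer.enable` is off; `data-dialog-title="${text?html}"` and `alt="${alternate?html}" title="${title?html}"` would bring the attribute values in line, while `href`/`src` need a URL-level check rather than `?html`, which does not neutralise a non-http scheme. The enclosing macro starts before the first hunk and ends at `</#macro>` in the second.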
@@ -751,6 +751,6 @@ Parameter: delegatorName, String, optional - name of the delegator in context.
 <#if confirmation?has_content> data-confirm-message="${confirmation}"</#if>
 <#if id?has_content> id="${id}"</#if>
 <#if imgSrc?length == 0 && title?has_content> title="${title}"</#if>>
- <#if imgSrc?has_content><img src="${imgSrc}" alt="${alternate}" title="${title}"/></#if>${description}</a>
+ <#if imgSrc?has_content><img src="${imgSrc}" alt="${alternate}" title="${title}"/></#if>${description?html}</a>
 </#if>
 </#macro> |
This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git commit 4bab66e5016c1dd758127bb9d5b5a4e136d03773 Author: Jacques Le Roux <[hidden email]> AuthorDate: Wed Jun 9 10:57:51 2021 +0200 Fixed: Unexpected decoding of url encoded textarea data after submission (OFBIZ-12249) When trying to add a note to WorkEffort entity, I found that URL encoded characters are unescaped, which is not expected. e.g.: 1. Go to page: https://demo-trunk.ofbiz.apache.org/workeffort/control/EditWorkEffortNotes?workEffortId=TASK01 2. Add a note with content: https://example.com/a%20link 3. After submission, it will turned to be: https://example.com/a link Thanks: Xin Wang for report and exchanges until solution I provided
--- .../java/org/apache/ofbiz/base/util/UtilHttp.java | 53 +++++++++++++++++++++- .../org/apache/ofbiz/base/util/UtilValidate.java | 13 ++++++ 2 files changed, 65 insertions(+), 1 deletion(-)
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java
index addcca8..6f040b4 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java
@@ -42,6 +42,7 @@ import java.nio.ByteBuffer;
 import java.nio.charset.Charset;
 import java.sql.Timestamp;
 import java.time.LocalDateTime;
+import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.Collections;
@@ -60,6 +61,8 @@ import java.util.StringTokenizer;
 import java.util.TimeZone;
 import java.util.function.Function;
 import java.util.function.Predicate;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
@@ -401,7 +404,30 @@ public final class UtilHttp {
 public static Map<String, Object> canonicalizeParameterMap(Map<String, Object> paramMap) {
 for (Map.Entry<String, Object> paramEntry : paramMap.entrySet()) {
 if (paramEntry.getValue() instanceof String) {
- paramEntry.setValue(canonicalizeParameter((String) paramEntry.getValue()));
+ String paramEntries = (String) paramEntry.getValue();
+ String[] stringValues = paramEntries.split(" ");
+ String params = "";
+ // Handles textareas, see OFBIZ-12249
+ if (stringValues.length > 0) {
+ for (String s : stringValues) {
+ // if the string contains only an URL beginning by http or ftp => no change to keep special chars
+ if (UtilValidate.isValidUrl(s) && (s.indexOf("://") == 4 || s.indexOf("://") == 3)) {
+ params = params + s + " " ;
+ } else if (UtilValidate.isUrl(s) && !s.isEmpty()) {
+ // if the string contains not only an URL => concatenate possible canonicalized before and after, w/o changing the URL
+ String url = extractUrls(s).get(0); // THere should be only 1 URL in a block, makes no sense else
+ int start = s.indexOf(url);
+ String after = (String) s.subSequence(start + url.length(), s.length());
+ params = params + canonicalizeParameter((String) s.subSequence(0, start)) + url + canonicalizeParameter(after) + " ";
+ } else {
+ // Simple string to canonicalize
+ params = params + canonicalizeParameter(s) + " ";
+ }
+ }
+ paramEntry.setValue(params.trim());
+ } else {
+ paramEntry.setValue(canonicalizeParameter(paramEntries));
+ }
 } else if (paramEntry.getValue() instanceof Collection<?>) {
 List<String> newList = new LinkedList<>();
 for (String listEntry : UtilGenerics.<Collection<String>>cast(paramEntry.getValue())) {
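Review bot: `extractUrls(s).get(0)` in the `else if` branch is unguarded, and it runs on every request parameter token that contains `://` but fails the first condition, so any token the regex does not recognise turns into an IndexOutOfBoundsException thrown out of request canonicalization. Ordinary input gets there: UrlValidator's default instance rejects hosts without a public TLD, and the pattern in extractUrls also requires a dotted host, so — if I read the pattern correctly — a note containing `http://localhost:8080/workeffort/control/FindWorkEffort` (the URL quoted in the companion commit) yields an empty list, and so does `https://` followed by anything that is not a host. The `s.indexOf("://") == 4 || == 3` test also leaves out `https://` (index 5) although the comment above it says "http or ftp", so https tokens always take the regex path, and the `else` of `stringValues.length > 0` is unreachable because `String.split` never returns an empty array. Treat an empty result as plain text, as below, and document at the method (canonicalizeParameterMap continues past the hunk) that whatever canonicalizeParameter guards against is deliberately skipped for tokens the first branch accepts.
```java
} else if (UtilValidate.isUrl(s) && !s.isEmpty()) {
    List<String> urls = extractUrls(s);
    if (urls.isEmpty()) {
        // contains "://" but nothing the URL pattern recognises: treat it as plain text
        params = params + canonicalizeParameter(s) + " ";
    } else {
        // there should be only one URL in a whitespace-delimited block
        String url = urls.get(0);
        int start = s.indexOf(url);
        String after = s.substring(start + url.length());
        params = params + canonicalizeParameter(s.substring(0, start)) + url + canonicalizeParameter(after) + " ";
    }
} else {
// … unchanged: plain-string branch and paramEntry.setValue(params.trim()) …
```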
@@ -1692,4 +1718,29 @@ public final class UtilHttp {
 public static String getRowSubmitPrefix() {
 return ROW_SUBMIT_PREFIX;
 }
+
+ // From https://stackoverflow.com/questions/1806017/extracting-urls-from-a-text-document-using-java-regular-expressions/1806161#answer-1806161
+ // If you need more Internet top-level domains: https://en.wikipedia.org/wiki/List_of_Internet_top-level_domains
+ public static List<String> extractUrls(String input) {
+ List<String> result = new ArrayList<String>();
+
+ Pattern pattern = Pattern.compile(
+ "\\b(((ht|f)tp(s?)\\:\\/\\/|~\\/|\\/)|www.)"
+ + "(\\w+:\\w+@)?(([-\\w]+\\.)+(com|org|net|gov"
+ + "|mil|biz|info|mobi|name|aero|jobs|museum"
+ + "|travel|[a-z]{2}))(:[\\d]{1,5})?"
+ + "(((\\/([-\\w~!$+|.,=]|%[a-f\\d]{2})+)+|\\/)+|\\?|#)?"
+ + "((\\?([-\\w~!$+|.,*:]|%[a-f\\d{2}])+=?"
+ + "([-\\w~!$+|.,*:=]|%[a-f\\d]{2})*)"
+ + "(&(?:[-\\w~!$+|.,*:]|%[a-f\\d{2}])+=?"
+ + "([-\\w~!$+|.,*:=]|%[a-f\\d]{2})*)*)*"
+ + "(#([-\\w~!$+|.,*:=]|%[a-f\\d]{2})*)?\\b");
+
+ Matcher matcher = pattern.matcher(input);
+ while (matcher.find()) {
+ result.add(matcher.group());
+ }
+
+ return result;
+ }
 }
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilValidate.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilValidate.java
index 85db461..bf37d93 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilValidate.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilValidate.java
@@ -23,6 +23,7 @@ import java.util.Collection;
 import java.util.Map;
 import org.apache.commons.validator.routines.EmailValidator;
+import org.apache.commons.validator.routines.UrlValidator;
 import org.apache.ofbiz.base.lang.IsEmpty;
 import org.apache.ofbiz.entity.Delegator;
 import org.apache.ofbiz.entity.GenericEntityException;
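Review bot: The two query-string alternatives written `%[a-f\\d{2}]` have a misplaced brace — that character class matches a single `a`–`f`, digit, `{`, `2` or `}` rather than two hex digits — and every `%[a-f\\d]{2}` escape is lowercase-only because the pattern is compiled without `Pattern.CASE_INSENSITIVE`, so an upper-case escape such as `%2F` (the form URLEncoder emits) ends the match early and the caller then canonicalizes the remainder, presumably the very decoding this commit sets out to prevent. Fix both fragments to `%[a-f\\d]{2}` and compile once as `private static final Pattern URL_PATTERN = Pattern.compile("...", Pattern.CASE_INSENSITIVE);` instead of recompiling on every call. The `www.` alternative has an unescaped `.`, and the nested repetition `((\\/(…)+)+|\\/)+` is a known catastrophic-backtracking shape that now runs on every request parameter containing `://`; a single `(\\/(…)*)*` group covers the same paths without the ambiguity. The method is public but has no Javadoc; `/** Returns every substring of {@code input} that matches the URL pattern, in order of appearance, or an empty list when there is none. */` would do.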
@@ -630,6 +631,18 @@ public final class UtilValidate {
 return s.indexOf("://") != -1;
 }
+ /**
+ * isValidUrl returns true if the string is a valid URL (using Commons UrlValidator)
+ * @param s String to validate
+ * @return true if s contains if the string is a valid URL (using Commons UrlValidator)
+ */
+ public static boolean isValidUrl(String s) {
+ if (isEmpty(s)) {
+ return DEFAULT_EMPTY_OK;
+ }
+ return UrlValidator.getInstance().isValid(s);
+ }
+
 /** isYear returns true if string s is a valid
 * Year number. Must be 2 or 4 digits only.
 * For Year 2000 compliance, you are advised |
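Review bot: The `@return` tag reads "true if s contains if the string is a valid URL", which is garbled and omits the empty-input case; replace it with `@return true if {@code s} is a valid URL according to Commons {@code UrlValidator}, or {@code DEFAULT_EMPTY_OK} when {@code s} is empty`. The same Javadoc should state what the default instance accepts: only the http, https and ftp schemes, and — without `UrlValidator.ALLOW_LOCAL_URLS` — no host lacking a public TLD, so `http://localhost:8080/…` is reported invalid; the caller in UtilHttp.canonicalizeParameterMap uses this answer to decide whether a token is left un-canonicalized, and that behaviour is not obvious from the name. `isEmpty` and `DEFAULT_EMPTY_OK` are defined outside the hunk.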