Author: jleroux
Date: Tue Oct 13 00:45:31 2015
New Revision: 1708275

URL: http://svn.apache.org/viewvc?rev=1708275&view=rev
Log:
"Applied fix from trunk for revision: 1708274 "
(handled conflicts on .classpath by hand)
------------------------------------------------------------------------
r1708274 | jleroux | 2015-10-13 02:40:47 +0200 (Tue, 13 Oct 2015) | 1 line

Fix for ContentWorker at OFBIZ-6669. For that I have added owasp-java-html-sanitizer-r239.jar and put a "content.sanitize=true" property in content.properties with some explanations. The reason I put this property is because the sanitizer does some (safe) changes which might be unwanted in a context where you are "sure" no one can inject/exploit your DB, see the JIRA issue for details. Note that this does not affect the *ContentWrapper.java classes where we use OWASP encoding and not sanitizer. The reason we need the sanitizer here is because we are not only handling content but also HTML code...
------------------------------------------------------------------------

Added:
    ofbiz/branches/release14.12/framework/base/lib/owasp-java-html-sanitizer-r239.jar
      - copied unchanged from r1708274, ofbiz/trunk/framework/base/lib/owasp-java-html-sanitizer-r239.jar
Modified:
    ofbiz/branches/release14.12/   (props changed)
    ofbiz/branches/release14.12/.classpath
    ofbiz/branches/release14.12/LICENSE
    ofbiz/branches/release14.12/applications/content/config/content.properties
    ofbiz/branches/release14.12/applications/content/src/org/ofbiz/content/content/ContentWorker.java
    ofbiz/branches/release14.12/specialpurpose/cmssite/data/CmsSiteDemoData.xml

Propchange: ofbiz/branches/release14.12/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Tue Oct 13 00:45:31 2015
@@ -8,4 +8,4 @@ /ofbiz/branches/json-integration-refactoring:1634077-1635900 /ofbiz/branches/multitenant20100310:921280-927264 /ofbiz/branches/release13.07:1547657 -/ofbiz/trunk:1649072,1649083-1649084,1649086,1649090,1649096,1649230,1649238-1649239,1649248,1649272,1649275,1649280-1649281,1649283,1649285-1649286,1649291,1649329,1649331,1649384,1649393,1649666,1649742,1650240,1650348,1650357,1650583,1650642,1650678,1650821,1650882,1650887,1650938,1651593,1652312,1652361,1652638,1652641,1652672,1652688,1652706,1652725,1652731,1652739,1652852,1653248,1653296,1653456,1653597,1653614,1654175,1654273,1654509,1654670,1654672-1654673,1654683-1654684,1654824,1655046,1655668,1655979,1656014,1656185,1656198,1656445,1656983,1657323,1657506-1657507,1657514,1657714,1657790,1657848,1658364,1658662,1658882,1659224,1659965,1660031,1660053,1660389,1660444,1660579,1661303,1661328,1661760,1661778,1661853,1661862,1661873,1661940,1661951,1661977,1662119-1662120,1662361,1662500,1662812,1662919,1663202,1663912,1663979,1664602,1664604,1664696,1665154,1665162,1665535,1666404,1666511,1666633,1666836,1666939,1666949,1666958,1667055,1667253,1667483,1667492,1667774,1668207, 
1668214,1668236,1668246,1668258,1668263,1668265,1668270,1668277,1668314,1668657,1669317,1669588,1672427,1672430,1672846,1672853,1672856,1672862,1672873,1673764,1674447,1674464,1674491,1674496,1674908,1676674,1677123,1677597,1677769-1677770,1678294,1678882,1678911,1679689,1679697,1679709,1679720,1679728,1679732,1679957,1680155,1680288,1680304,1680671,1680675,1680733,1680840,1680881,1682272,1682295,1682415,1682633,1683998,1684094,1686360,1686536,1686545,1686566,1686569,1686574,1686583,1686635,1686651,1686970,1687427,1688772,1690086,1690581,1692357,1692458,1692600,1692604,1693393,1693579,1695017,1696018,1696234,1697590,1697647,1697993,1698259,1698261,1698263,1701164,1701441,1701819,1701825,1701936,1702002,1702548,1702704,1703121,1703586,1703945,1703954,1703965,1703971,1703976-1703977,1703981,1704000,1704014,1704018,1704036,1704043,1704052,1704082,1704140,1704230,1705004,1705329,1705405,1705412,1705417,1705427,1705532,1706159,1706162,1706316,1706531,1706549,1706553,1706561,1706569,17065 77,1706591,1706694,1707837,1707857 
+/ofbiz/trunk:1649072,1649083-1649084,1649086,1649090,1649096,1649230,1649238-1649239,1649248,1649272,1649275,1649280-1649281,1649283,1649285-1649286,1649291,1649329,1649331,1649384,1649393,1649666,1649742,1650240,1650348,1650357,1650583,1650642,1650678,1650821,1650882,1650887,1650938,1651593,1652312,1652361,1652638,1652641,1652672,1652688,1652706,1652725,1652731,1652739,1652852,1653248,1653296,1653456,1653597,1653614,1654175,1654273,1654509,1654670,1654672-1654673,1654683-1654684,1654824,1655046,1655668,1655979,1656014,1656185,1656198,1656445,1656983,1657323,1657506-1657507,1657514,1657714,1657790,1657848,1658364,1658662,1658882,1659224,1659965,1660031,1660053,1660389,1660444,1660579,1661303,1661328,1661760,1661778,1661853,1661862,1661873,1661940,1661951,1661977,1662119-1662120,1662361,1662500,1662812,1662919,1663202,1663912,1663979,1664602,1664604,1664696,1665154,1665162,1665535,1666404,1666511,1666633,1666836,1666939,1666949,1666958,1667055,1667253,1667483,1667492,1667774,1668207, 1668214,1668236,1668246,1668258,1668263,1668265,1668270,1668277,1668314,1668657,1669317,1669588,1672427,1672430,1672846,1672853,1672856,1672862,1672873,1673764,1674447,1674464,1674491,1674496,1674908,1676674,1677123,1677597,1677769-1677770,1678294,1678882,1678911,1679689,1679697,1679709,1679720,1679728,1679732,1679957,1680155,1680288,1680304,1680671,1680675,1680733,1680840,1680881,1682272,1682295,1682415,1682633,1683998,1684094,1686360,1686536,1686545,1686566,1686569,1686574,1686583,1686635,1686651,1686970,1687427,1688772,1690086,1690581,1692357,1692458,1692600,1692604,1693393,1693579,1695017,1696018,1696234,1697590,1697647,1697993,1698259,1698261,1698263,1701164,1701441,1701819,1701825,1701936,1702002,1702548,1702704,1703121,1703586,1703945,1703954,1703965,1703971,1703976-1703977,1703981,1704000,1704014,1704018,1704036,1704043,1704052,1704082,1704140,1704230,1705004,1705329,1705405,1705412,1705417,1705427,1705532,1706159,1706162,1706316,1706531,1706549,1706553,1706561,1706569,17065 
77,1706591,1706694,1707837,1707857,1708274 Modified: ofbiz/branches/release14.12/.classpath URL: http://svn.apache.org/viewvc/ofbiz/branches/release14.12/.classpath?rev=1708275&r1=1708274&r2=1708275&view=diff ============================================================================== --- ofbiz/branches/release14.12/.classpath (original) +++ ofbiz/branches/release14.12/.classpath Tue Oct 13 00:45:31 2015 @@ -41,6 +41,7 @@ <classpathentry kind="lib" path="framework/base/lib/log4j-api-2.3.jar"/> <classpathentry kind="lib" path="framework/base/lib/mail-1.5.1.jar"/> <classpathentry kind="lib" path="framework/base/lib/nekohtml-1.9.16.jar"/> + <classpathentry kind="lib" path="framework/base/lib/owasp-java-html-sanitizer-r239.jar"/> <classpathentry kind="lib" path="framework/base/lib/esapi-2.1.0.jar"/> <classpathentry kind="lib" path="framework/base/lib/resolver-2.9.1.jar"/> <classpathentry kind="lib" path="framework/base/lib/serializer-2.9.1.jar"/> Modified: ofbiz/branches/release14.12/LICENSE URL: http://svn.apache.org/viewvc/ofbiz/branches/release14.12/LICENSE?rev=1708275&r1=1708274&r2=1708275&view=diff ============================================================================== --- ofbiz/branches/release14.12/LICENSE (original) +++ ofbiz/branches/release14.12/LICENSE Tue Oct 13 00:45:31 2015 
@@ -67,6 +67,7 @@ framework/base/lib/j2eespecs/annotations framework/base/lib/j2eespecs/el-api-2.2.jar framework/base/lib/j2eespecs/jsp-api-2.2.jar framework/base/lib/j2eespecs/servlet-api-3.0.jar +framework/base/lib/owasp-java-html-sanitizer-r239.jar framework/base/lib/scripting/bsf-2.4.0.jar framework/base/lib/scripting/jakarta-oro-2.0.8.jar framework/base/lib/scripting/groovy-all-2.2.1.jar Modified: ofbiz/branches/release14.12/applications/content/config/content.properties URL: http://svn.apache.org/viewvc/ofbiz/branches/release14.12/applications/content/config/content.properties?rev=1708275&r1=1708274&r2=1708275&view=diff ============================================================================== --- ofbiz/branches/release14.12/applications/content/config/content.properties (original) +++ ofbiz/branches/release14.12/applications/content/config/content.properties Tue Oct 13 00:45:31 2015 @@ -35,3 +35,7 @@ content.upload.always.local.file=true # content output folder (relative to ofbiz.home) content.output.path=runtime/output + +#Should we sanitize generic content by default (specific contents - order, party, category, product, configured product, product promo and work effort - are always encoded) +# This has a slightly impact on the code rendered, see . True By default! +content.sanitize=true Modified: ofbiz/branches/release14.12/applications/content/src/org/ofbiz/content/content/ContentWorker.java URL: http://svn.apache.org/viewvc/ofbiz/branches/release14.12/applications/content/src/org/ofbiz/content/content/ContentWorker.java?rev=1708275&r1=1708274&r2=1708275&view=diff ============================================================================== --- ofbiz/branches/release14.12/applications/content/src/org/ofbiz/content/content/ContentWorker.java (original) +++ ofbiz/branches/release14.12/applications/content/src/org/ofbiz/content/content/ContentWorker.java Tue Oct 13 00:45:31 2015 
@@ -54,6 +54,7 @@ import org.ofbiz.entity.condition.Entity import org.ofbiz.entity.condition.EntityOperator; import org.ofbiz.entity.util.EntityQuery; import org.ofbiz.entity.util.EntityUtil; +import org.ofbiz.entity.util.EntityUtilProperties; import org.ofbiz.minilang.MiniLangException; import org.ofbiz.minilang.SimpleMapProcessor; import org.ofbiz.service.DispatchContext; @@ -61,6 +62,8 @@ import org.ofbiz.service.GenericServiceE import org.ofbiz.service.LocalDispatcher; import org.ofbiz.service.ModelService; import org.ofbiz.service.ServiceUtil; +import org.owasp.html.PolicyFactory; +import org.owasp.html.Sanitizers; import org.xml.sax.InputSource; import org.xml.sax.SAXException; 
@@ -335,7 +338,23 @@ public class ContentWorker implements or Locale locale, String mimeTypeId, boolean cache) throws GeneralException, IOException { Writer writer = new StringWriter(); renderContentAsText(dispatcher, delegator, contentId, writer, templateContext, locale, mimeTypeId, null, null, cache); - return writer.toString(); + String rendered = writer.toString(); + // According to https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#XSS_Prevention_Rules_Summary + // Normally head should be protected by X-XSS-Protection Response Header by default + if (EntityUtilProperties.propertyValueEqualsIgnoreCase("content.properties", "content.sanitize", "true", delegator) + && (rendered.contains("<script>") + || rendered.contains("<!--") + || rendered.contains("<div") + || rendered.contains("<style>") + || rendered.contains("<span") + || rendered.contains("<input") + || rendered.contains("<input") + || rendered.contains("<iframe") + || rendered.contains("<a"))) { + PolicyFactory sanitizer = Sanitizers.FORMATTING.and(Sanitizers.BLOCKS).and(Sanitizers.IMAGES).and(Sanitizers.LINKS).and(Sanitizers.STYLES); + rendered = sanitizer.sanitize(rendered); + } + return rendered; } public static String renderContentAsText(LocalDispatcher dispatcher, Delegator delegator, String contentId, Appendable out, Modified: ofbiz/branches/release14.12/specialpurpose/cmssite/data/CmsSiteDemoData.xml URL: http://svn.apache.org/viewvc/ofbiz/branches/release14.12/specialpurpose/cmssite/data/CmsSiteDemoData.xml?rev=1708275&r1=1708274&r2=1708275&view=diff ============================================================================== --- ofbiz/branches/release14.12/specialpurpose/cmssite/data/CmsSiteDemoData.xml (original) +++ ofbiz/branches/release14.12/specialpurpose/cmssite/data/CmsSiteDemoData.xml Tue Oct 13 00:45:31 2015 
@@ -78,7 +78,7 @@ under the License. <p> This is a site to demonstrate the CMS capabilities of OFBiz. Its basic function is the editing of website text inside a browser. If you want to edit the text you are reading now, logon to the backend system, select the content component - click on 'cmssite' in the website list and ten click on the 'cms' button. There you see on the left hand side the tree of this website. + click on 'cmssite' in the website list and then click on the 'cms' button. There you see on the left hand side the tree of this website. If you click on 'homepage' then you can edit the content of this page at the box in the r </p> <p> |
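Review bot: In the ContentWorker.java hunk at @@ -335,7 +338,23 @@, the `rendered.contains(...)` guard that decides whether to run the sanitizer is a blocklist of exact lowercase substrings and is bypassable: content that only uses `<SCRIPT>`, `<script src=...>`, `<img onerror=...>`, `<svg onload=...>`, `<object>`, `<embed>`, `<form>`, or an event-handler attribute on any element outside the list (`<p onmouseover=...>`) matches none of the nine checks and is returned unsanitized even with content.sanitize=true. The OWASP sanitizer is cheap and leaves markup its policy already allows unchanged, so drop the substring checks and call `sanitizer.sanitize(rendered)` unconditionally when the property is true; if a fast path for plain text is wanted, test for the presence of `<` rather than for particular tag names. Two smaller points in the same hunk: `rendered.contains("<input")` is listed twice, and the `PolicyFactory` built from `Sanitizers.FORMATTING.and(Sanitizers.BLOCKS)...` is immutable and thread-safe, so it belongs in a `private static final` field instead of being rebuilt on every call. The comment "Normally head should be protected by X-XSS-Protection Response Header by default" should also be reworded or removed: that header drives a reflected-XSS heuristic that not every browser implements, and it does nothing for stored content rendered from the database, which is exactly the case this sanitizer call is meant to cover.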
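Review bot: In the content.properties hunk at @@ -35,3 +35,7 @@, the comment on the new property ends in "see ." with the reference missing; put the issue the log message cites (OFBIZ-6669) there so an operator reading the file knows what the "impact on the code rendered" is, and change "slightly impact" to "slight impact". The comment should also state what the flag actually does (tags and attributes outside the formatting, blocks, images, links and styles policies are stripped from generic content before it is returned), since that is the protection an operator setting `content.sanitize=false` is opting out of.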