Skip to content

Commit 357da7f

Browse files
committed
Improved: Check parameters passed in URLs (OFBIZ-13295)
Thanks to Nicolas, improves previous commits that did not handle multipart element Also while at it, adds a space after "process" in deniedWebShellTokens of security.properties. I stumbled upon it after trying to upload a file created by a Canon camera. Anyway the deniedWebShellTokens comment suggest that when it's necessary.
1 parent 1e47b60 commit 357da7f

4 files changed

Lines changed: 30 additions & 28 deletions

File tree

framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java

Lines changed: 4 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -65,16 +65,12 @@
6565
import java.util.stream.Stream;
6666

6767
import javax.net.ssl.SSLContext;
68-
import jakarta.servlet.http.HttpServletRequest;
69-
import jakarta.servlet.http.HttpServletResponse;
70-
import jakarta.servlet.http.HttpSession;
7168

7269
import org.apache.commons.fileupload2.core.DiskFileItem;
7370
import org.apache.commons.fileupload2.core.DiskFileItemFactory;
7471
import org.apache.commons.fileupload2.core.FileItem;
7572
import org.apache.commons.fileupload2.core.FileUploadException;
7673
import org.apache.commons.fileupload2.jakarta.JakartaServletFileUpload;
77-
7874
import org.apache.commons.lang.RandomStringUtils;
7975
import org.apache.http.NameValuePair;
8076
import org.apache.http.client.utils.URLEncodedUtils;
@@ -94,6 +90,10 @@
9490
import com.google.re2j.Matcher;
9591
import com.google.re2j.Pattern;
9692

93+
import jakarta.servlet.http.HttpServletRequest;
94+
import jakarta.servlet.http.HttpServletResponse;
95+
import jakarta.servlet.http.HttpSession;
96+
9797
/**
9898
* HttpUtil - Misc HTTP Utility Functions
9999
*/
@@ -230,7 +230,6 @@ public static Map<String, Object> getMultiPartParameterMap(HttpServletRequest re
230230
if (isMultiPart) {
231231
// create the progress listener and add it to the session
232232
String encoding = request.getCharacterEncoding();
233-
Charset charset = Charset.forName(encoding);
234233
JakartaServletFileUpload<DiskFileItem, DiskFileItemFactory> upload = UtilHttp.getServletFileUpload(request);
235234
FileUploadProgressListener listener = new FileUploadProgressListener();
236235
upload.setProgressListener(listener);

framework/common/src/main/java/org/apache/ofbiz/common/UrlServletHelper.java

Lines changed: 11 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -21,14 +21,6 @@
2121
import java.io.IOException;
2222
import java.util.List;
2323

24-
import jakarta.servlet.RequestDispatcher;
25-
import jakarta.servlet.ServletContext;
26-
import jakarta.servlet.ServletException;
27-
import jakarta.servlet.ServletRequest;
28-
import jakarta.servlet.ServletResponse;
29-
import jakarta.servlet.http.HttpServletRequest;
30-
import jakarta.servlet.http.HttpServletResponse;
31-
3224
import org.apache.ofbiz.base.util.Debug;
3325
import org.apache.ofbiz.base.util.StringUtil;
3426
import org.apache.ofbiz.base.util.UtilValidate;
@@ -41,6 +33,14 @@
4133
import org.apache.ofbiz.webapp.WebAppUtil;
4234
import org.apache.ofbiz.webapp.website.WebSiteWorker;
4335

36+
import jakarta.servlet.RequestDispatcher;
37+
import jakarta.servlet.ServletContext;
38+
import jakarta.servlet.ServletException;
39+
import jakarta.servlet.ServletRequest;
40+
import jakarta.servlet.ServletResponse;
41+
import jakarta.servlet.http.HttpServletRequest;
42+
import jakarta.servlet.http.HttpServletResponse;
43+
4444
public final class UrlServletHelper {
4545

4646
private static final String MODULE = UrlServletHelper.class.getName();
@@ -50,6 +50,9 @@ private UrlServletHelper() { }
5050
public static void setRequestAttributes(ServletRequest request, Delegator delegator, ServletContext servletContext) {
5151
HttpServletRequest httpRequest = (HttpServletRequest) request;
5252
// check if multi tenant is enabled
53+
if (delegator == null) {
54+
delegator = WebAppUtil.getDelegator(servletContext);
55+
}
5356
boolean useMultitenant = EntityUtil.isMultiTenantEnabled();
5457
if (useMultitenant) {
5558
// get tenant delegator by domain name

framework/security/config/security.properties

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -283,7 +283,7 @@ csvformat=CSVFormat.DEFAULT
283283
deniedWebShellTokens=java.,beans,freemarker,<script,javascript,<body,body ,<form,<jsp:,<c:out,taglib,<prefix,<%@ page,<?php,exec(,alert(,\
284284
%eval,@eval,eval(,runtime,import,passthru,shell_exec,assert,str_rot13,system,decode,include,page ,\
285285
chmod,mkdir,fopen,fclose,new file,upload,getfilename,download,getoutputstring,readfile,iframe,object,embed,onload,build,\
286-
python,perl ,/perl,ruby ,/ruby,process,function,class,InputStream,to_server,wget ,static,assign,webappPath,\
286+
python,perl ,/perl,ruby ,/ruby,process ,function,class,InputStream,to_server,wget ,static,assign,webappPath,\
287287
ifconfig,route,crontab,netstat,uname ,hostname,iptables,whoami,"cmd",*cmd|,+cmd|,=cmd|,localhost,thread,require(,gzdeflate,\
288288
execute,println,calc,touch,curl,base64, tcp ,4444,base32, tr , xxd ,bash, od ,|od ,printf,echo
289289

framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java

Lines changed: 14 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -24,8 +24,8 @@
2424
import java.net.URLDecoder;
2525
import java.util.ArrayList;
2626
import java.util.Arrays;
27+
import java.util.Collection;
2728
import java.util.Collections;
28-
import java.util.LinkedList;
2929
import java.util.List;
3030
import java.util.Map;
3131
import java.util.Set;
@@ -37,9 +37,11 @@
3737
import org.apache.logging.log4j.ThreadContext;
3838
import org.apache.ofbiz.base.util.Debug;
3939
import org.apache.ofbiz.base.util.StringUtil;
40+
import org.apache.ofbiz.base.util.UtilGenerics;
4041
import org.apache.ofbiz.base.util.UtilHttp;
4142
import org.apache.ofbiz.base.util.UtilProperties;
4243
import org.apache.ofbiz.base.util.UtilValidate;
44+
import org.apache.ofbiz.common.UrlServletHelper;
4345
import org.apache.ofbiz.entity.GenericValue;
4446
import org.apache.ofbiz.security.SecuredFreemarker;
4547
import org.apache.ofbiz.security.SecuredUpload;
@@ -164,24 +166,24 @@ public void doFilter(HttpServletRequest req, HttpServletResponse resp, FilterCha
164166
HttpSession session = req.getSession();
165167

166168
// Prevents stream exploitation
169+
UrlServletHelper.setRequestAttributes(req, null, req.getServletContext());
167170
Map<String, Object> parameters = UtilHttp.getParameterMap(req);
168171
boolean reject = false;
169172
if (!parameters.isEmpty()) {
170173
for (String key : parameters.keySet()) {
171174
Object object = parameters.get(key);
172-
if (object.getClass().equals(String.class)) {
173-
String val = (String) object;
174-
if (val.contains("<")) {
175+
if (object.getClass().equals(String.class)
176+
|| object instanceof Collection) {
177+
try {
178+
List<String> toCheck = object.getClass().equals(String.class)
179+
? List.of((String) object)
180+
: UtilGenerics.checkCollection(object, String.class);
181+
reject = toCheck.stream()
182+
.anyMatch(val -> val.contains("<"));
183+
} catch (IllegalArgumentException e) {
184+
Debug.logWarning(e, MODULE);
175185
reject = true;
176186
}
177-
} else {
178-
@SuppressWarnings("unchecked")
179-
LinkedList<String> vals = (LinkedList<String>) parameters.get(key);
180-
for (String aVal : vals) {
181-
if (aVal.contains("<")) {
182-
reject = true;
183-
}
184-
}
185187
}
186188
}
187189
if (reject) {
@@ -190,8 +192,6 @@ public void doFilter(HttpServletRequest req, HttpServletResponse resp, FilterCha
190192
}
191193
}
192194

193-
194-
195195
// Check if we are told to redirect everything.
196196
if (redirectAll) {
197197
// little trick here so we don't loop on ourselves

0 commit comments

Comments
 (0)