Skip to content

Commit a9a3237

Browse files
committed
Improved: Update allowed local file paths to enhance security
(cherry picked from commit f82bca8)
1 parent 3ddc596 commit a9a3237

1 file changed

Lines changed: 1 addition & 2 deletions

File tree

framework/security/config/security.properties

Lines changed: 1 addition & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -169,8 +169,7 @@ content.data.ofbiz.file.allowed.paths=applications/,themes/,plugins/,runtime/
169169
# -- Allowed directories for the LOCAL_FILE / LOCAL_FILE_BIN data resource types (absolute paths).
170170
# -- Comma-separated, no spaces after commas. Use ${ofbiz.home} as a portable placeholder.
171171
# -- Only files whose resolved canonical path starts with one of these entries will be served.
172-
# -- Set to empty to disable this check (NOT recommended).
173-
content.data.local.file.allowed.paths=${ofbiz.home}
172+
content.data.local.file.allowed.paths=${ofbiz.home}/runtime/tmp/
174173

175174
# -- Allowed hosts for the URL_RESOURCE data resource type (comma-separated host names or host:port values).
176175
# -- Both exact matches and subdomain matches are supported: "example.com" also permits "cdn.example.com".

0 commit comments

Comments
 (0)