Improved: Prevent URL parameters manipulation (OFBIZ-13147)

Handles Base64 encoded reverse shells Conflicts handled by hand
apache · Oct 23, 2024 · 2a60c0b · 2a60c0b
1 parent cd84c69
commit 2a60c0b
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 8 deletions.
diff --git a/framework/security/config/security.properties b/framework/security/config/security.properties
@@ -240,7 +240,7 @@ deniedWebShellTokens=java.,beans,freemarker,<script,javascript,<body,body ,<form
                      chmod,mkdir,fopen,fclose,new file,upload,getfilename,download,getoutputstring,readfile,iframe,object,embed,onload,build,\
                      python,perl ,/perl,ruby ,/ruby,process,function,class,InputStream,to_server,wget ,static,assign,webappPath,\
                      ifconfig,route,crontab,netstat,uname ,hostname,iptables,whoami,"cmd",*cmd|,+cmd|,=cmd|,localhost,thread,require,gzdeflate,\
-                     execute,println,calc,touch,calculate,curl
+                     execute,println,calc,touch,calculate,curl,base64
 
 #-- Max line length for uploaded files, by default 10000
 maxLineLength=

diff --git a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
@@ -22,6 +22,8 @@
 import java.net.URI;
 import java.net.URISyntaxException;
 import java.net.URLDecoder;
+import java.util.Base64;
+import java.util.Collections;
 import java.util.HashSet;
 import java.util.Set;
 
@@ -37,6 +39,7 @@
 import org.apache.ofbiz.base.util.Debug;
 import org.apache.ofbiz.base.util.UtilValidate;
 import org.apache.ofbiz.entity.GenericValue;
+import org.apache.ofbiz.security.SecuredUpload;
 import org.apache.ofbiz.security.SecurityUtil;
 
 /*
@@ -137,14 +140,18 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
 
             // Reject wrong URLs
             if (!requestUri.matches("/control/logout;jsessionid=[A-Z0-9]{32}\\.jvm1")) {
-                String queryString = httpRequest.getQueryString();
-                if (queryString != null) {
-                    queryString = URLDecoder.decode(queryString, "UTF-8");
-                    if (UtilValidate.isUrl(queryString)) {
-                        Debug.logError("For security reason this URL is not accepted", module);
-                        throw new RuntimeException("For security reason this URL is not accepted");
-                    }
+            String queryString = httpRequest.getQueryString();
+            if (queryString != null) {
+                queryString = URLDecoder.decode(queryString, "UTF-8");
+                if (UtilValidate.isUrl(queryString)
+                        || !SecuredUpload.isValidText(queryString, Collections.emptyList())
+                        || !SecuredUpload.isValidText(Base64.getDecoder().decode(queryString).toString(), Collections.emptyList())
+                        || !SecuredUpload.isValidText(Base64.getMimeDecoder().decode(queryString).toString(), Collections.emptyList())
+                        || !SecuredUpload.isValidText(Base64.getUrlDecoder().decode(queryString).toString(), Collections.emptyList())) { // ...
+                    Debug.logError("For security reason this URL is not accepted", module);
+                    throw new RuntimeException("For security reason this URL is not accepted");
                 }
+            }
 
                 try {
                     String url = new URI(((HttpServletRequest) request).getRequestURL().toString())