[OFBIZ-12794] Disallow string concatenation in uploaded files - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Sub-task
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: 22.01.01
Fix Version/s: 22.01.01
Component/s: framework/security
Labels:
None

Sprint:
Bug Crush Event - 21/2/2015

Description

An external security reporter brought to our attention that a signed up user could upload a webshell using string concatenation. Of course there is no reason for a signed up user to upload a webshell. And anyway we don't create CVEs for signed up users trying our security.

Nevertheless we have decided to fix this possibility while allowing to bypass it using a new security property. The later can be usefull when a file must contain a string concatenation, images files, seen as encoded texts, come to mind.

Attachments

Activity

People

Assignee:: Jacques Le Roux

Reporter:: Jacques Le Roux

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 08/Apr/23 08:44

Updated:: 08/Apr/23 09:36

Resolved:: 08/Apr/23 09:36