Fixed: Avoid exploit using .. special name in request uri.

Before, a user could bypass webapp filter rules using `..` notation allowing to access to the complete docBase provided by tomcat. Example `w3m https://localhost:8443/partymgr/control/../a.txt` could be used to access `a.txt` file in partymgr webapp, even though `control` is needed to pass filter rules. Even if there is no possibility to remotely define files in docBase, this patch ensure that no exploit using `..` notation is possible.
apache · Jan 12, 2024 · d17d06f · d17d06f
1 parent 648c212
commit d17d06f
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
@@ -19,6 +19,8 @@
 package org.apache.ofbiz.webapp.control;
 
 import java.io.IOException;
+import java.net.URI;
+import java.net.URISyntaxException;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.Set;
@@ -158,6 +160,13 @@ public void doFilter(HttpServletRequest req, HttpServletResponse resp, FilterCha
                 }
             }
 
+            // normalize to remove ".." special name usage to bypass webapp filter
+            try {
+                uri = new URI(uri).normalize().toString();
+            } catch (URISyntaxException e) {
+                throw new RuntimeException(e);
+            }
+
             // Check if the requested URI is allowed.
             if (allowedPaths.stream().anyMatch(uri::startsWith)) {
                 try {