Jacques Le Roux
committed
on 14 Sep
"Applied fix from trunk for revision: 1866920"
------------------------------------------------------------------------

------------------------------------------------------------------------

r1866920 | jleroux | 2019-09-14 10:19:18 +0200 (sam. 14 sept. 2019) | 18 lignes

Fixed: Path Traversal in webtools/control/FetchLogs and ViewFile

(OFBIZ-11196)

These are not really path traversal issues.

We can't solve them using the traditional way to fix path traversal issues (i.e. normalising the path), because FetchLogs and ViewFile are actually reading files, and if you have the right to read these files then nothing will prevent you from reading them.

The problem is more what those requests are supposed to do. FetchLogs is supposed to read a log in the log dir, and ViewFile is supposed to read a file containing labels (i.e. either an XML or Properties file).

So the solution is to allow these requests to only do what they are supposed to do. This is what is done in the ViewFile and FetchLogs Groovy files.

------------------------------------------------------------------------
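The approach the message describes, letting each request do only what it is supposed to do (FetchLogs confined to the log directory, ViewFile confined to XML/Properties label files), shown as an added Python illustration; this is not OFBiz's own Groovy code, and the directory layout, file names and the `LABEL_SUFFIXES` set are constructed assumptions.

```python
from pathlib import Path
import tempfile

# Constructed allow-list for the ViewFile case: only label files (XML or Properties).
LABEL_SUFFIXES = {".xml", ".properties"}


def resolve_within(base_dir, requested):
    """Return the real path of `requested` if it lies inside `base_dir`, else None."""
    base = Path(base_dir).resolve()
    try:
        target = (base / requested).resolve(strict=True)
    except (OSError, RuntimeError):  # missing file, or a symlink loop
        return None
    # Comparing resolved paths rejects '..' segments, absolute paths and
    # symlinks that point outside the base directory.
    if base not in target.parents:
        return None
    return target


def fetch_log(log_dir, name):
    """FetchLogs-style read: the file must live in the log directory."""
    target = resolve_within(log_dir, name)
    if target is None or not target.is_file():
        return None
    return target.read_text()


def view_label_file(labels_dir, name):
    """ViewFile-style read: inside the labels directory AND an XML/Properties file."""
    target = resolve_within(labels_dir, name)
    if target is None or not target.is_file():
        return None
    if target.suffix.lower() not in LABEL_SUFFIXES:
        return None
    return target.read_text()


def demo():
    """Build a constructed directory layout, exercise both checks, return the outcomes."""
    root = Path(tempfile.mkdtemp())
    (root / "logs").mkdir()
    (root / "config").mkdir()
    (root / "logs" / "ofbiz.log").write_text("log line\n")
    (root / "config" / "CommonUiLabels.xml").write_text("<resource/>\n")
    (root / "config" / "db.passwd").write_text("not for you\n")  # constructed, must stay unreadable
    return {
        "log_ok": fetch_log(root / "logs", "ofbiz.log"),
        "log_escape": fetch_log(root / "logs", "../config/db.passwd"),
        "label_ok": view_label_file(root / "config", "CommonUiLabels.xml"),
        "label_wrong_type": view_label_file(root / "config", "db.passwd"),
        "label_escape": view_label_file(root / "config", "../logs/ofbiz.log"),
    }
```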
