Build: #2 was successful Scheduled with changes by Guus der Kinderen and cpetzka <31418387+cpetzka@users.noreply.github.com>
Code commits
Openfire (master)
-
cpetzka <31418387+cpetzka@users.noreply.github.com> 627415cddbf58448ff0cc884cf2616455380b3e1
update the german translation
- i18n/src/main/resources/openfire_i18n_de.properties (version 627415cddbf58448ff0cc884cf2616455380b3e1)
-
cpetzka <31418387+cpetzka@users.noreply.github.com> 17fdcecf0d42d0a637deac8061a934a67084e693
Fix that an empty string can not be inserted in ofgroupporp.propvalue
- distribution/src/database/openfire_oracle.sql (version 17fdcecf0d42d0a637deac8061a934a67084e693)
-
Guus der Kinderen dd2e5342a6a1d72b4e0bfe4e3f3810afd8271710
Fixed logged messages.
- xmppserver/src/main/java/org/jivesoftware/openfire/container/PluginManager.java (version dd2e5342a6a1d72b4e0bfe4e3f3810afd8271710)
-
Guus der Kinderen 310e744d393a5c65bb65d06daea6bfc0c8b683a8
OF-1021: Verify JAR content
Commit 9c62dbf599f266bde214c5a68a004708edc7da48 adds code that removes uploaded files that cannot be parsed as JAR files.
To further guard against malicous files being uploaded, this commit verifies that the uploaded JAR file contains a 'plugin.xml' entry.
The new functionality is controlled by two new properties:
- plugins.upload.pluginxml-check.enabled A boolean value that enables or disables the check (defaults to true).- i18n/src/main/resources/openfire_i18n.properties (version 310e744d393a5c65bb65d06daea6bfc0c8b683a8)
- xmppserver/src/main/java/org/jivesoftware/openfire/container/PluginManager.java (version 310e744d393a5c65bb65d06daea6bfc0c8b683a8)
-
Guus der Kinderen a70e317e379962d1271853f0165bd4955d76813b
OF-1021: Verify magic bytes of uploaded plugins
Commit 9c62dbf599f266bde214c5a68a004708edc7da48 adds code that removes uploaded files that cannot be parsed as JAR files.
To further guard against malicous files being uploaded, this commit verifies the magic bytes (the first few bytes) of the uploaded file.
The new functionality is controlled by two new properties:
- plugins.upload.magic-number-check.enabled A boolean value that enables or disables the check (defaults to true).
- plugins.upload.magic-number.values.expected-value A list of hex representations of valid magic byte sequences (defaults to "504B0304", "504B0506", "504B0708").- i18n/src/main/resources/openfire_i18n.properties (version a70e317e379962d1271853f0165bd4955d76813b)
- xmppserver/src/main/java/org/jivesoftware/openfire/container/PluginManager.java (version a70e317e379962d1271853f0165bd4955d76813b)
- xmppserver/src/test/java/org/jivesoftware/openfire/container/PluginManagerTest.java (version a70e317e379962d1271853f0165bd4955d76813b)
- xmppserver/src/test/resources/hello.jar (version a70e317e379962d1271853f0165bd4955d76813b)
-
Guus der Kinderen 0d51cf961f467fff14f64b9ab3e70f9208aa54de
OF-1021: Verify content type of uploaded plugins
Commit 9c62dbf599f266bde214c5a68a004708edc7da48 adds code that removes uploaded files that cannot be parsed as JAR files.
To further guard against malicous files being uploaded, this commit adds functionality to allow to verify the content type, as specified by the browser, of the uploaded file.
As a potential attacker is likely to be able to modify the reported content type. The added security value of this change is therefor not very signification. By default, this functionality is therefor disabled, to prevent valid use cased from being stopped by this.
The new functionality is controlled by two new properties:
- plugins.upload.content-type-check.enabled A boolean value that enables or disables the check (defaults to false).
- plugins.upload.content-type-check.expected-value Text value that is the expected content type (defaults to application/x-java-archive).- xmppserver/src/main/webapp/plugin-admin.jsp (version 0d51cf961f467fff14f64b9ab3e70f9208aa54de)