This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release17.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release17.12 by this push: new 9a0bda0 Fixed: Server-Side Template Injection using Static (OFBIZ-11871) 9a0bda0 is described below commit 9a0bda00f818557f24cd22d404221791dd3601c2 Author: Jacques Le Roux <jacques.le.r...@les7arts.com> AuthorDate: Mon Aug 3 10:43:56 2020 +0200 Fixed: Server-Side Template Injection using Static (OFBIZ-11871) Thanks to Alvaro's explanations, the problem was in MacroFormRenderer where, for lookups, we retrieve _LAST_VIEW_NAME_ as a parameter without encoding it. Got hard conflicts, all done by hand. Thanks: Alvaro for advice
---
 .../java/org/apache/ofbiz/widget/renderer/macro/MacroFormRenderer.java | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/macro/MacroFormRenderer.java b/framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/macro/MacroFormRenderer.java
index 33cd6eb..cd0465f 100644
--- a/framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/macro/MacroFormRenderer.java
+++ b/framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/macro/MacroFormRenderer.java
@@ -22,6 +22,7 @@ import java.io.IOException;
 import java.io.Reader;
 import java.io.StringReader;
 import java.io.StringWriter;
+import java.net.URLEncoder;
 import java.rmi.server.UID;
 import java.sql.Timestamp;
 import java.util.HashSet;
@@ -2211,6 +2212,7 @@ public final class MacroFormRenderer implements FormStringRenderer {
 if (UtilValidate.isEmpty(lastViewName)) {
 lastViewName = "";
 }
+lastViewName = URLEncoder.encode(lastViewName, "UTF-8");
 String tabindex = modelFormField.getTabindex();
 StringWriter sr = new StringWriter();
 sr.append("<@renderLookupField ");
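Review bot: The added `URLEncoder.encode` call in the second hunk is the entire fix for the template injection, yet nothing at that line records why a request parameter is being URL-encoded before it is appended into the `<@renderLookupField ` macro text built just below, so a later cleanup could drop it as a redundant encoding. Suggest a why-comment directly above it: `// _LAST_VIEW_NAME_ is a request parameter; encode it so it cannot carry template syntax into the macro argument (OFBIZ-11871)`. As a point of style, `StandardCharsets.UTF_8.name()` instead of the `"UTF-8"` literal keeps the charset name out of string literals; the checked `UnsupportedEncodingException` still has to be handled by the enclosing method, which starts and ends outside the hunk. Note that `URLEncoder` turns spaces into `+` and percent-escapes other characters, so if `lastViewName` is presumably consumed only as a URL query component this is correct, but that is worth confirming against the template side, since the hunk does not show the consumer.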