This is an automated email from the ASF dual-hosted git repository.

nmalin pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

commit 5944749ee03d0dc1399903e2cb48d82fed2063f9
Author: Nicolas Malin <nicolas.ma...@nereide.fr>
AuthorDate: Wed Jul 28 14:32:36 2021 +0200

    Fixed: IndexOutOfBoundsException on Entity Import (OFBIZ-12273)
    
    Backport e4919d16ca33face162defb0e3a07373a8f9f374 from trunk
    
    Removes the localhost (and 127.0.0.1) OOTB.
    Allows it to be used through a "multi-property" (comma-separated list) in security.properties.
---
 .../java/org/apache/ofbiz/base/util/UtilHttp.java  | 37 ++++++++++++++++++----
 framework/security/config/security.properties      |  6 +++-
 2 files changed, 35 insertions(+), 8 deletions(-)

diff --git 
a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java 
b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java
index 56c4e35..cdcbfb7 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java
@@ -398,20 +398,20 @@ public final class UtilHttp {
     }
 
     public static Map<String, Object> canonicalizeParameterMap(Map<String, 
Object> paramMap) {
-        for (Map.Entry<String, Object> paramEntry: paramMap.entrySet()) {
+        for (Map.Entry<String, Object> paramEntry : paramMap.entrySet()) {
             if (paramEntry.getValue() instanceof String) {
                 String paramEntries = (String) paramEntry.getValue();
                 String[] stringValues = paramEntries.split(" ");
                 String params = "";
                 // Handles textareas, see OFBIZ-12249
-                if (stringValues.length > 0) {
+                if (stringValues.length > 0 && 
!paramEntry.getKey().equals("DUMMYPAGE")) {
                     for (String s : stringValues) {
                         // if the string contains only an URL beginning by 
http or ftp => no change to keep special chars
                         if (UtilValidate.isValidUrl(s) && (s.indexOf("://") == 
4 || s.indexOf("://") == 3)) {
-                            params = params + s + " " ;
+                            params = params + s + " ";
                         } else if (UtilValidate.isUrl(s) && !s.isEmpty()) {
                             // if the string contains not only an URL => 
concatenate possible canonicalized before and after, w/o changing the URL
-                            String url = extractUrls(s).get(0); // THere 
should be only 1 URL in a block, makes no sense else
+                            String url = extractUrls(s).get(0); // There 
should be only 1 URL in a block, makes no sense else
                             int start = s.indexOf(url);
                             String after = (String) s.subSequence(start + 
url.length(), s.length());
                             params = params + canonicalizeParameter((String) 
s.subSequence(0, start)) + url + canonicalizeParameter(after) + " ";
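Review bot: `extractUrls(s).get(0)` on the line above `int start = s.indexOf(url);` is still unguarded, so if `UtilValidate.isUrl` accepts a token that neither the allowedProtocols list nor the regex in `extractUrls` matches, the IndexOutOfBoundsException this commit is titled for can presumably still occur; the localhost case is only covered through the property added in the second hunk. Suggest `List<String> urls = extractUrls(s); if (urls.isEmpty()) { params = params + canonicalizeParameter(s) + " "; continue; } String url = urls.get(0);` so an unmatched token falls through to ordinary canonicalization instead of throwing. The `"DUMMYPAGE"` key added to the `if` condition would also read better as a named constant with a comment saying why that key is exempt. canonicalizeParameterMap continues past the end of this hunk.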
@@ -1727,11 +1727,34 @@ public final class UtilHttp {
                         "([-\\w~!$+|.,*:=]|%[a-f\\d]{2})*)*)*" +
                         "(#([-\\w~!$+|.,*:=]|%[a-f\\d]{2})*)?\\b");
 
-        java.util.regex.Matcher matcher = pattern.matcher(input);
-        while (matcher.find()) {
-            result.add(matcher.group());
+        List<String> allowedProtocols = getAllowedProtocols();
+        for (String protocol : allowedProtocols) {
+            if (input.contains(protocol)) {
+                result.add(input);
+            }
+        }
+
+        if (result.isEmpty()) {
+            java.util.regex.Matcher matcher = pattern.matcher(input);
+            while (matcher.find()) {
+                result.add(matcher.group());
+            }
         }
 
         return result;
     }
+
+    private static List<String> getAllowedProtocols() {
+        List<String> allowedProtocolList = new LinkedList<>();
+        allowedProtocolList.add("component://");
+        String allowedProtocols = UtilProperties.getPropertyValue("security", 
"allowedProtocols");
+        if (UtilValidate.isNotEmpty(allowedProtocols)) {
+            List<String> allowedProtocolsList = 
StringUtil.split(allowedProtocols, ",");
+            for (String protocol : allowedProtocolsList) {
+                allowedProtocolList.add(protocol);
+            }
+        }
+        return allowedProtocolList;
+    }
+
 }
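Review bot: The new `if (input.contains(protocol))` loop in `extractUrls` treats a bare substring hit as proof that the whole `input` is a URL, so any token that merely embeds a configured value anywhere is returned verbatim and, via `extractUrls(s).get(0)` in canonicalizeParameterMap, appears to be appended to `params` without canonicalization. A boundary-aware check would be safer: `component://` is a scheme prefix, so `input.startsWith(protocol)` fits it, while host-style entries such as `localhost` or `127.0.0.1` presumably should be compared against the parsed host of the token rather than the raw string. The loop also adds `input` once per matching entry, so `result` can hold duplicates; a `break` after `result.add(input);` keeps it to one. `getAllowedProtocols()` re-reads the property on every call (once per token from the caller) and could replace the manual copy loop with `allowedProtocolList.addAll(StringUtil.split(allowedProtocols, ","));`; the `pattern` declaration at the top of extractUrls starts before this hunk.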
diff --git a/framework/security/config/security.properties 
b/framework/security/config/security.properties
index 6ee20ea..6bbdda1 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -198,4 +198,8 @@ allowAllUploads=
 
 #-- uri used for login (cf jira OFBIZ-12047)
 #-- it's a list, each uri should be separated by comma, without space
-login.uris=login
\ No newline at end of file
+login.uris=login
+
+#-- If you need to use localhost or 127.0.0.1 in textareas URLs then you can 
uncomment the allowedProtocols property, here given as an example
+#-- You may also put other protocols you want to use, instead or with those
+allowedProtocols=localhost,127.0.0.1
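Review bot: The added comment says `allowedProtocols` is given as an example to uncomment, but the `allowedProtocols=localhost,127.0.0.1` line below it is active, so localhost and 127.0.0.1 are allowed out of the box, which contradicts the commit description ("Removes the localhost (and 127.0.0.1) OOTB"). Either prefix the line as `#allowedProtocols=localhost,127.0.0.1` to match the comment, or reword the comment to say the property is enabled by default and can be emptied to disable it. The comment would also benefit from stating that the code matches these entries as plain substrings of each URL token, since the property name suggests URL schemes while the example values are hosts.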
