This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release17.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release17.12 by this push:
new 8e8ef4c Fixed: post-auth Remote Code Execution Vulnerability (OFBIZ-12332)
8e8ef4c is described below
commit 8e8ef4c9dcd2c2a0953aeb401eaa3f9c8a262292
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Fri Oct 8 19:31:28 2021 +0200
Fixed: post-auth Remote Code Execution Vulnerability (OFBIZ-12332)
Fixes the "eternal" (for R17 and R18 ;) bug about MODULE (trunk) vs module
---
.../org/apache/ofbiz/webapp/control/ContextFilter.java | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ContextFilter.java b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ContextFilter.java
index 46cf063..6edd2aa 100644
--- a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ContextFilter.java
+++ b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ContextFilter.java
@@ -97,7 +97,7 @@ public class ContextFilter implements Filter {
 String body = request.getReader().lines().collect(Collectors.joining());
 if (body.contains("</serializable>")) {
- Debug.logError("Content not authorised for security reason", MODULE); // Cf. OFBIZ-12332
+ Debug.logError("Content not authorised for security reason", module); // Cf. OFBIZ-12332
 return;
 }
@@ -142,7 +142,7 @@ public class ContextFilter implements Filter {
 if(UtilValidate.isNotEmpty(tenantDomainName)) {
 tenantId = tenantDomainName.getString("tenantId");
 }
-
+
 if(UtilValidate.isEmpty(tenantId)) {
 tenantId = (String) httpRequest.getAttribute("userTenantId");
 }
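Review bot: The guard `body.contains("</serializable>")` is a substring denylist, and XML permits whitespace inside a closing tag (`</serializable >`), so a payload the downstream XML-RPC parser still accepts can slip past it; the durable fix is to refuse Java-serialized values in the deserializer itself rather than pattern-match the raw body in the filter, and at minimum the match should tolerate whitespace and case, e.g. `if (Pattern.compile("</\\s*serializable\\s*>", Pattern.CASE_INSENSITIVE).matcher(body).find()) {` (hoisted to a `static final` field in practice). The bare `return;` on rejection also appears to drop the request without setting any status, so the caller sees a silent success; sending `response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Content not authorised for security reason");` before returning would make the block visible, assuming `response` is the doFilter parameter, which lies outside the hunk. Reading the whole body through `request.getReader().lines()` consumes the stream for the rest of the filter chain unless the request is wrapped somewhere not shown, and it buffers an unbounded body in memory, so both the re-readability and a size cap are worth confirming. The enclosing method starts and ends outside this hunk.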
@@ -181,14 +181,14 @@ public class ContextFilter implements Filter {
 request.setAttribute("delegator", delegator);
 request.setAttribute("dispatcher", dispatcher);
 request.setAttribute("security", security);
-
+
 request.setAttribute("userTenantId", tenantId);
 }
- // NOTE DEJ20101130: do NOT always put the delegator name in the user's session because the user may
- // have logged in and specified a tenant, and even if no Tenant record with a matching domainName field
- // is found this will change the user's delegator back to the base one instead of the one for the
- // tenant specified on login
+ // NOTE DEJ20101130: do NOT always put the delegator name in the user's session because the user may
+ // have logged in and specified a tenant, and even if no Tenant record with a matching domainName field
+ // is found this will change the user's delegator back to the base one instead of the one for the
+ // tenant specified on login
 // httpRequest.getSession().setAttribute("delegatorName", delegator.getDelegatorName());
 } catch (GenericEntityException e) {
 Debug.logWarning(e, "Unable to get Tenant", module);