This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release18.12 by this push:
     new 3797e60375 Improved: Prevent Freemarker interpolation in fields (OFBIZ-12594)
3797e60375 is described below

commit 3797e6037569bb402f8ef84c41e6978bc54bafb5
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Mon Apr 4 08:04:39 2022 +0200

    Improved: Prevent Freemarker interpolation in fields (OFBIZ-12594)
    
    OFBIZ_12587 is a definitive solution to prevent any kind of Freemarker exploits.
    But it's hard to realise because OFBiz exposes objects, like attributes from the
    Servlet scopes. So in the meantime preventing Freemarker interpolation in fields
    is a pragmatic solution.
    
    This is an improvement but needs to be backported because it kinda affects
    security.
    
    Conflicts handled by hand:
      SeoContextFilter.java
      ControlFilter.java
    
    When I worked with Mathieu I did not measure how hard it would sometimes be to
    backport later :/
    
    Also, due to checkstyle, the module to MODULE change is always a pain in the ass :/
---
 .../security/src/main/java/org/apache/ofbiz/security/SecurityUtil.java  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git 
a/framework/security/src/main/java/org/apache/ofbiz/security/SecurityUtil.java 
b/framework/security/src/main/java/org/apache/ofbiz/security/SecurityUtil.java
index 046b67beba..7d16326877 100644
--- 
a/framework/security/src/main/java/org/apache/ofbiz/security/SecurityUtil.java
+++ 
b/framework/security/src/main/java/org/apache/ofbiz/security/SecurityUtil.java
@@ -231,7 +231,7 @@ public final class SecurityUtil {
                 || stringToCheck.contains("%5B%23") || 
stringToCheck.contains("[#")) { // not used OOTB in OFBiz, but possible
 
             Debug.logError("===== Not saved for security reason, strings '${', 
'<#', '#{', '[=' or '[#' not accepted in fields! =====",
-                    MODULE);
+                    module);
             resp.sendError(HttpServletResponse.SC_FORBIDDEN,
                     "Not saved for security reason, strings '${', '<#', '#{', 
'[=' or '[#' not accepted in fields!");
             return true;
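Review bot: The only change in this hunk is the logger identifier passed to Debug.logError (MODULE to module), so the check itself is untouched; confirm that `module` is the name actually declared in SecurityUtil on release18.12, since the commit message says this rename was resolved by hand during the backport and a mismatch would break compilation. On the surrounding code: the condition enumerates both the raw and the URL-encoded form of each marker (`stringToCheck.contains("%5B%23") || stringToCheck.contains("[#")`), and the same marker list ('${', '<#', '#{', '[=' or '[#') is then spelled out twice more as literal text, once in the Debug.logError message and once in the resp.sendError message. Consider normalising (URL-decoding) stringToCheck once before the substring tests and keeping the markers in a single collection from which both messages are built, so that adding a marker later cannot leave the check and its messages out of sync.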
