This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/trunk by this push: new 3de52be907 Fixed: XML Import fails due to security check (OFBIZ-12602) 3de52be907 is described below commit 3de52be907efa7824aef21416f360ec6d1dc5f58 Author: Jacques Le Roux <jacques.le.r...@les7arts.com> AuthorDate: Wed Apr 20 13:56:25 2022 +0200 Fixed: XML Import fails due to security check (OFBIZ-12602) When importing an entity with "${" in for at least an element it's rejected because of the security check done to protect from Freemarker unauth attacks (see OFBIZ-12594). As suggested by Ingo, allowing users with appropriate permissions seems an usable solution. We still need to define the "appropriate permissions". We can start with OFBTOOLS and WEBTOOLS, as it's reported by Ingo, and add others later if they ever come. Thanks: Ingo Wolfmayr for report and suggestion
---
 .../java/org/apache/ofbiz/webapp/control/ControlFilter.java | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
index b0e57181a2..0a892de606 100644
--- a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
+++ b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
@@ -149,11 +149,14 @@ public class ControlFilter extends HttpFilter {
 String uriWithContext = req.getRequestURI();
 String uri = uriWithContext.substring(context.length());
+ GenericValue userLogin = (GenericValue) session.getAttribute("userLogin");
- if (!GenericValue.getStackTraceAsString().contains("ControlFilterTests")
- && null == System.getProperty("SolrDispatchFilter") // Allows Solr tests
- && SecurityUtil.containsFreemarkerInterpolation(req, resp, uri)) {
- return;
+ if (!LoginWorker.hasBasePermission(userLogin, req)) { // Allows UEL and FlexibleString (OFBIZ-12602)
+ if (!GenericValue.getStackTraceAsString().contains("ControlFilterTests")
+ && null == System.getProperty("SolrDispatchFilter") // Allows Solr tests
+ && SecurityUtil.containsFreemarkerInterpolation(req, resp, uri)) {
+ return;
+ }
 }
 // Check if the requested URI is allowed.