This is an automated email from the ASF dual-hosted git repository. pgil pushed a commit to branch release22.01 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release22.01 by this push: new 123216484f Fixed: Fix infinite DOS redirection under windows environment 123216484f is described below commit 123216484f6ba3251336776a0716f6fe0fee7ec3 Author: Gil Portenseigne <gil.portensei...@nereide.fr> AuthorDate: Mon Jan 8 10:19:41 2024 +0100 Fixed: Fix infinite DOS redirection under windows environment Precedent fix that prevent a user to bypass webapp filter rules using `..` notation used wrong class to normalize URI. Paths, under windows system, replace `/` by `\`, that are not allowed by filter rules, redirecting to `\main` endlessly.
---
 .../main/java/org/apache/ofbiz/webapp/control/ControlFilter.java | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
index df8960b9c9..28cfff2a00 100644
--- a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
+++ b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
@@ -19,7 +19,8 @@ package org.apache.ofbiz.webapp.control;
 import java.io.IOException;
-import java.nio.file.Paths;
+import java.net.URI;
+import java.net.URISyntaxException;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.Set;
@@ -161,7 +162,11 @@ public class ControlFilter extends HttpFilter {
 }
 // normalize to remove ".." special name usage to bypass webapp filter
- uri = Paths.get(uri).normalize().toString();
+ try {
+ uri = new URI(uri).normalize().toString();
+ } catch (URISyntaxException e) {
+ throw new RuntimeException(e);
+ }
 // Check if the requested URI is allowed.
 if (allowedPaths.stream().anyMatch(uri::startsWith)) {
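Review bot: In the second hunk, a request URI that `new URI(uri)` cannot parse (an illegal character, a stray `%`) now escapes the filter as an unchecked RuntimeException, which the container turns into a 500 error page, whereas every other suspicious URI in this block is handled by the allow-list decision below; malformed input should fail closed the same way rather than surface as a server error. Since this sits in ControlFilter (an HttpFilter) and the enclosing method starts outside the hunk, the minimum change is `throw new ServletException("Malformed request URI: " + uri, e);` if the method is doFilter, and the better one is to route the catch to the same rejection path used for a URI that fails the allowedPaths check. The normalize line also deserves a comment such as `// URI.normalize() collapses only literal "." and ".." segments; percent-encoded forms are left untouched, so uri must already be the decoded path here` — whether uri is the raw or decoded request URI is not visible in this hunk and should be confirmed against the assignment above. Note that `URI.normalize()` leaves a leading `/..` in place rather than removing it, which is fine here because such a value cannot start with an allowed prefix.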