This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release18.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release18.12 by this push: new b3b87d98dd Fixed: Reject wrong URLs (OFBIZ-13006) b3b87d98dd is described below commit b3b87d98ddb1997965f23e2c8356243dbf81dec3 Author: Jacques Le Roux <jacques.le.r...@les7arts.com> AuthorDate: Thu Apr 11 14:49:34 2024 +0200 Fixed: Reject wrong URLs (OFBIZ-13006) Some URLs need to be rejected before they create problems
---
 .../java/org/apache/ofbiz/webapp/control/ControlFilter.java | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
index f9e0bcea69..c77bd57817 100644
--- a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
+++ b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
@@ -134,6 +134,16 @@ public class ControlFilter implements Filter {
 // get the request URI without the webapp mount point
 String requestUri = httpRequest.getRequestURI().substring(httpRequest.getContextPath().length());
+ // Reject wrong URLs
+ try {
+ String url = new URI(req.getRequestURL().toString()).normalize().toString();
+ if (!req.getRequestURL().toString().equals(url)) {
+ throw new RuntimeException();
+ }
+ } catch (URISyntaxException e) {
+ throw new RuntimeException(e);
+ }
+
 // normalize to remove ".." special name usage to bypass webapp filter
 try {
 requestUri = new URI(requestUri).normalize().toString();