This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
commit bc856f46f87435e986f98c75460a57c182e7e5d4
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Mon May 20 10:36:13 2024 +0200
Improved: Prevent special encoded characters sequences in URLs (OFBIZ-13092)
Removes no longer needed check in LoginWorker class. It's now handled before by ControlFilter class.
Fixes imported indentation from 18.12 in ControlFilter.java
---
.../org/apache/ofbiz/webapp/control/ControlFilter.java | 14 +++++++-------
.../java/org/apache/ofbiz/webapp/control/LoginWorker.java | 9 ---------
2 files changed, 7 insertions(+), 16 deletions(-)
diff --git a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
index 8ef02fad5c..30dc49ef7e 100644
--- a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
+++ b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
@@ -163,13 +163,13 @@ public class ControlFilter extends HttpFilter {
 String initialURI = req.getRequestURI();
 if (initialURI != null) { // Allow tests with Mockito. ControlFilterTests send null
 try {
- String uRIFiltered = new URI(initialURI)
- .normalize().toString()
- .replaceAll(";", "")
- .replaceAll("(?i)%2e", "");
- if (!initialURI.equals(uRIFiltered)) {
- Debug.logError("For security reason this URL is not accepted", MODULE);
- throw new RuntimeException("For security reason this URL is not accepted");
+ String uRIFiltered = new URI(initialURI)
+ .normalize().toString()
+ .replaceAll(";", "")
+ .replaceAll("(?i)%2e", "");
+ if (!initialURI.equals(uRIFiltered)) {
+ Debug.logError("For security reason this URL is not accepted", MODULE);
+ throw new RuntimeException("For security reason this URL is not accepted");
 }
 } catch (URISyntaxException e) {
 throw new RuntimeException(e);
diff --git a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java
index 7cee010415..cd10879cf6 100644
--- a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java
+++ b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java
@@ -21,8 +21,6 @@ package org.apache.ofbiz.webapp.control;
 import static org.apache.ofbiz.base.util.UtilGenerics.checkMap;
 import java.math.BigInteger;
-import java.net.URI;
-import java.net.URISyntaxException;
 import java.security.cert.X509Certificate;
 import java.sql.Timestamp;
 import java.util.ArrayList;
@@ -1374,13 +1372,6 @@ public final class LoginWorker {
 if (UtilValidate.isEmpty(contextPath)) {
 contextPath = "/";
 }
-
- try {
- contextPath = new URI(contextPath).normalize().toString();
- } catch (URISyntaxException e) {
- throw new RuntimeException(e);
- }
-
 ComponentConfig.WebappInfo info = ComponentConfig.getWebAppInfo(serverId, contextPath);
 if (info != null) {
 return hasApplicationPermission(info, security, userLogin);
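Review bot: With the `normalize()` removed, the `ComponentConfig.getWebAppInfo(serverId, contextPath)` lookup now relies on ControlFilter having already rejected the request, but nothing in the hunk records that dependency, and the enclosing method (its signature lies outside the hunk) receives `contextPath` as a plain argument rather than reading the request itself. ControlFilter is a servlet filter that validates `req.getRequestURI()`, so a webapp that does not map the filter, or a caller that reaches this method outside the filter chain, would now hand an un-normalized path straight to the lookup — whether such callers exist is not visible from this diff. I would make the assumption explicit with a comment above the lookup: `// contextPath is used as-is: ControlFilter (OFBIZ-13092) already rejects request URIs that change under URI.normalize() or contain ';' or '%2e'; callers outside the filter chain must supply a canonical path.` Note also that the removed try/catch turned a syntactically invalid contextPath into a RuntimeException, whereas it now reaches getWebAppInfo unchecked; if that lookup does not tolerate such input, a small fail-closed guard (for example rejecting a path containing `..`) would preserve the old failure mode.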