This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release18.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release18.12 by this push:
new 474e806816 Improved: Prevent special encoded characters sequences in URLs (OFBIZ-13092)
474e806816 is described below
commit 474e806816e4a1d0c16667972e5044ce2ded9d13
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Tue May 21 05:08:34 2024 +0200
Improved: Prevent special encoded characters sequences in URLs (OFBIZ-13092)
Removes now redundant calls to URI::normalize in ControlFilter and LoginWorker classes
Also removes few trailing blanks when needed (automatically done by Eclipse)
---
.../apache/ofbiz/webapp/control/ControlFilter.java | 7 ----
.../apache/ofbiz/webapp/control/LoginWorker.java | 39 +++++++++-------------
2 files changed, 15 insertions(+), 31 deletions(-)
diff --git a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
index 7c110155dd..541cf7e91a 100644
--- a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
+++ b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
@@ -147,13 +147,6 @@ public class ControlFilter implements Filter {
 throw new RuntimeException(e);
 }
- // normalize to remove ".." special name usage to bypass webapp filter
- try {
- requestUri = new URI(requestUri).normalize().toString();
- } catch (URISyntaxException e) {
- throw new RuntimeException(e);
- }
-
 int offset = requestUri.indexOf("/", 1);
 if (offset == -1) {
 offset = requestUri.length();
diff --git a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java
index 23209ff375..c9cf786eeb 100644
--- a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java
+++ b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java
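Review bot: With the `try { requestUri = new URI(requestUri).normalize().toString(); ... }` block gone, the segment that `requestUri.indexOf("/", 1)` cuts out is taken from an un-normalized path, so a literal `/../` — or an encoded `..` that earlier decoding in this method, if any, turns back into a literal dot segment — now reaches the first-segment test un-collapsed; the commit relies on the OFBIZ-13092 check to reject such sequences, but that check is not in this diff and nothing at the removal site records the dependency. I would leave a pointer where the block was, `// Dot segments ("..", "%2e%2e", double-encoded forms) are rejected before this filter runs (OFBIZ-13092); requestUri is deliberately not normalized here.`, and only after confirming that the check is applied on every webapp that maps ControlFilter and ahead of it in the filter chain. `URI.normalize()` also threw `URISyntaxException` on a malformed path, which the catch turned into a request failure, so a syntactically invalid request URI is no longer rejected at this point either. doFilter continues outside the hunk.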
@@ -21,8 +21,6 @@ package org.apache.ofbiz.webapp.control;
 import static org.apache.ofbiz.base.util.UtilGenerics.checkMap;
 import java.math.BigInteger;
-import java.net.URI;
-import java.net.URISyntaxException;
 import java.security.cert.X509Certificate;
 import java.sql.Timestamp;
 import java.util.ArrayList;
@@ -392,12 +390,12 @@ public class LoginWorker {
 */
 public static String login(HttpServletRequest request, HttpServletResponse response) {
 HttpSession session = request.getSession();
-
- // Prevent session fixation by making Tomcat generate a new jsessionId (ultimately put in cookie).
- if (!session.isNew()) { // Only do when really signing in.
+
+ // Prevent session fixation by making Tomcat generate a new jsessionId (ultimately put in cookie).
+ if (!session.isNew()) { // Only do when really signing in.
 request.changeSessionId();
 }
-
+
 Delegator delegator = (Delegator) request.getAttribute("delegator");
 String username = request.getParameter("USERNAME");
 String password = request.getParameter("PASSWORD");
@@ -411,7 +409,7 @@ public class LoginWorker {
 } catch (EntityCryptoException e1) {
 Debug.logError(e1.getMessage(), module);
 }
-
+
 if(entityDeCrypto != null && "true".equals(forgotPwdFlag)) {
 try {
 Object decryptedPwd = entityDeCrypto.decrypt(keyValue, ModelField.EncryptMethod.TRUE, password);
@@ -819,7 +817,7 @@ public class LoginWorker {
 autoLoginSet(request, response);
 return autoLoginCheck(request, response);
-
+
 }
 public static void doBasicLogin(GenericValue userLogin, HttpServletRequest request) {
@@ -874,7 +872,7 @@ public class LoginWorker {
 GenericValue userLogin = (GenericValue) request.getSession().getAttribute("userLogin");
 doBasicLogout(userLogin, request, response);
-
+
 if (request.getAttribute("_AUTO_LOGIN_LOGOUT_") == null) {
 return autoLoginCheck(request, response);
 }
@@ -950,8 +948,8 @@ public class LoginWorker {
 ServletContext context = request.getServletContext();
 String applicationName = UtilHttp.getApplicationName(request);
 WebappInfo webappInfo = ComponentConfig.getWebappInfo((String) context.getAttribute("_serverId"), applicationName);
-
- if (userLogin != null &&
+
+ if (userLogin != null &&
 ((webappInfo != null && webappInfo.isAutologinCookieUsed()) || webappInfo == null)) { // When using an empty mountpoint, ie using root as mountpoint. Beware: works only for 1 webapp!
 Cookie autoLoginCookie = new Cookie(getAutoLoginCookieName(request), userLogin.getString("userLoginId"));
@@ -974,7 +972,7 @@ public class LoginWorker {
 HttpSession session = request.getSession();
 GenericValue userLogin = (GenericValue) session.getAttribute("userLogin");
 String applicationName = UtilHttp.getApplicationName(request);
-
+
 if (userLogin != null) {
 Cookie securedLoginIdCookie = new Cookie(getSecuredLoginIdCookieName(request), userLogin.getString("userLoginId"));
 securedLoginIdCookie.setMaxAge(-1);
@@ -993,7 +991,7 @@ public class LoginWorker {
 protected static String getSecuredLoginIdCookieName(HttpServletRequest request) {
 return UtilHttp.getApplicationName(request) + ".securedLoginId";
 }
-
+
 public static String getAutoUserLoginId(HttpServletRequest request) {
 String autoUserLoginId = null;
 Cookie[] cookies = request.getCookies();
@@ -1010,7 +1008,7 @@ public class LoginWorker {
 }
 return autoUserLoginId;
 }
-
+
 public static String getSecuredUserLoginId(HttpServletRequest request) {
 String securedUserLoginId = null;
 Cookie[] cookies = request.getCookies();
@@ -1033,7 +1031,7 @@ public class LoginWorker {
 public static String autoLoginCheck(HttpServletRequest request, HttpServletResponse response) {
 Delegator delegator = (Delegator) request.getAttribute("delegator");
 HttpSession session = request.getSession();
-
+
 GenericValue autoUserLogin = (GenericValue) session.getAttribute("autoUserLogin");
 if (autoUserLogin != null){
 return "success";
@@ -1096,7 +1094,7 @@ public class LoginWorker {
 }
 return "success";
 }
-
+
 public static boolean isUserLoggedIn(HttpServletRequest request) {
 HttpSession session = request.getSession();
 GenericValue currentUserLogin = (GenericValue) session.getAttribute("userLogin");
@@ -1202,7 +1200,7 @@ public class LoginWorker {
 return "success";
 }
-
+
 // preprocessor method to login a user w/ client certificate see security.properties to configure the pattern of CN
 public static String check509CertLogin(HttpServletRequest request, HttpServletResponse response) {
 Delegator delegator = (Delegator) request.getAttribute("delegator");
@@ -1366,13 +1364,6 @@ public class LoginWorker {
 if (UtilValidate.isEmpty(contextPath)) {
 contextPath = "/";
 }
-
- try {
- contextPath = new URI(contextPath).normalize().toString();
- } catch (URISyntaxException e) {
- throw new RuntimeException(e);
- }
-
 ComponentConfig.WebappInfo info = ComponentConfig.getWebAppInfo(serverId, contextPath);
 if (info != null) {
 return hasApplicationPermission(info, security, userLogin);
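Review bot: `contextPath` is now handed to `ComponentConfig.getWebAppInfo(serverId, contextPath)` without the `URI.normalize()` pass, so a value containing `.` or `..` segments is looked up as-is; the method's start is outside the hunk, so I cannot tell whether contextPath comes from the request or from configuration. That is safe only if getWebAppInfo matches mount points exactly (a non-canonical path then fails closed to `info == null`) or the OFBIZ-13092 check has already rejected such paths on this code path, and neither is stated at the removal site. I would record the assumption where the block was: `// contextPath is used un-normalized: dot segments are rejected upstream (OFBIZ-13092) and getWebAppInfo matches mount points exactly.` The `URISyntaxException` path is gone too, so a malformed contextPath no longer raises here; if that is intended, a word in the commit message would help. The method continues outside the hunk.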