This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release18.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release18.12 by this push: new d053f0d1e4 Improved: Add permission check for ProgramExport and EntitySQLProcessor (OFBIZ-13128) d053f0d1e4 is described below commit d053f0d1e4da245c7f8e4c52cf486e3349fcc9bb Author: Jacques Le Roux <jacques.le.r...@les7arts.com> AuthorDate: Sat Aug 10 11:03:23 2024 +0200 Improved: Add permission check for ProgramExport and EntitySQLProcessor (OFBIZ-13128) Removes the call to SecuredUpload::isValidText now useless. It was anyway incomplete because I forgot that Unicode decoding (UTF-8) is only done in SecuredUpload::isValidTextFile Conflicts handled by hand --- framework/webtools/groovyScripts/entity/ProgramExport.groovy | 6 ------ 1 file changed, 6 deletions(-) diff --git a/framework/webtools/groovyScripts/entity/ProgramExport.groovy b/framework/webtools/groovyScripts/entity/ProgramExport.groovy index 9ac97d64c5..67b3841e88 100644 --- a/framework/webtools/groovyScripts/entity/ProgramExport.groovy +++ b/framework/webtools/groovyScripts/entity/ProgramExport.groovy @@ -77,12 +77,6 @@ def shell = new GroovyShell(loader, binding, configuration) if (UtilValidate.isNotEmpty(groovyProgram)) { try { - // Check if a webshell is not uploaded but allow "import" - if (!SecuredUpload.isValidText(groovyProgram, ["import"])) { - logError("================== Not executed for security reason ==================") - request.setAttribute("_ERROR_MESSAGE_", "Not executed for security reason") - return - } shell.parse(groovyProgram) shell.evaluate(groovyProgram) recordValues = shell.getVariable("recordValues")
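Review bot: In the ProgramExport.groovy hunk at -77,12 +77,6, removing the SecuredUpload.isValidText guard leaves UtilValidate.isNotEmpty(groovyProgram) as the only condition visible before shell.parse(groovyProgram) and shell.evaluate(groovyProgram), and the permission check named in the commit title is not part of this diff (1 file changed, 6 deletions). Since the message notes "Conflicts handled by hand", please confirm that the permission check for ProgramExport is already present on release18.12, outside the lines shown here, before this filter goes away. Otherwise, backport it in the same commit so the branch never has a state where the submitted program is evaluated with neither control in place. If SecuredUpload is no longer referenced anywhere else in this script after the removal, its import can be dropped as well. It would also help to keep a logError on the denied path of the permission check so that rejected attempts still leave the kind of trace the removed "Not executed for security reason" message provided.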