This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/trunk by this push:
     new 75446f712f Improved: Add permission check for ProgramExport and 
EntitySQLProcessor (OFBIZ-13128)
75446f712f is described below

commit 75446f712f1f962cdabdfd63a1851c5e1a6bc8af
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Sat Aug 10 11:03:23 2024 +0200

    Improved: Add permission check for ProgramExport and EntitySQLProcessor 
(OFBIZ-13128)
    
    Removes the now-useless call to SecuredUpload::isValidText. It was incomplete
    anyway, because I had forgotten that Unicode (UTF-8) decoding is only done in
    SecuredUpload::isValidTextFile
---
 .../groovy/org/apache/ofbiz/webtools/entity/ProgramExport.groovy   | 7 -------
 1 file changed, 7 deletions(-)

diff --git 
a/framework/webtools/src/main/groovy/org/apache/ofbiz/webtools/entity/ProgramExport.groovy
 
b/framework/webtools/src/main/groovy/org/apache/ofbiz/webtools/entity/ProgramExport.groovy
index 388117005c..46d24f0620 100644
--- 
a/framework/webtools/src/main/groovy/org/apache/ofbiz/webtools/entity/ProgramExport.groovy
+++ 
b/framework/webtools/src/main/groovy/org/apache/ofbiz/webtools/entity/ProgramExport.groovy
@@ -19,7 +19,6 @@
 package org.apache.ofbiz.webtools.entity
 
 import org.apache.ofbiz.entity.GenericValue
-import org.apache.ofbiz.security.SecuredUpload
 import org.codehaus.groovy.control.CompilerConfiguration
 import org.codehaus.groovy.control.MultipleCompilationErrorsException
 import org.codehaus.groovy.control.customizers.ImportCustomizer
@@ -83,12 +82,6 @@ GroovyShell shell = new GroovyShell(loader, binding, 
configuration)
 /* codenarc-disable ReturnNullFromCatchBlock */
 if (groovyProgram) {
     try {
-        // Check if a webshell is not uploaded but allow "import"
-        if (!SecuredUpload.isValidText(groovyProgram, ['import'])) {
-            logError('================== Not executed for security reason 
==================')
-            request.setAttribute('_ERROR_MESSAGE_', 'Not executed for security 
reason')
-            return
-        }
         shell.parse(groovyProgram)
         shell.evaluate(groovyProgram)
         recordValues = shell.getVariable('recordValues')
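Review bot: After this deletion the request-supplied `groovyProgram` reaches `shell.parse(groovyProgram)` and `shell.evaluate(groovyProgram)` with no remaining guard inside this block, while the diffstat shows only seven deletions, so the permission check named in the commit title is not part of this commit. If that check lives in a sibling commit or in the request map for this screen, it would help to confirm it is in place and to leave a pointer here, e.g. `// Execution is gated by the ProgramExport permission check (OFBIZ-13128); no content filtering is done here.` The enclosing `if (groovyProgram)` / `try` block continues outside the hunk, so the error handling that follows is not visible here.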
