
jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

commit ff72e555154eadc0227e45be3fc2ac5e40cb7736
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Sun Sep 8 17:01:48 2024 +0200

    Fixed: Logout may create a "HTTP Status 500 - Internal Server Error" 
(OFBIZ-13136)
    
    Using <tracking-mode>COOKIE</tracking-mode> did not work.
    As a workaround, the CVE-2024-32113 URL check is skipped for the logout
    request that carries a jsessionid path parameter, by guarding it with
      if
(!requestUri.matches("/control/logout;jsessionid=[A-Z0-9]{32}\\.jvm1")) {
---
 .../apache/ofbiz/webapp/control/ControlFilter.java | 22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)

diff --git 
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
 
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
index 541cf7e91a..dc02f763f1 100644
--- 
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
+++ 
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
@@ -134,17 +134,19 @@ public class ControlFilter implements Filter {
             String requestUri = 
httpRequest.getRequestURI().substring(httpRequest.getContextPath().length());
 
             // Reject wrong URLs
-            try {
-                String url = new URI(((HttpServletRequest) 
request).getRequestURL().toString())
-                        .normalize().toString()
-                        .replaceAll(";", "")
-                        .replaceAll("(?i)%2e", "");
-                if (!((HttpServletRequest) 
request).getRequestURL().toString().equals(url)) {
-                    Debug.logError("For security reason this URL is not 
accepted", module);
-                    throw new RuntimeException("For security reason this URL 
is not accepted");
+            if 
(!requestUri.matches("/control/logout;jsessionid=[A-Z0-9]{32}\\.jvm1")) {
+                try {
+                    String url = new URI(((HttpServletRequest) 
request).getRequestURL().toString())
+                            .normalize().toString()
+                            .replaceAll(";", "")
+                            .replaceAll("(?i)%2e", "");
+                    if (!((HttpServletRequest) 
request).getRequestURL().toString().equals(url)) {
+                        Debug.logError("For security reason this URL is not 
accepted", module);
+                        throw new RuntimeException("For security reason this 
URL is not accepted");
+                    }
+                } catch (URISyntaxException e) {
+                    throw new RuntimeException(e);
                 }
-            } catch (URISyntaxException e) {
-                throw new RuntimeException(e);
             }
 
             int offset = requestUri.indexOf("/", 1);
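Review bot: The new exemption on the `if (!requestUri.matches(...))` line does not reopen the traversal that the `;`/`%2e` check guards, since `String.matches` requires a full match and `[A-Z0-9]{32}` admits no `.`, `/` or `%`, but it is tied to one deployment shape: a `jvm1` jvmRoute suffix and a 32-character session id. On an instance with a different or absent jvmRoute the logout URL still falls through to the rejection and the 500 this commit targets, so the suffix should presumably be made configurable or matched as `(\\.[A-Za-z0-9]+)?` rather than the literal `\\.jvm1`. `String.matches` also recompiles the regex on every request; hoist it to `private static final Pattern LOGOUT_WITH_JSESSIONID = Pattern.compile("/control/logout;jsessionid=[A-Z0-9]{32}\\.jvm1");` and test `LOGOUT_WITH_JSESSIONID.matcher(requestUri).matches()`. The branch also deserves a comment naming why it exists, e.g. `// Logout via URL rewriting carries ';jsessionid=...', which the CVE-2024-32113 check below would reject; the full-match pattern admits no traversal characters, so skipping the check here is safe.` The enclosing method starts before the hunk and continues after it.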
