This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release24.09 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release24.09 by this push: new 664a8fefb7 Fixed: Prevent URL parameters manipulation (OFBIZ-13147) 664a8fefb7 is described below commit 664a8fefb7ace18c5e6e2defca049e6503a0694e Author: Jacques Le Roux <jacques.le.r...@les7arts.com> AuthorDate: Thu Oct 10 08:56:52 2024 +0200 Fixed: Prevent URL parameters manipulation (OFBIZ-13147) Solution: Reject URLs with an URL in query string --- .../org/apache/ofbiz/webapp/control/ControlFilter.java | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java index 30dc49ef7e..9aa1734515 100644 --- a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java +++ b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java @@ -21,6 +21,7 @@ package org.apache.ofbiz.webapp.control; import java.io.IOException; import java.net.URI; import java.net.URISyntaxException; +import java.net.URLDecoder; import java.util.Arrays; import java.util.Collections; import java.util.Set; @@ -38,9 +39,13 @@ import org.apache.commons.lang.BooleanUtils; import org.apache.commons.validator.routines.UrlValidator; import org.apache.logging.log4j.ThreadContext; import org.apache.ofbiz.base.util.Debug; +import org.apache.ofbiz.base.util.UtilValidate; import org.apache.ofbiz.entity.GenericValue; import org.apache.ofbiz.security.SecurityUtil; + + + /** * A Filter used to specify an allowlist of allowed paths to the OFBiz application. * Requests that do not match any of the paths listed in allowedPaths are redirected to redirectPath, or an error code 
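Review bot: The `java.net.URLDecoder` import added in the first hunk is used further down with the String-charset overload, which declares the checked `UnsupportedEncodingException` and can never actually throw it for "UTF-8". If the build targets Java 10 or newer (which I cannot confirm from this page), the `URLDecoder.decode(String, Charset)` overload avoids that dead checked exception: `URLDecoder.decode(queryString, StandardCharsets.UTF_8)`, with `java.nio.charset.StandardCharsets` added to this import block.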
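Review bot: The second hunk adds three consecutive blank lines between `import org.apache.ofbiz.security.SecurityUtil;` and the class Javadoc (the three bare `+` lines), which looks like editing residue rather than intent. One blank line is the separator used elsewhere in this import block, and the extra two are the kind of thing Checkstyle tends to flag, so I would drop them and keep only the `UtilValidate` import from this hunk.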
@@ -159,7 +164,17 @@ public class ControlFilter extends HttpFilter {
 return;
 }
 }
+ // Reject wrong URLs
+ String queryString = req.getQueryString();
+ if (queryString != null) {
+ queryString = URLDecoder.decode(queryString, "UTF-8");
+ if (UtilValidate.isUrl(queryString)) {
+ Debug.logError("For security reason this URL is not accepted", MODULE);
+ throw new RuntimeException("For security reason this URL is not accepted");
+ }
+ }
+
 String initialURI = req.getRequestURI();
 if (initialURI != null) { // Allow tests with Mockito. ControlFilterTests send null
 try {
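Review bot: The new check only fires when the whole decoded query string is a URL, which does not match the stated goal of rejecting a URL in the query string: if `UtilValidate.isUrl` validates the full string, as its name suggests, `?a=1&next=http://evil.example` passes untouched while only `?http://evil.example` is caught, so the rewrite below checks each decoded parameter value instead (a pair without `=` yields itself as the value, so the original case is still covered). `URLDecoder.decode` also throws `IllegalArgumentException` on a malformed escape such as `%zz` or a trailing `%`, which would leave the filter with an unhandled exception instead of a deliberate rejection, so that case is treated as rejected input. Assuming the response object is in scope in `doFilter`, answering with an explicit 4xx via `sendError` would be preferable to a bare `RuntimeException`, which typically surfaces as a 500 with a stack trace. The enclosing method continues past the end of the hunk.

```java
        // Reject wrong URLs
        String queryString = req.getQueryString();
        if (queryString != null) {
            // Check each value, not only the whole query string, so "a=1&next=http://evil" is
            // caught too; a pair without '=' (e.g. "?http://evil") yields the whole pair as value.
            for (String pair : queryString.split("&")) {
                String value = pair.substring(pair.indexOf('=') + 1);
                boolean rejected;
                try {
                    rejected = UtilValidate.isUrl(URLDecoder.decode(value, "UTF-8"));
                } catch (IllegalArgumentException e) {
                    rejected = true; // malformed %-escape: reject rather than let decode() escape as a 500
                }
                if (rejected) {
                    Debug.logError("For security reason this URL is not accepted", MODULE);
                    throw new RuntimeException("For security reason this URL is not accepted");
                }
            }
        }
        // … unchanged: initialURI handling …
```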