This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release24.09
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release24.09 by this push:
     new 664a8fefb7 Fixed: Prevent URL parameters manipulation (OFBIZ-13147)
664a8fefb7 is described below

commit 664a8fefb7ace18c5e6e2defca049e6503a0694e
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Thu Oct 10 08:56:52 2024 +0200

    Fixed: Prevent URL parameters manipulation (OFBIZ-13147)
    
    Solution: Reject requests whose query string is a URL
---
 .../org/apache/ofbiz/webapp/control/ControlFilter.java    | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git 
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
 
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
index 30dc49ef7e..9aa1734515 100644
--- 
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
+++ 
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
@@ -21,6 +21,7 @@ package org.apache.ofbiz.webapp.control;
 import java.io.IOException;
 import java.net.URI;
 import java.net.URISyntaxException;
+import java.net.URLDecoder;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.Set;
@@ -38,9 +39,13 @@ import org.apache.commons.lang.BooleanUtils;
 import org.apache.commons.validator.routines.UrlValidator;
 import org.apache.logging.log4j.ThreadContext;
 import org.apache.ofbiz.base.util.Debug;
+import org.apache.ofbiz.base.util.UtilValidate;
 import org.apache.ofbiz.entity.GenericValue;
 import org.apache.ofbiz.security.SecurityUtil;
 
+
+
+
 /**
  * A Filter used to specify an allowlist of allowed paths to the OFBiz 
application.
  * Requests that do not match any of the paths listed in allowedPaths are 
redirected to redirectPath, or an error code
@@ -159,7 +164,17 @@ public class ControlFilter extends HttpFilter {
                     return;
                 }
             }
+
             // Reject wrong URLs
+            String queryString = req.getQueryString();
+            if (queryString != null) {
+                queryString = URLDecoder.decode(queryString, "UTF-8");
+                if (UtilValidate.isUrl(queryString)) {
+                    Debug.logError("For security reason this URL is not 
accepted", MODULE);
+                    throw new RuntimeException("For security reason this URL 
is not accepted");
+                }
+            }
+
             String initialURI = req.getRequestURI();
             if (initialURI != null) { // Allow tests with Mockito. 
ControlFilterTests send null
                 try {
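Review bot: `URLDecoder.decode(queryString, "UTF-8")` on the added line after `if (queryString != null)` throws IllegalArgumentException on malformed percent-encoding, and nothing in the hunk catches it, so such a request leaves doFilter as an unhandled server error instead of being rejected cleanly; the rejection branch itself signals via `throw new RuntimeException(...)`, which likewise surfaces as a 500 rather than a client-error status. I would decode with the Charset overload (`URLDecoder.decode(queryString, StandardCharsets.UTF_8)`, which also drops the checked UnsupportedEncodingException; needs a `java.nio.charset.StandardCharsets` import), treat a decode failure the same way as a detected URL, and answer with `sendError(HttpServletResponse.SC_BAD_REQUEST)` on the response argument the filter already receives, returning as the earlier `return;` context line does instead of throwing. Separately, `UtilValidate.isUrl` is applied to the whole decoded query string; confirm that matches the commit's intent for a query string carrying several parameters, since that depends on isUrl's implementation, which is not visible here. The enclosing doFilter method starts before and continues after this hunk, so the response parameter's name is not visible and is marked as a placeholder below.
```java
            // Reject wrong URLs
            String queryString = req.getQueryString();
            if (queryString != null) {
                String decoded;
                try {
                    decoded = URLDecoder.decode(queryString, StandardCharsets.UTF_8);
                } catch (IllegalArgumentException e) {
                    decoded = null; // malformed percent-encoding: reject below instead of surfacing a 500
                }
                if (decoded == null || UtilValidate.isUrl(decoded)) {
                    Debug.logError("For security reason this URL is not accepted", MODULE);
                    // RESPONSE_PARAM: the HttpServletResponse argument of doFilter (declared outside this hunk)
                    RESPONSE_PARAM.sendError(HttpServletResponse.SC_BAD_REQUEST);
                    return;
                }
            }
            // … unchanged: initialURI handling …
```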
