(ofbiz-framework) 02/02: Improved: Prevent URL parameters manipulation (OFBIZ-13147)

Wed, 23 Oct 2024 04:46:27 -0700 

This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release24.09
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

commit 68156f75a35d9ec30714699be32e0ad407aff278
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Wed Oct 23 13:01:18 2024 +0200

    Improved: Prevent URL parameters manipulation (OFBIZ-13147)
    
    I found that java.util.Base64 is not easy to use. Hopefully putting base64 
in
    deniedWebShellTokens should be enough
---
 .../main/java/org/apache/ofbiz/webapp/control/ControlFilter.java   | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git 
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
 
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
index 97fc721cc1..73b3546810 100644
--- 
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
+++ 
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
@@ -23,7 +23,6 @@ import java.net.URI;
 import java.net.URISyntaxException;
 import java.net.URLDecoder;
 import java.util.Arrays;
-import java.util.Base64;
 import java.util.Collections;
 import java.util.Set;
 import java.util.stream.Collectors;
@@ -171,11 +170,7 @@ public class ControlFilter extends HttpFilter {
             String queryString = req.getQueryString();
             if (queryString != null) {
                 queryString = URLDecoder.decode(queryString, "UTF-8");
-                if (UtilValidate.isUrl(queryString)
-                        || !SecuredUpload.isValidText(queryString, 
Collections.emptyList())
-                        || 
!SecuredUpload.isValidText(Base64.getDecoder().decode(queryString).toString(), 
Collections.emptyList())
-                        || 
!SecuredUpload.isValidText(Base64.getMimeDecoder().decode(queryString).toString(),
 Collections.emptyList())
-                        || 
!SecuredUpload.isValidText(Base64.getUrlDecoder().decode(queryString).toString(),
 Collections.emptyList())) { // ...
+                if (UtilValidate.isUrl(queryString) || 
!SecuredUpload.isValidText(queryString, Collections.emptyList())) {
                     Debug.logError("For security reason this URL is not 
accepted", MODULE);
                     throw new RuntimeException("For security reason this URL 
is not accepted");
                 }

Reply via email to