This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release18.12 by this push:
     new 7c986a6325 Improved: Prevent URL parameters manipulation (OFBIZ-13147)
7c986a6325 is described below

commit 7c986a63258f1fff1268c65e13699f977c85c635
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Wed Oct 23 13:01:18 2024 +0200

    Improved: Prevent URL parameters manipulation (OFBIZ-13147)
    
    I found that java.util.Base64 is not easy to use. Hopefully putting base64 in
    deniedWebShellTokens should be enough
    
    Conflicts handled by hand
---
 .../main/java/org/apache/ofbiz/webapp/control/ControlFilter.java | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

diff --git 
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
 
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
index 93de6914af..26598de0c3 100644
--- 
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
+++ 
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
@@ -22,7 +22,6 @@ import java.io.IOException;
 import java.net.URI;
 import java.net.URISyntaxException;
 import java.net.URLDecoder;
-import java.util.Base64;
 import java.util.Collections;
 import java.util.HashSet;
 import java.util.Set;
@@ -143,12 +142,8 @@ public class ControlFilter implements Filter {
             String queryString = httpRequest.getQueryString();
             if (queryString != null) {
                 queryString = URLDecoder.decode(queryString, "UTF-8");
-                if (UtilValidate.isUrl(queryString)
-                        || !SecuredUpload.isValidText(queryString, 
Collections.emptyList())
-                        || 
!SecuredUpload.isValidText(Base64.getDecoder().decode(queryString).toString(), 
Collections.emptyList())
-                        || 
!SecuredUpload.isValidText(Base64.getMimeDecoder().decode(queryString).toString(),
 Collections.emptyList())
-                        || 
!SecuredUpload.isValidText(Base64.getUrlDecoder().decode(queryString).toString(),
 Collections.emptyList())) { // ...
-                    Debug.logError("For security reason this URL is not 
accepted", module);
+                if (UtilValidate.isUrl(queryString) || 
!SecuredUpload.isValidText(queryString, Collections.emptyList())) {
+                    Debug.logError("For security reason this URL is not 
accepted", MODULE);
                     throw new RuntimeException("For security reason this URL 
is not accepted");
                 }
             }
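Review bot: The rejection branch at `Debug.logError("For security reason this URL is not accepted", MODULE)` records nothing that identifies the blocked request, and the `throw new RuntimeException(...)` that follows leaves the status code to the container's default error handling rather than a deliberate client error. For incident response, log the path and caller without the query string itself (it may carry credentials): `Debug.logError("For security reason this URL is not accepted: " + httpRequest.getRequestURI() + " from " + httpRequest.getRemoteAddr(), MODULE);`, and consider answering with `HttpServletResponse.SC_BAD_REQUEST` and returning, if the response object is in scope here. Note also that `URLDecoder.decode(queryString, "UTF-8")` on the context line above throws `IllegalArgumentException` for a malformed percent-escape, which surfaces as an unhandled exception before the new check runs instead of the same clean rejection. Dropping the Base64 branches loses nothing in practice, since `decode(...).toString()` on a `byte[]` yielded the array's identity string rather than its content. The enclosing method starts and ends outside the hunk.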
