This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release24.09
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release24.09 by this push:
new 58ed838b4a Improved: Prevent URL parameters manipulation (OFBIZ-13147)
58ed838b4a is described below
commit 58ed838b4a0816555f928f4b453509b18082708b
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Wed Oct 23 14:22:39 2024 +0200
Improved: Prevent URL parameters manipulation (OFBIZ-13147)
Allows JavaScriptEnabled=Y to pass.
---
.../src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
index 73b3546810..d7f8b5cd83 100644
---
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
+++
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
@@ -170,7 +170,9 @@ public class ControlFilter extends HttpFilter {
String queryString = req.getQueryString();
if (queryString != null) {
queryString = URLDecoder.decode(queryString, "UTF-8");
- if (UtilValidate.isUrl(queryString) ||
!SecuredUpload.isValidText(queryString, Collections.emptyList())) {
+ if (UtilValidate.isUrl(queryString)
+ || (!SecuredUpload.isValidText(queryString,
Collections.emptyList())
+ &&
!queryString.contains("JavaScriptEnabled=Y"))) {
Debug.logError("For security reason this URL is not
accepted", MODULE);
throw new RuntimeException("For security reason this URL
is not accepted");
}
