This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release24.09
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release24.09 by this push:
     new ad9035e2e4 Improved: Prevent URL parameters manipulation (OFBIZ-13147)
ad9035e2e4 is described below

commit ad9035e2e4cd625816c97e3d3f528d1b51f5ecfd
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Wed Oct 23 16:48:20 2024 +0200

    Improved: Prevent URL parameters manipulation (OFBIZ-13147)
    
    Allows Solr tests to pass, so far so good...
---
 .../main/java/org/apache/ofbiz/webapp/control/ControlFilter.java    | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git 
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
 
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
index d7f8b5cd83..a4122fdcf2 100644
--- 
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
+++ 
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
@@ -170,9 +170,11 @@ public class ControlFilter extends HttpFilter {
             String queryString = req.getQueryString();
             if (queryString != null) {
                 queryString = URLDecoder.decode(queryString, "UTF-8");
+                // wt=javabin allows Solr tests, see 
https://cwiki.apache.org/confluence/display/solr/javabin
                 if (UtilValidate.isUrl(queryString)
-                        || (!SecuredUpload.isValidText(queryString, 
Collections.emptyList())
-                                && 
!queryString.contains("JavaScriptEnabled=Y"))) {
+                        || !SecuredUpload.isValidText(queryString, 
Collections.emptyList())
+                                && 
!(queryString.contains("JavaScriptEnabled=Y")
+                                        || 
queryString.contains("wt=javabin"))) {
                     Debug.logError("For security reason this URL is not 
accepted", MODULE);
                     throw new RuntimeException("For security reason this URL 
is not accepted");
                 }
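Review bot: The exemption added on the new `&&` arm is a substring match on the whole decoded query string, so any request whose query contains `wt=javabin` (or the pre-existing `JavaScriptEnabled=Y`) anywhere skips `SecuredUpload.isValidText` for every other parameter as well; the commit widens that pre-existing pattern rather than addressing it. A safer shape is to exempt only the exact known-good parameter and still validate the remainder, as sketched below; whether `isValidText` accepts an empty remainder is not visible here and should be confirmed before relying on it. The comment on the added line should also say that the exemption applies to all requests, not just Solr tests, e.g. `// wt=javabin is exempt for Solr (javabin responses) on every request, not only in tests`. Dropping the explicit parentheses around the `&&` arm leaves precedence implicit; keeping them as in the removed lines would read more clearly. The enclosing method starts and ends outside the hunk, and the `Arrays`/`Collectors` names used below would need imports at the top of the file.
```java
                queryString = URLDecoder.decode(queryString, "UTF-8");
                // Exempt only the exact known-good parameters; everything else in the
                // query string is still validated, so appending one cannot bypass the check.
                String remaining = Arrays.stream(queryString.split("&"))
                        .filter(p -> !"wt=javabin".equals(p) && !"JavaScriptEnabled=Y".equals(p))
                        .collect(Collectors.joining("&"));
                if (UtilValidate.isUrl(queryString)
                        || !SecuredUpload.isValidText(remaining, Collections.emptyList())) {
                    // … unchanged: Debug.logError and throw …
```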
