This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release18.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release18.12 by this push:
new f5e55c4f86 Improved: Prevent URL parameters manipulation (OFBIZ-13147)
f5e55c4f86 is described below
commit f5e55c4f86fc202742648dde17ff17ec135d838a
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Thu Oct 24 20:35:39 2024 +0200
Improved: Prevent URL parameters manipulation (OFBIZ-13147)
The "JavaScriptEnabled=Y" and "&wt=javabin" references are weaknesses. I temporarily put them in ControlFilter::doFilter to allow things (demo and integration tests) to work for my test (only possible on a site w. domain IP), ie not locally. I think we can remove "JavaScriptEnabled=Y". I put it there because we use it in links at https://ofbiz.apache.org/ofbiz-demos.html. Maybe other places where it's easy to remove w/o side effects. It's anyway an user preference, not mandatory in query string. I needed "&wt=javabin" for the Solr tests to pass. Sometimes ago I already faced a such issue. And then put in place what's needed. ControlFilter::isSolrTest is the solution by generalising this usage.
Conflicts handled by hand
---
.../java/org/apache/ofbiz/webapp/control/ControlFilter.java | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
index 2a03dbe314..7dbb6c3b72 100644
--- a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
+++ b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
@@ -108,6 +108,10 @@ public class ControlFilter implements Filter {
         }
     }
+    private static boolean isSolrTest() {
+        return !GenericValue.getStackTraceAsString().contains("ControlFilterTests")
+                && null == System.getProperty("SolrDispatchFilter");
+    }
     @Override
     public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
         HttpServletRequest httpRequest = (HttpServletRequest) request;
@@ -142,11 +146,9 @@ public class ControlFilter implements Filter {
         String queryString = httpRequest.getQueryString();
         if (queryString != null) {
             queryString = URLDecoder.decode(queryString, "UTF-8");
-            // wt=javabin allows Solr tests, see https://cwiki.apache.org/confluence/display/solr/javabin
             if (UtilValidate.isUrl(queryString)
                     || !SecuredUpload.isValidText(queryString, Collections.emptyList())
-                    && !(queryString.contains("JavaScriptEnabled=Y")
-                    || queryString.contains("wt=javabin"))) {
+                    && isSolrTest()) {
                 Debug.logError("For security reason this URL is not accepted", module);
                 throw new RuntimeException("For security reason this URL is not accepted");
             }
@@ -173,9 +175,8 @@ public class ControlFilter implements Filter {
             GenericValue userLogin = (GenericValue) httpRequest.getSession().getAttribute("userLogin");
             if (!LoginWorker.hasBasePermission(userLogin, httpRequest)) {
                 // Allows UEL and FlexibleString (OFBIZ-12602)
-                if (!GenericValue.getStackTraceAsString().contains("ControlFilterTests")
-                        && null == System.getProperty("SolrDispatchFilter") // Allows Solr tests
-                        && SecurityUtil.containsFreemarkerInterpolation(httpRequest, httpResponse, requestUri)) {
+                if (isSolrTest() // Allows Solr tests
+                        && SecurityUtil.containsFreemarkerInterpolation(httpRequest, httpResponse, requestUri)) {
                     return;
                 }
             }
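Review bot: The new helper's name is inverted: `isSolrTest()` returns true when the stack does not contain ControlFilterTests and the `SolrDispatchFilter` system property is absent, i.e. when we are not in a test run, so both call sites read as the opposite of what they do. Rename it to something like `private static boolean isNotTestRun()` (or `shouldEnforceUrlChecks()`) and give it a Javadoc stating that a true result means the security checks below must be applied. It also deserves an explicit warning, because anyone able to pass `-DSolrDispatchFilter=...` to the JVM disables both the query-string validation and the FreeMarker-interpolation check for the whole instance: `// Never set SolrDispatchFilter on a production JVM: it turns off the checks in doFilter.` The stack-trace capture happens on every call, so callers should keep it as the last operand of any `&&` chain where ordering allows. doFilter's body continues past the end of this hunk.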
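Review bot: The rewritten condition mixes `||` and `&&` without parentheses, so `UtilValidate.isUrl(queryString) || !SecuredUpload.isValidText(...) && isSolrTest()` depends on `&&` binding tighter; together with the helper's inverted name it is easy to misread the test exemption as also covering the isUrl branch, which it does not. Parenthesize the second operand: `|| (!SecuredUpload.isValidText(queryString, Collections.emptyList()) && isSolrTest())) {`. The commit also removed the only comment explaining why a query string that fails isValidText can be tolerated; restore one above the `if`, e.g. `// Solr integration tests send query strings (e.g. wt=javabin) that fail isValidText; they are only let through when isSolrTest() reports a test run`. doFilter starts and ends outside this hunk.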
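Review bot: The retained comment `// Allows Solr tests` now sits on `isSolrTest()`, which also bypasses the check whenever ControlFilterTests is on the call stack, so it understates what is exempted; change it to `if (isSolrTest() // skipped under ControlFilterTests or when -DSolrDispatchFilter is set`. Because `GenericValue.getStackTraceAsString()` is the first operand, a full stack trace is captured for every request that lacks base permission; if `SecurityUtil.containsFreemarkerInterpolation` has no ordering-dependent side effects, evaluating it first would avoid that cost, though this ordering predates the commit. doFilter starts and ends outside this hunk.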