This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release24.09
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release24.09 by this push:
     new 80652c053c Improved: Prevent URL parameters manipulation (OFBIZ-13147)
80652c053c is described below

commit 80652c053c5b505c2a30bf1ae3cbfe492508e551
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Fri Nov 8 12:02:20 2024 +0100

    Improved: Prevent URL parameters manipulation (OFBIZ-13147)
    
    With previous commits I put changes (tests) in ControlFilter.java that are no
    longer needed. So this removes the whole block. A better solution will be tested
    in trunk and hopefully backported later.
    
    Conflicts handled by hand
---
 .../org/apache/ofbiz/webapp/control/ControlFilter.java     | 14 --------------
 1 file changed, 14 deletions(-)

diff --git a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
index 8c9ebb3810..35649a4218 100644
--- a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
+++ b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
@@ -21,7 +21,6 @@ package org.apache.ofbiz.webapp.control;
 import java.io.IOException;
 import java.net.URI;
 import java.net.URISyntaxException;
-import java.net.URLDecoder;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.Set;
@@ -39,9 +38,7 @@ import org.apache.commons.lang.BooleanUtils;
 import org.apache.commons.validator.routines.UrlValidator;
 import org.apache.logging.log4j.ThreadContext;
 import org.apache.ofbiz.base.util.Debug;
-import org.apache.ofbiz.base.util.UtilValidate;
 import org.apache.ofbiz.entity.GenericValue;
-import org.apache.ofbiz.security.SecuredUpload;
 import org.apache.ofbiz.security.SecurityUtil;
 
 
@@ -169,17 +166,6 @@ public class ControlFilter extends HttpFilter {
             }
 
             // Reject wrong URLs
-            String queryString = req.getQueryString();
-            if (queryString != null) {
-                queryString = URLDecoder.decode(queryString, "UTF-8");
-                if (UtilValidate.isUrl(queryString)
-                        || !SecuredUpload.isValidText(queryString, Collections.emptyList())
-                        && isSolrTest()) {
-                    Debug.logError("For security reason this URL is not accepted", MODULE);
-                    throw new RuntimeException("For security reason this URL is not accepted");
-                }
-            }
-
             String initialURI = req.getRequestURI();
             if (initialURI != null) { // Allow tests with Mockito. ControlFilterTests send null
                 try {
