This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release24.09
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release24.09 by this push:
     new 89cf6bd5e4 Improved: Prevent URL parameters manipulation (OFBIZ-13147)
89cf6bd5e4 is described below

commit 89cf6bd5e4f17b7ddd1512086aa58fbf17f3f763
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Wed Nov 20 12:07:45 2024 +0100

    Improved: Prevent URL parameters manipulation (OFBIZ-13147)
    
    We need only 1 allowedToken
    
    Conflict handled by hand
---
 framework/security/config/security.properties | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/framework/security/config/security.properties 
b/framework/security/config/security.properties
index b939a5667e..481cd17678 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -279,7 +279,7 @@ 
deniedWebShellTokens=$SHA$OFBiz$c_93W08vqLMlJHjOZ7_A6Wcaenw,$SHA$OFBiz$SigPYIfwa
 #-- SHA-1 versions of tokens containing (as String) at least one 
deniedWebShellTokens
 #-- This is notably used to allow special values in query parameters.
 #-- If you add a token beware that it does not content ",". It's the separator.
-allowedTokens=$SHA$OFBiz$EP-l2t4A_60cRYYnEqEaSiDjfrs,$SHA$OFBiz$JG1RWjLnFzQOpNRUqllybbbfyOE
+allowedTokens=$SHA$OFBiz$488OJhFI6NUQlvuqRVFHq6_KN8w
 
 allowStringConcatenationInUploadedFiles=false
 
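Review bot: The new `allowedTokens` value on the `+` line is an opaque hash that matches neither of the two hashes it replaces, and nothing in the file says which query-parameter value it exempts, so the allowlist cannot be audited from this file alone. Per the comment above the property, an entry here lets a value through even though it contains a denied web-shell token, so each entry should carry its justification. I would add a comment line directly above it, for example `#-- allowedTokens entry: permits <describe the value and the request/screen that needs it>`. The commit message says only one token is needed; it would also help to record whether the two removed hashes are now unused everywhere or were superseded by this one, so that anyone merging this to other branches knows which values stop being accepted.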
