This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release18.12 by this push:
     new 959799bf03 Fixed: [SECURITY] (CVE-2024-36104) Path traversal leading to RCE (OFBIZ-13092)
959799bf03 is described below

commit 959799bf039dd41c3ed854526a89868ed19b9832
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Mon Jan 13 18:20:57 2025 +0100

    Fixed: [SECURITY] (CVE-2024-36104) Path traversal leading to RCE (OFBIZ-13092)
    
    As reported by Leïla, <<if you perform a search on find party screen and try to
    sort by partyId, createdDate or else, you will get this message.
    "For security reason this URL is not accepted"
    The problem was that the initialURI retrieved by the controlFilter still has
    semicolon in it. As the uRIFiltered is removed from its semicolon, the
    comparison failed and the error is returned.>>
    
    This was due to the use of URLDecoder::decode below but not on the line
    that is now fixed by this commit.
    I guess it extends to all such cases; ie URLs that use sorting and such,
    possibly using js at some point. I did not get further.
---
 .../src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git 
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
 
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
index 4e9a35efb4..9776e64e5d 100644
--- 
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
+++ 
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
@@ -138,7 +138,7 @@ public class ControlFilter implements Filter {
         if (httpRequest.getAttribute(FORWARDED_FROM_SERVLET) == null && 
!allowedPaths.isEmpty()) {
             // check to make sure the requested url is allowed
             // get the request URI without the webapp mount point
-            String requestUri = 
httpRequest.getRequestURI().substring(httpRequest.getContextPath().length());
+            String requestUri = 
URLDecoder.decode(httpRequest.getRequestURI().substring(httpRequest.getContextPath().length()),
 "UTF-8");
 
             // Reject wrong URLs
             String queryString = httpRequest.getQueryString();
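Review bot: the new `URLDecoder.decode(..., "UTF-8")` on the `requestUri` line throws `IllegalArgumentException` on a malformed percent sequence (a trailing `%`, or `%zz`), so a request that until now fell through to the allow-list comparison and was rejected with the security message will instead leave the filter as an unhandled exception; catch `IllegalArgumentException` there and reject the request the same way the `// Reject wrong URLs` branch below does. Two smaller points on the same line: `decode(String, String)` declares the checked `UnsupportedEncodingException`, which the enclosing method has to propagate or wrap, whereas the `Charset` overload with `StandardCharsets.UTF_8` (Java 10+, if the branch's baseline allows it) does not; and `URLDecoder` performs form decoding, so a literal `+` in the path becomes a space before the comparison, while a double-encoded sequence such as `%252e` decodes only to `%2e` here. Whatever consumes `requestUri` after this check must not decode it a second time, or it acts on a different path than the one that was checked; note also that `queryString`, taken raw from `getQueryString()` just below, is now in a different normalization state than `requestUri`.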

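An added stand-alone illustration of what the one-line change above does and where it bites. This is not OFBiz code and not the ControlFilter logic itself: the allow-list, the constructed sample URIs and the semicolon-stripping step are assumptions modelled on the commit message's description (the initial URI still carrying an encoded semicolon while the filtered form has it removed). It targets Java 10+ so it can use the `Charset` overload of `URLDecoder.decode`, which avoids the checked `UnsupportedEncodingException`, and it turns a malformed escape into a rejected request rather than an exception.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.List;

// Hypothetical illustration of "decode the request URI before the allow-list check".
// Not OFBiz code; the allow-list and sample URIs below are constructed for this example.
public class DecodeBeforeCheck {

    // Constructed allow-list, standing in for ControlFilter's allowedPaths (assumption).
    static final List<String> ALLOWED = List.of("/control/findparty", "/control/main");

    // Strips a ";jsessionid=..." style path parameter, modelled on the commit
    // message's "uRIFiltered is removed from its semicolon" (assumption).
    static String stripPathParameter(String uri) {
        int semi = uri.indexOf(';');
        return semi >= 0 ? uri.substring(0, semi) : uri;
    }

    // Before the fix: the raw (still percent-encoded) URI is filtered and compared.
    // An encoded semicolon "%3B" is not found by indexOf(';'), so the match fails.
    static boolean allowedRaw(String requestUri) {
        return ALLOWED.contains(stripPathParameter(requestUri));
    }

    // After the fix: percent-decode first, so "%3B" becomes ";" and the filtered
    // form compares equal to the allow-list entry.
    static boolean allowedDecoded(String requestUri) {
        String decoded;
        try {
            decoded = URLDecoder.decode(requestUri, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            // Malformed escape such as "%zz" or a trailing "%": reject instead of
            // letting the exception escape the filter.
            return false;
        }
        return ALLOWED.contains(stripPathParameter(decoded));
    }

    public static void main(String[] args) {
        // Constructed sample URI, already stripped of the webapp mount point as in the hunk.
        String withEncodedSemicolon = "/control/findparty%3Bjsessionid=ABC123";
        System.out.println("raw      : " + allowedRaw(withEncodedSemicolon));
        System.out.println("decoded  : " + allowedDecoded(withEncodedSemicolon));

        // A malformed escape is rejected rather than propagating IllegalArgumentException.
        System.out.println("malformed: " + allowedDecoded("/control/findparty%zz"));

        // Caveat 1: URLDecoder is application/x-www-form-urlencoded decoding, so a
        // literal '+' in the path turns into a space before the comparison.
        System.out.println(URLDecoder.decode("/control/find+party", StandardCharsets.UTF_8));

        // Caveat 2: decoding once leaves double-encoded input still encoded. A later
        // component that decodes again sees a different path than the one checked here.
        String doubleEncoded = "/control/%252e%252e/admin";
        String once = URLDecoder.decode(doubleEncoded, StandardCharsets.UTF_8);
        System.out.println(once);
        System.out.println(URLDecoder.decode(once, StandardCharsets.UTF_8));
    }
}
```

Running `main` shows the raw comparison failing and the decoded one succeeding for the encoded-semicolon URI, the malformed URI being rejected, the `+` turning into a space, and the double-encoded path only becoming `/control/../admin` on the second decode. The practical rule this illustrates is to normalize once, in one place, and to have every later consumer of the path use that same normalized value.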