This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

commit 449fd10cc906ec738a631b0ae35dbb449a7d3f39
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Tue Jan 14 17:30:27 2025 +0100

    Revert "Improved: Path traversal leading to RCE (OFBIZ-13092)"
    
    This reverts commit 5f8bb71aae9b65f031478784374bab4326e57f1f.
---
 .../main/java/org/apache/ofbiz/webapp/control/ControlFilter.java | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git 
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
 
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
index a8e3301ed7..ca8d2cca69 100644
--- 
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
+++ 
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
@@ -174,19 +174,20 @@ public class ControlFilter extends HttpFilter {
                 queryString = URLDecoder.decode(queryString, "UTF-8");
                 if (UtilValidate.isUrlInString(queryString)
                         || 
!SecuredUpload.isValidText(queryString.toLowerCase(), 
SecuredUpload.getallowedTokens(), true)
-                                && isSolrTest()) {
+                        && isSolrTest()) {
                     Debug.logError("For security reason this URL is not 
accepted", MODULE);
                     throw new RuntimeException("For security reason this URL 
is not accepted");
                 }
             }
 
-            if (uriWithContext != null) { // Allow tests with Mockito. 
ControlFilterTests send null
+            String initialURI = req.getRequestURI();
+            if (initialURI != null) { // Allow tests with Mockito. 
ControlFilterTests send null
                 try {
-                    String uRIFiltered = new URI(uriWithContext)
+                    String uRIFiltered = new URI(initialURI)
                             .normalize().toString()
                             .replaceAll(";", "")
                             .replaceAll("(?i)%2e", "");
-                    if (!uriWithContext.equals(uRIFiltered)) {
+                    if (!initialURI.equals(uRIFiltered)) {
                         Debug.logError("For security reason this URL is not 
accepted", MODULE);
                         throw new RuntimeException("For security reason this 
URL is not accepted");
                     }
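Review bot: The re-aligned `&& isSolrTest()` on the new side now sits level with `||`, which reads as `(isUrlInString(...) || !isValidText(...)) && isSolrTest()` although Java groups it as `isUrlInString(...) || (!isValidText(...) && isSolrTest())`; the deeper indent the revert removes at least matched the real grouping. Whichever grouping is intended, make it explicit with parentheses, e.g. `|| (!SecuredUpload.isValidText(queryString.toLowerCase(), SecuredUpload.getallowedTokens(), true) && isSolrTest())`, so the rejection of unvalidated query strings does not silently depend on operator precedence. The normalization check is also moved back from `uriWithContext` to `req.getRequestURI()`, and since the commit message states only that it reverts the OFBIZ-13092 change, a short comment above `String initialURI = req.getRequestURI();` recording why the context-aware variant was rolled back would help the next reader judge which URI the filter is meant to validate. The enclosing method begins and ends outside the hunk.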
