This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release18.12 by this push:
     new 34ff37681b Fixed: [codeQL]  Resolving specific Java issues 
(OFBIZ-12925)
34ff37681b is described below

commit 34ff37681bce0dd57a7328bc9a41236bd4b3543e
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Mon Feb 24 11:24:25 2025 +0100

    Fixed: [codeQL]  Resolving specific Java issues (OFBIZ-12925)
    
    Fixes the case when reading a local XML file.
    
    Conflicts handled by hand
---
 framework/base/src/main/java/org/apache/ofbiz/base/util/UtilXml.java | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git 
a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilXml.java 
b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilXml.java
index 6a235e2feb..5426694a2e 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilXml.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilXml.java
@@ -91,7 +91,7 @@ public final class UtilXml {
     public static final String module = UtilXml.class.getName();
     private static final XStream xstream = createXStream();
     private UtilXml () {}
-    private final static List<String> hostHeadersAllowed = 
UtilMisc.getHostHeadersAllowed();
+    private static final List<String> HOSTHEADERSALLOWED = 
UtilMisc.getHostHeadersAllowed();
 
     private static XStream createXStream() {
         XStream xstream = new XStream();
@@ -405,7 +405,8 @@ public final class UtilXml {
     public static Document readXmlDocument(URL url, boolean validate, boolean 
withPosition)
             throws SAXException, ParserConfigurationException, 
java.io.IOException {
 
-        if (!hostHeadersAllowed.contains(url.getHost())) {
+        // url.getHost().isEmpty() when reading an XML file
+        if (!HOSTHEADERSALLOWED.contains(url.getHost()) && 
!url.getHost().isEmpty()) {
             Debug.logWarning("Domain " + url.getHost() + " not accepted to 
prevent host header injection."
                     + " You need to set host-headers-allowed property in 
security.properties file.", module);
             throw new IOException("Domain " + url.getHost() + " not accepted 
to prevent host header injection."
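Review bot: The new condition `if (!HOSTHEADERSALLOWED.contains(url.getHost()) && !url.getHost().isEmpty())` exempts every URL whose host is empty, not only the local XML file the comment describes: any scheme without an authority component (a `jar:` URL, for instance) also yields an empty host and now skips the allow-list entirely. If the intent is local files only, the exemption is narrower and the comment truer when tied to the scheme, e.g. `String host = url.getHost();` / `if (!host.isEmpty() && !HOSTHEADERSALLOWED.contains(host)) {` with a comment such as `// Local resources (file: URLs) carry no host; only remote hosts are checked against the allow-list` — or, stricter, require `"file".equals(url.getProtocol())` as well. Binding the host once and testing `isEmpty()` first also avoids the list lookup for the common local case; if any caller can build the URL with a null host (the four-argument URL constructor presumably permits that), `getHost().isEmpty()` would throw, so a null guard may be worth adding. The `throw new IOException(...)` statement and the rest of readXmlDocument continue outside the hunk.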
