This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release24.09
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release24.09 by this push:
     new 3ee6033b31 Fixed: [codeQL]  Resolving specific Java issues 
(OFBIZ-12925)
3ee6033b31 is described below

commit 3ee6033b310133ec1f8ccbc2f26578321321b941
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Mon Feb 24 11:24:25 2025 +0100

    Fixed: [codeQL]  Resolving specific Java issues (OFBIZ-12925)
    
    Fixes the case when reading a local XML file.
    
    Conflicts handled by hand
---
 framework/base/src/main/java/org/apache/ofbiz/base/util/UtilXml.java | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git 
a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilXml.java 
b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilXml.java
index b0e6d5c1d4..5da1aa3627 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilXml.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilXml.java
@@ -87,7 +87,7 @@ public final class UtilXml {
     private static final String MODULE = UtilXml.class.getName();
     private static final XStream X_STREAM = createXStream();
     private UtilXml() { }
-    private final static List<String> hostHeadersAllowed = 
UtilMisc.getHostHeadersAllowed();
+    private static final List<String> HOSTHEADERSALLOWED = 
UtilMisc.getHostHeadersAllowed();
 
     private static XStream createXStream() {
         XStream xstream = new XStream();
@@ -397,7 +397,8 @@ public final class UtilXml {
     public static Document readXmlDocument(URL url, boolean validate, boolean 
withPosition)
             throws SAXException, ParserConfigurationException, 
java.io.IOException {
 
-        if (!hostHeadersAllowed.contains(url.getHost())) {
+        // url.getHost().isEmpty() when reading an XML file
+        if (!HOSTHEADERSALLOWED.contains(url.getHost()) && 
!url.getHost().isEmpty()) {
             Debug.logWarning("Domain " + url.getHost() + " not accepted to 
prevent host header injection."
                     + " You need to set host-headers-allowed property in 
security.properties file.", MODULE);
             throw new IOException("Domain " + url.getHost() + " not accepted 
to prevent host header injection."
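Review bot: The new exemption in the `if` keys on the URL having no host component rather than on the resource being local, so any URL whose scheme carries no authority part (presumably `jar:` as well as `file:`, and malformed forms such as `http:///path`) now skips the allow-list entirely; if the intent is only local XML files, test the scheme explicitly and read the host once, e.g. `String host = url.getHost();` / `boolean local = "file".equals(url.getProtocol());` / `if (!local && !HOSTHEADERSALLOWED.contains(host)) {`. The comment on the preceding added line should then say why the exemption exists, e.g. `// file: URLs have no authority part, so the host allow-list does not apply to them`. Ordering the cheap emptiness/scheme test first also makes the intent clearer than the trailing `&& !url.getHost().isEmpty()`. The body of readXmlDocument continues past the end of this hunk.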
