This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release24.09
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release24.09 by this push:
     new cd2bd359c1 Improved: Refactor ControlFilter class without functional 
changes (OFBIZ-13213)
cd2bd359c1 is described below

commit cd2bd359c1c24f067caf10da686b75bb3d090461
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Fri Feb 28 12:04:52 2025 +0100

    Improved: Refactor ControlFilter class without functional changes 
(OFBIZ-13213)
    
    Groups the functionalities better and comments them for easier readability
    
    Conflict handled by hand
---
 .../apache/ofbiz/webapp/control/ControlFilter.java | 23 +++++++++++++---------
 1 file changed, 14 insertions(+), 9 deletions(-)

diff --git 
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
 
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
index 4ccd968f54..083c77f1b4 100644
--- 
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
+++ 
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
@@ -182,14 +182,21 @@ public class ControlFilter extends HttpFilter {
             String uriWithContext = 
StringEscapeUtils.unescapeHtml4(URLDecoder.decode(req.getRequestURI(), 
"UTF-8"));
             String uri = uriWithContext.substring(context.length());
 
+
+            //// Block with several steps for rejecting wrong URLs, allowing 
specific ones
+
+            // Allows UEL and FlexibleString (OFBIZ-12602). Also allows 
SolrTest to pass. No need to check these URLs
             GenericValue userLogin = (GenericValue) 
session.getAttribute("userLogin");
-            if (!LoginWorker.hasBasePermission(userLogin, req)) { // Allows 
UEL and FlexibleString (OFBIZ-12602)
-                if (isSolrTest() && 
SecuredFreemarker.containsFreemarkerInterpolation(req, resp, uri)) {
-                    return;
-                }
+            if (!LoginWorker.hasBasePermission(userLogin, req) || 
isSolrTest()) {
+                return;
             }
 
-            // Reject wrong URLs
+            // Reject Freemarker interpolation in URL
+            if (SecuredFreemarker.containsFreemarkerInterpolation(req, resp, 
uri)) {
+                return;
+            }
+
+            // Reject insecure URLs
             String queryString = null;
             try {
                 queryString = new URI(uriWithContext).getQuery();
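Review bot: The new early return on `!LoginWorker.hasBasePermission(userLogin, req) || isSolrTest()` ends doFilter for every request whose session user lacks base permission, whereas the removed lines only returned after `containsFreemarkerInterpolation` had already handled the response, so the title's "without functional changes" does not hold for this hunk. Whether those requests are now dropped before the rest of the filter (and any `chain.doFilter` that follows it) depends on code outside the hunk and should be confirmed; if the intent was only to keep the old gating, it is one condition, `if (!LoginWorker.hasBasePermission(userLogin, req) && isSolrTest() && SecuredFreemarker.containsFreemarkerInterpolation(req, resp, uri)) { return; }`. The `|| isSolrTest()` branch now skips every URL check that follows, which, if `isSolrTest()` is driven by configuration rather than compile-time test wiring, is a validation bypass reachable in a deployed instance and deserves its own comment, e.g. `// isSolrTest(): test-only bypass of all URL validation below — must never be true in production`. Either way the comment above the block should state what `return` means at this point (response already written vs. request left unfiltered). The enclosing doFilter starts and ends outside the hunk.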
@@ -198,12 +205,10 @@ public class ControlFilter extends HttpFilter {
                 Debug.logError("Weird URI: " + e, MODULE);
                 throw new RuntimeException(e);
             }
-
             if (queryString != null) {
                 queryString = URLDecoder.decode(queryString, "UTF-8");
-                if (UtilValidate.isUrl(queryString)
-                        || 
!SecuredUpload.isValidText(queryString.toLowerCase(), ALLOWEDTOKENS, true)
-                                && isSolrTest()) {
+                if (UtilValidate.isUrlInString(queryString)
+                        || 
!SecuredUpload.isValidText(queryString.toLowerCase(), ALLOWEDTOKENS, true)) {
                     Debug.logError("For security reason this URL is not 
accepted", MODULE);
                     throw new RuntimeException("For security reason this URL 
is not accepted");
                 }
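Review bot: The query-string rejection in this hunk is also a behavior change: on the old side `!SecuredUpload.isValidText(...)` only applied when `isSolrTest()` was true and the URL test was `UtilValidate.isUrl`, while the new side applies the text check unconditionally and uses `isUrlInString`, which by its name matches a URL anywhere in the decoded query string. That is the stricter and preferable direction, but it will reject parameter values that legitimately carry a URL, and the commit message says no functional change was made; either the message or a comment on the `if` should record that validation was deliberately widened. The log line does not say which of the two rules fired, which makes triage of rejected requests harder; consider logging the rule name (not the raw query string) in `Debug.logError`. The rejection still surfaces as a `RuntimeException` (normally a container 500) rather than a controlled client error; if `resp` is an HttpServletResponse, `resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "For security reason this URL is not accepted")` followed by `return` would match how the interpolation check above ends the request. The enclosing doFilter starts and ends outside the hunk.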
