This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release24.09
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release24.09 by this push:
     new aa0db808a6 Improved: Check parameters passed in URLs (OFBIZ-13295)
aa0db808a6 is described below

commit aa0db808a6613ed619e78ad54337b720f64a9730
Author: Jacques Le Roux <[email protected]>
AuthorDate: Sun Oct 12 07:47:59 2025 +0200

    Improved: Check parameters passed in URLs (OFBIZ-13295)
    
    Completely bypasses the "Prevents stream exploitation" block in
    ControlFilter.java when running under the Solr or ControlFilter tests
    
    Also better uses the token bypassPreventsStreamExploitation in
    ControlFilterTests
    
    Conflicts handled by hand in ControlFilter.java
---
 .../org/apache/ofbiz/webapp/control/ControlFilter.java  | 17 ++++++++---------
 .../apache/ofbiz/webapp/control/ControlFilterTests.java | 16 ++++++++--------
 2 files changed, 16 insertions(+), 17 deletions(-)

diff --git 
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
 
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
index 810a4c76b3..cdadf65a9a 100644
--- 
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
+++ 
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
@@ -174,11 +174,10 @@ public class ControlFilter extends HttpFilter {
         String context = req.getContextPath();
         HttpSession session = req.getSession();
 
-        // Prevents stream exploitation
-        if (!isSolrTest()) {
-            if (!isControlFilterTests()) {
-                UrlServletHelper.setRequestAttributes(req, null, 
req.getServletContext());
-            }
+        if (!(isSolrTest() || isControlFilterTests())) {
+            // Prevents stream exploitation
+            UrlServletHelper.setRequestAttributes(req, null, 
req.getServletContext());
+            UrlServletHelper.setRequestAttributes(req, null, 
req.getServletContext());
             Map<String, Object> parameters = UtilHttp.getParameterMap(req);
             boolean reject = false;
             if (!parameters.isEmpty()) {
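Review bot: The new side calls `UrlServletHelper.setRequestAttributes(req, null, req.getServletContext());` twice in a row at the top of the guarded block, which reads like a leftover from the hand-resolved conflict mentioned in the commit message; one of the two lines should be dropped. Whether the repeated call is merely redundant work or changes the request attributes a second time cannot be told from here, since setRequestAttributes is not visible. Separately, the parameter check that "prevents stream exploitation" is now skipped whenever `isSolrTest() || isControlFilterTests()` holds; if those helpers read JVM system properties, as the tests' `System.setProperty("ControlFilterTests", …)` suggests, then a production JVM started with the corresponding -D flag silently loses this check, so it would be worth a comment at this line such as `// NOTE: bypass is keyed to a JVM system property; ensure it is never set outside test runs` or a stricter guard (e.g. only honouring the property when a test class is on the classpath). The enclosing doFilter method starts before this hunk.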
@@ -197,10 +196,10 @@ public class ControlFilter extends HttpFilter {
                             reject = true;
                         }
                     }
-                    if (reject) {
-                        Debug.logError("For security reason this URL is not 
accepted", MODULE);
-                        throw new RuntimeException("For security reason this 
URL is not accepted");
-                    }
+                }
+                if (reject) {
+                    Debug.logError("For security reason this URL is not 
accepted", MODULE);
+                    throw new RuntimeException("For security reason this URL 
is not accepted");
                 }
             }
         }
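Review bot: Rejecting the request by `throw new RuntimeException("For security reason this URL is not accepted")` lets the servlet container turn a deliberate policy rejection into a generic 500 error path (stack trace and all) rather than an explicit client error, and the log line does not record which parameter or value tripped `reject`, which makes triage of the alert harder. If the response object is in scope in this doFilter (its signature is outside the hunk), the two lines could become `resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "For security reason this URL is not accepted"); return;` and the `Debug.logError` call could include the offending parameter name from the loop above. The loop that sets `reject` begins before this hunk, so the variable to log is not visible here.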
diff --git 
a/framework/webapp/src/test/java/org/apache/ofbiz/webapp/control/ControlFilterTests.java
 
b/framework/webapp/src/test/java/org/apache/ofbiz/webapp/control/ControlFilterTests.java
index c437b6175d..b60b7114e4 100644
--- 
a/framework/webapp/src/test/java/org/apache/ofbiz/webapp/control/ControlFilterTests.java
+++ 
b/framework/webapp/src/test/java/org/apache/ofbiz/webapp/control/ControlFilterTests.java
@@ -58,7 +58,7 @@ public class ControlFilterTests {
 
     @Test
     public void filterWithExactAllowedPath() throws Exception {
-        System.setProperty("ControlFilterTests", "runsAfterControlFilter");
+        System.setProperty("ControlFilterTests", 
"bypassPreventsStreamExploitation");
         when(config.getInitParameter("redirectPath")).thenReturn("/foo");
         when(config.getInitParameter("allowedPaths")).thenReturn("/foo:/bar");
         when(req.getRequestURI()).thenReturn("/servlet/bar");
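Review bot: `System.setProperty("ControlFilterTests", "bypassPreventsStreamExploitation")` sets a JVM-wide flag that disables the filter's parameter check, and nothing in this hunk restores it afterwards; unless a teardown elsewhere in the class clears it (not visible here), the bypass leaks into every later test in the same JVM, including any that are meant to exercise the rejection path. A teardown such as `@After public void clearBypass() { System.clearProperty("ControlFilterTests"); }` would keep the toggle scoped to the tests that need it.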
@@ -72,7 +72,7 @@ public class ControlFilterTests {
 
     @Test
     public void filterWithAllowedSubPath() throws Exception {
-        System.setProperty("ControlFilterTests", "runsAfterControlFilter");
+        System.setProperty("ControlFilterTests", 
"bypassPreventsStreamExploitation");
         when(config.getInitParameter("redirectPath")).thenReturn("/foo");
         when(config.getInitParameter("allowedPaths")).thenReturn("/foo:/bar");
         when(req.getRequestURI()).thenReturn("/servlet/bar/baz");
@@ -86,7 +86,7 @@ public class ControlFilterTests {
 
     @Test
     public void filterWithRedirection() throws Exception {
-        System.setProperty("ControlFilterTests", "runsAfterControlFilter");
+        System.setProperty("ControlFilterTests", 
"bypassPreventsStreamExploitation");
         when(config.getInitParameter("redirectPath")).thenReturn("/foo");
         when(config.getInitParameter("allowedPaths")).thenReturn("/bar:/baz");
         when(req.getRequestURI()).thenReturn("/missing/path");
@@ -99,7 +99,7 @@ public class ControlFilterTests {
 
     @Test
     public void filterWithURIredirection() throws Exception {
-        System.setProperty("ControlFilterTests", "runsAfterControlFilter");
+        System.setProperty("ControlFilterTests", 
"bypassPreventsStreamExploitation");
         
when(config.getInitParameter("redirectPath")).thenReturn("http://example.org/foo";);
         when(config.getInitParameter("allowedPaths")).thenReturn("/foo:/bar");
         when(req.getRequestURI()).thenReturn("/baz");
@@ -112,7 +112,7 @@ public class ControlFilterTests {
 
     @Test
     public void bailsOutWithVariousErrorCodes() throws Exception {
-        System.setProperty("ControlFilterTests", "runsAfterControlFilter");
+        System.setProperty("ControlFilterTests", 
"bypassPreventsStreamExploitation");
         when(config.getInitParameter("allowedPaths")).thenReturn("/foo");
         when(req.getRequestURI()).thenReturn("/baz");
 
@@ -143,7 +143,7 @@ public class ControlFilterTests {
 
     @Test
     public void redirectAllAllowed() throws Exception {
-        System.setProperty("ControlFilterTests", "runsAfterControlFilter");
+        System.setProperty("ControlFilterTests", 
"bypassPreventsStreamExploitation");
         when(config.getInitParameter("redirectPath")).thenReturn("/bar");
         when(config.getInitParameter("forceRedirectAll")).thenReturn("Y");
         when(config.getInitParameter("allowedPaths")).thenReturn("/foo");
@@ -157,7 +157,7 @@ public class ControlFilterTests {
 
     @Test
     public void redirectAllNotAllowed() throws Exception {
-        System.setProperty("ControlFilterTests", "runsAfterControlFilter");
+        System.setProperty("ControlFilterTests", 
"bypassPreventsStreamExploitation");
         when(config.getInitParameter("redirectPath")).thenReturn("/bar");
         when(config.getInitParameter("forceRedirectAll")).thenReturn("Y");
         when(config.getInitParameter("allowedPaths")).thenReturn("/foo");
@@ -171,7 +171,7 @@ public class ControlFilterTests {
 
     @Test
     public void redirectAllRecursive() throws Exception {
-        System.setProperty("ControlFilterTests", "runsAfterControlFilter");
+        System.setProperty("ControlFilterTests", 
"bypassPreventsStreamExploitation");
         when(config.getInitParameter("redirectPath")).thenReturn("/foo");
         when(config.getInitParameter("forceRedirectAll")).thenReturn("Y");
         when(config.getInitParameter("allowedPaths")).thenReturn("/foo");
