This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release24.09
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release24.09 by this push:
new e8ad44dc36 Improved: Check parameters passed in URLs (OFBIZ-13295)
e8ad44dc36 is described below
commit e8ad44dc364d6e68d107a851742814450f7ab590
Author: Jacques Le Roux <[email protected]>
AuthorDate: Sat Oct 4 16:29:06 2025 +0200
Improved: Check parameters passed in URLs (OFBIZ-13295)
Contrary to trunk, 24.09 needs to check if isSolrTest() is running.
I did not check why it works in trunk. I guess it's OK.
---
.../apache/ofbiz/webapp/control/ControlFilter.java | 40 ++++++++++++----------
1 file changed, 21 insertions(+), 19 deletions(-)
diff --git
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
index c7db00a6fc..0cd5e94899 100644
---
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
+++
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
@@ -168,29 +168,31 @@ public class ControlFilter extends HttpFilter {
HttpSession session = req.getSession();
// Prevents stream exploitation
- Map<String, Object> parameters = UtilHttp.getParameterMap(req);
- boolean reject = false;
- if (!parameters.isEmpty()) {
- for (String key : parameters.keySet()) {
- Object object = parameters.get(key);
- if (object.getClass().equals(String.class)) {
- String val = (String) object;
- if (val.contains("<")) {
- reject = true;
- }
- } else {
- @SuppressWarnings("unchecked")
- LinkedList<String> vals = (LinkedList<String>)
parameters.get(key);
- for (String aVal : vals) {
- if (aVal.contains("<")) {
+ if (!isSolrTest()) {
+ Map<String, Object> parameters = UtilHttp.getParameterMap(req);
+ boolean reject = false;
+ if (!parameters.isEmpty()) {
+ for (String key : parameters.keySet()) {
+ Object object = parameters.get(key);
+ if (object.getClass().equals(String.class)) {
+ String val = (String) object;
+ if (val.contains("<")) {
reject = true;
}
+ } else {
+ @SuppressWarnings("unchecked")
+ LinkedList<String> vals = (LinkedList<String>)
parameters.get(key);
+ for (String aVal : vals) {
+ if (aVal.contains("<")) {
+ reject = true;
+ }
+ }
}
}
- }
- if (reject) {
- Debug.logError("For security reason this URL is not accepted",
MODULE);
- throw new RuntimeException("For security reason this URL is
not accepted");
+ if (reject) {
+ Debug.logError("For security reason this URL is not
accepted", MODULE);
+ throw new RuntimeException("For security reason this URL
is not accepted");
+ }
}
}
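Review bot: The new `if (!isSolrTest())` guard at the top of the hunk switches off the entire parameter check instead of exempting whatever the Solr test actually sends, and the commit message says the reason it is needed in 24.09 was not investigated; since `isSolrTest()` is not in the hunk, I cannot tell whether it is derived from a runtime-settable property, but if it is, this security control can be disabled on a deployed instance. At minimum the condition should carry a comment recording the reason, e.g. `// TODO(review): document which Solr-test request trips the '<' check and why skipping it is safe (OFBIZ-13295)`, so the bypass is not widened later. Separately, the else branch still performs an unchecked cast of every non-String value to `LinkedList<String>`; testing `object instanceof String` and `object instanceof Collection<?>` instead of `getClass().equals(String.class)` would avoid a ClassCastException should `UtilHttp.getParameterMap` ever return another value type, and a `break` after the first `reject = true` would stop scanning once the request is already rejected. The enclosing method starts outside the hunk.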