This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release24.09
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release24.09 by this push:
     new 4c624298a6 Improved: Check parameters passed in URLs (OFBIZ-13295)
4c624298a6 is described below

commit 4c624298a643453d20b8972bc64082bd61b39932
Author: Jacques Le Roux <[email protected]>
AuthorDate: Sat Oct 4 11:03:20 2025 +0200

    Improved: Check parameters passed in URLs (OFBIZ-13295)
    
    Prevents possible stream exploitation
---
 .../apache/ofbiz/webapp/control/ControlFilter.java | 31 ++++++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git 
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
 
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
index ad248ec544..c7db00a6fc 100644
--- 
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
+++ 
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
@@ -25,7 +25,9 @@ import java.net.URLDecoder;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
+import java.util.LinkedList;
 import java.util.List;
+import java.util.Map;
 import java.util.Set;
 import java.util.stream.Collectors;
 
@@ -165,6 +167,35 @@ public class ControlFilter extends HttpFilter {
         String context = req.getContextPath();
         HttpSession session = req.getSession();
 
+        // Prevents stream exploitation
+        Map<String, Object> parameters = UtilHttp.getParameterMap(req);
+        boolean reject = false;
+        if (!parameters.isEmpty()) {
+            for (String key : parameters.keySet()) {
+                Object object = parameters.get(key);
+                if (object.getClass().equals(String.class)) {
+                    String val = (String) object;
+                    if (val.contains("<")) {
+                        reject = true;
+                    }
+                } else {
+                    @SuppressWarnings("unchecked")
+                    LinkedList<String> vals = (LinkedList<String>) 
parameters.get(key);
+                    for (String aVal : vals) {
+                        if (aVal.contains("<")) {
+                            reject = true;
+                        }
+                    }
+                }
+            }
+            if (reject) {
+                Debug.logError("For security reason this URL is not accepted", 
MODULE);
+                throw new RuntimeException("For security reason this URL is 
not accepted");
+            }
+        }
+
+
+
         // Check if we are told to redirect everything.
         if (redirectAll) {
             // little trick here so we don't loop on ourselves
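Review bot: The `else` branch casts every non-String value straight to `LinkedList<String>`, so any other shape that `UtilHttp.getParameterMap` may return (a different `List` implementation, an array, or a `null` value, which would already fail at `object.getClass()`) turns into a `ClassCastException`/`NullPointerException` and a 500 instead of a deliberate rejection; `instanceof` checks on `String` and `List<?>` are safer and make the new `LinkedList` import unnecessary. Rejecting with a bare `RuntimeException` likewise hands the container an unhandled exception (typically an error page, possibly with a stack trace), whereas the conventional answer to a malformed request is `sendError(HttpServletResponse.SC_BAD_REQUEST)` followed by `return` — the response parameter's name is not visible here because the enclosing `doFilter` starts and ends outside the hunk. The log line should name the offending parameter and request URI (never the value, which is attacker-controlled) so the event is actionable in incident response. `contains("<")` is a single-character blocklist applied after whatever decoding `getParameterMap` performs; whether double-encoded (`%253C`) or entity forms are meant to pass is not stated, so a comment such as `// Reject any parameter value containing a literal '<'; values are inspected after servlet URL-decoding — TODO confirm` and a test for the encoded variants would document the intended scope.
```java
        // Prevents stream exploitation: reject any request whose parameter values contain '<'
        Map<String, Object> parameters = UtilHttp.getParameterMap(req);
        for (Map.Entry<String, Object> entry : parameters.entrySet()) {
            Object value = entry.getValue();
            boolean reject = false;
            if (value instanceof String) {
                reject = ((String) value).contains("<");
            } else if (value instanceof List<?>) {
                for (Object item : (List<?>) value) {
                    if (item instanceof String && ((String) item).contains("<")) {
                        reject = true;
                        break;
                    }
                }
            }
            if (reject) {
                // Log the parameter name (CR/LF stripped) and URI only; the value is attacker-controlled
                String name = entry.getKey().replaceAll("[\\r\\n]", "");
                Debug.logError("For security reason this URL is not accepted: parameter '" + name
                        + "' on " + req.getRequestURI(), MODULE);
                throw new RuntimeException("For security reason this URL is not accepted");
            }
        }
        // … unchanged: redirectAll handling …
```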
