This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/trunk by this push:
     new 84143a41dd Improved: Check parameters passed in URLs (OFBIZ-13295)
84143a41dd is described below

commit 84143a41dd05a8dd10e36cbff56002fe6ff4311d
Author: Jacques Le Roux <[email protected]>
AuthorDate: Sun Oct 12 07:47:59 2025 +0200

    Improved: Check parameters passed in URLs (OFBIZ-13295)
    
    Completely bypasses the "Prevents stream exploitation" block in
    ControlFilter.java
    
    Also better uses the token bypassPreventsStreamExploitation in
    ControlFilterTests
---
 .../apache/ofbiz/webapp/control/ControlFilter.java | 45 +++++++++++-----------
 .../ofbiz/webapp/control/ControlFilterTests.java   | 16 ++++----
 2 files changed, 30 insertions(+), 31 deletions(-)

diff --git 
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
 
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
index a41b928e6c..ec4c88a9f1 100644
--- 
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
+++ 
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
@@ -170,33 +170,32 @@ public class ControlFilter extends HttpFilter {
         String context = req.getContextPath();
         HttpSession session = req.getSession();
 
-        // Prevents stream exploitation
-
         if (!isControlFilterTests()) {
+            // Prevents stream exploitation
             UrlServletHelper.setRequestAttributes(req, null, 
req.getServletContext());
-        }
-        Map<String, Object> parameters = UtilHttp.getParameterMap(req);
-        boolean reject = false;
-        if (!parameters.isEmpty()) {
-            for (String key : parameters.keySet()) {
-                Object object = parameters.get(key);
-                if (object.getClass().equals(String.class)
-                        || object instanceof Collection) {
-                    try {
-                        List<String> toCheck = 
object.getClass().equals(String.class)
-                                ? List.of((String) object)
-                                : UtilGenerics.checkCollection(object, 
String.class);
-                        reject = toCheck.stream()
-                                .anyMatch(val -> val.contains("<"));
-                    } catch (IllegalArgumentException e) {
-                        Debug.logWarning(e, MODULE);
-                        reject = true;
+            Map<String, Object> parameters = UtilHttp.getParameterMap(req);
+            boolean reject = false;
+            if (!parameters.isEmpty()) {
+                for (String key : parameters.keySet()) {
+                    Object object = parameters.get(key);
+                    if (object.getClass().equals(String.class)
+                            || object instanceof Collection) {
+                        try {
+                            List<String> toCheck = 
object.getClass().equals(String.class)
+                                    ? List.of((String) object)
+                                            : 
UtilGenerics.checkCollection(object, String.class);
+                            reject = toCheck.stream()
+                                    .anyMatch(val -> val.contains("<"));
+                        } catch (IllegalArgumentException e) {
+                            Debug.logWarning(e, MODULE);
+                            reject = true;
+                        }
                     }
                 }
-            }
-            if (reject) {
-                Debug.logError("For security reason this URL is not accepted", 
MODULE);
-                throw new RuntimeException("For security reason this URL is 
not accepted");
+                if (reject) {
+                    Debug.logError("For security reason this URL is not 
accepted", MODULE);
+                    throw new RuntimeException("For security reason this URL 
is not accepted");
+                }
             }
         }
 
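Review bot: `reject` is reassigned on every loop iteration (the `reject = toCheck.stream().anyMatch(...)` line and the `reject = true` in the catch), so the final value only reflects the last parameter examined and an earlier offending value is forgotten whenever a later key is clean; this predates the commit, but the relocated block keeps it. Accumulating instead, `reject = reject || toCheck.stream().anyMatch(val -> val.contains("<"));`, or leaving the loop as soon as `reject` becomes true, makes the rejection independent of parameter-map iteration order. Since the whole check now sits inside `if (!isControlFilterTests())`, which presumably reads the `ControlFilterTests` system property the tests set, a comment should state that the property disables this rejection in any JVM where it is set, not only under the unit tests, e.g. `// The ControlFilterTests system property skips this check entirely; never set it outside the test runner.` The enclosing method starts before this hunk.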
diff --git 
a/framework/webapp/src/test/java/org/apache/ofbiz/webapp/control/ControlFilterTests.java
 
b/framework/webapp/src/test/java/org/apache/ofbiz/webapp/control/ControlFilterTests.java
index d4921370bf..7858a3b29e 100644
--- 
a/framework/webapp/src/test/java/org/apache/ofbiz/webapp/control/ControlFilterTests.java
+++ 
b/framework/webapp/src/test/java/org/apache/ofbiz/webapp/control/ControlFilterTests.java
@@ -58,7 +58,7 @@ public class ControlFilterTests {
 
     @Test
     public void filterWithExactAllowedPath() throws Exception {
-        System.setProperty("ControlFilterTests", "runsAfterControlFilter");
+        System.setProperty("ControlFilterTests", 
"bypassPreventsStreamExploitation");
         when(config.getInitParameter("redirectPath")).thenReturn("/foo");
         when(config.getInitParameter("allowedPaths")).thenReturn("/foo:/bar");
         when(req.getRequestURI()).thenReturn("/servlet/bar");
@@ -72,7 +72,7 @@ public class ControlFilterTests {
 
     @Test
     public void filterWithAllowedSubPath() throws Exception {
-        System.setProperty("ControlFilterTests", "runsAfterControlFilter");
+        System.setProperty("ControlFilterTests", 
"bypassPreventsStreamExploitation");
         when(config.getInitParameter("redirectPath")).thenReturn("/foo");
         when(config.getInitParameter("allowedPaths")).thenReturn("/foo:/bar");
         when(req.getRequestURI()).thenReturn("/servlet/bar/baz");
@@ -86,7 +86,7 @@ public class ControlFilterTests {
 
     @Test
     public void filterWithRedirection() throws Exception {
-        System.setProperty("ControlFilterTests", "runsAfterControlFilter");
+        System.setProperty("ControlFilterTests", 
"bypassPreventsStreamExploitation");
         when(config.getInitParameter("redirectPath")).thenReturn("/foo");
         when(config.getInitParameter("allowedPaths")).thenReturn("/bar:/baz");
         when(req.getRequestURI()).thenReturn("/missing/path");
@@ -99,7 +99,7 @@ public class ControlFilterTests {
 
     @Test
     public void filterWithURIredirection() throws Exception {
-        System.setProperty("ControlFilterTests", "runsAfterControlFilter");
+        System.setProperty("ControlFilterTests", 
"bypassPreventsStreamExploitation");
         
when(config.getInitParameter("redirectPath")).thenReturn("http://example.org/foo";);
         when(config.getInitParameter("allowedPaths")).thenReturn("/foo:/bar");
         when(req.getRequestURI()).thenReturn("/baz");
@@ -112,7 +112,7 @@ public class ControlFilterTests {
 
     @Test
     public void bailsOutWithVariousErrorCodes() throws Exception {
-        System.setProperty("ControlFilterTests", "runsAfterControlFilter");
+        System.setProperty("ControlFilterTests", 
"bypassPreventsStreamExploitation");
         when(config.getInitParameter("allowedPaths")).thenReturn("/foo");
         when(req.getRequestURI()).thenReturn("/baz");
 
@@ -143,7 +143,7 @@ public class ControlFilterTests {
 
     @Test
     public void redirectAllAllowed() throws Exception {
-        System.setProperty("ControlFilterTests", "runsAfterControlFilter");
+        System.setProperty("ControlFilterTests", 
"bypassPreventsStreamExploitation");
         when(config.getInitParameter("redirectPath")).thenReturn("/bar");
         when(config.getInitParameter("forceRedirectAll")).thenReturn("Y");
         when(config.getInitParameter("allowedPaths")).thenReturn("/foo");
@@ -157,7 +157,7 @@ public class ControlFilterTests {
 
     @Test
     public void redirectAllNotAllowed() throws Exception {
-        System.setProperty("ControlFilterTests", "runsAfterControlFilter");
+        System.setProperty("ControlFilterTests", 
"bypassPreventsStreamExploitation");
         when(config.getInitParameter("redirectPath")).thenReturn("/bar");
         when(config.getInitParameter("forceRedirectAll")).thenReturn("Y");
         when(config.getInitParameter("allowedPaths")).thenReturn("/foo");
@@ -171,7 +171,7 @@ public class ControlFilterTests {
 
     @Test
     public void redirectAllRecursive() throws Exception {
-        System.setProperty("ControlFilterTests", "runsAfterControlFilter");
+        System.setProperty("ControlFilterTests", 
"bypassPreventsStreamExploitation");
         when(config.getInitParameter("redirectPath")).thenReturn("/foo");
         when(config.getInitParameter("forceRedirectAll")).thenReturn("Y");
         when(config.getInitParameter("allowedPaths")).thenReturn("/foo");
