This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release24.09
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release24.09 by this push:
     new 13e4b6c180 Fixed: OFBiz entity import screen is broken (OFBIZ-13308)
13e4b6c180 is described below

commit 13e4b6c1800356cb4811af5fec9878d16f1c00e8
Author: Jacques Le Roux <[email protected]>
AuthorDate: Mon Oct 27 17:57:06 2025 +0100

    Fixed: OFBiz entity import screen is broken (OFBIZ-13308)
    
    The fix is easy, just bypass the "Prevents stream exploitation" block like
    for ControlFilterTests.
    
    As the fix bypasses this block I have also checked that the
    "webtools/control/entityImport" URI can't be used for another possible
    vulnerability, either with or w/o entity-engine XML data in the "fulltext"
    area.
    
    In these cases the message "EntityImportNoXmlFileSpecified"
    (i.e. <<No filename/URL or complete XML document specified, doing nothing.>>)
    is shown below the "fulltext" area. In other words the "Import Text" button
    must be used; using the URI only does nothing but show the page.
    
    Thanks: Deepak for report
    
    Conflict handled by hand
---
 .../src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java   | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git 
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
 
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
index 6aeb2edb3f..0201d92b03 100644
--- 
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
+++ 
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
@@ -173,8 +173,9 @@ public class ControlFilter extends HttpFilter {
     public void doFilter(HttpServletRequest req, HttpServletResponse resp, 
FilterChain chain) throws IOException, ServletException {
         String context = req.getContextPath();
         HttpSession session = req.getSession();
+        boolean isEntityImport = 
req.getRequestURI().equals("/webtools/control/entityImport");
 
-        if (!(isSolrTest() || isControlFilterTests())) {
+        if (!(isSolrTest() || isControlFilterTests() || isEntityImport)) {
             // Prevents stream exploitation
             UrlServletHelper.setRequestAttributes(req, null, 
req.getServletContext());
             Map<String, Object> parameters = UtilHttp.getParameterMap(req);
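Review bot: the new `isEntityImport` flag hard-codes the context path ("/webtools/...") even though `context = req.getContextPath()` is computed two lines above it; if the webtools webapp is ever mounted under a different context path the exemption silently stops applying and the import screen breaks again, so consider building the comparison from `context + "/control/entityImport"` instead. The exact `equals` match on the raw `getRequestURI()` is fail-closed (a trailing slash, different case or a `;jsessionid` suffix still goes through the "Prevents stream exploitation" block), which is the safe direction, but that behaviour and the reason this single URI is allowed to skip `UtilHttp.getParameterMap(req)` are only explained in the commit message; a short code comment on the `isEntityImport` line citing OFBIZ-13308 would keep the rationale next to the exemption, and factoring it into a helper alongside `isSolrTest()` and `isControlFilterTests()` would match the existing style of the condition.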
