This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/trunk by this push:
new 3bb162ad37 Fixed: OFBiz entity import screen is broken (OFBIZ-13308)
3bb162ad37 is described below
commit 3bb162ad37684bc035c9c9273f98d6cde0e11808
Author: Jacques Le Roux <[email protected]>
AuthorDate: Mon Oct 27 17:57:06 2025 +0100
Fixed: OFBiz entity import screen is broken (OFBIZ-13308)
The fix is easy, just bypass the "Prevents stream exploitation" block like for
ControlFilterTests.
As the fix bypasses this block I have also checked that the
"webtools/control/entityImport" URI can't be used for another possible
vulnerability, either with or w/o entity-engine XML data in "fulltext"
area.
In these cases the message "EntityImportNoXmlFileSpecified"
(ie <<No filename/URL or complete XML document specified, doing nothing.>>)
is shown below the "fulltext" area. In other words the "Import Text" button
must be used, using the URI only does nothing but showing the page.
Thanks: Deepak for report
---
.../src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
index ec4c88a9f1..eb67e8ce7a 100644
---
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
+++
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
@@ -169,8 +169,9 @@ public class ControlFilter extends HttpFilter {
public void doFilter(HttpServletRequest req, HttpServletResponse resp,
FilterChain chain) throws IOException, ServletException {
String context = req.getContextPath();
HttpSession session = req.getSession();
+ boolean isEntityImport =
req.getRequestURI().equals("/webtools/control/entityImport");
- if (!isControlFilterTests()) {
+ if (!(isControlFilterTests() || isEntityImport)) {
// Prevents stream exploitation
UrlServletHelper.setRequestAttributes(req, null,
req.getServletContext());
Map<String, Object> parameters = UtilHttp.getParameterMap(req);
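Review bot: the new `isEntityImport` check hard-codes the literal "/webtools/control/entityImport" even though `context` (from `req.getContextPath()`) is computed two lines above; a framework-wide filter keyed on one webapp's literal path is brittle if the webtools context path is ever mounted elsewhere, so consider `context + "/control/entityImport"` or a short comment stating that the exact literal is intentional. The strict `equals()` on `getRequestURI()` is the safe direction, since any variant (trailing slash, `;jsessionid=` suffix, different case) still falls into the protected branch that calls `UrlServletHelper.setRequestAttributes` and `UtilHttp.getParameterMap`; that is worth recording in the comment, because the commit message documents only a manual check of the bypassed URI and no test covers the new branch.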