This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release17.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release17.12 by this push:
     new 006ce17  Fixed: post-auth Remote Code Execution Vulnerability (OFBIZ-12332)
006ce17 is described below

commit 006ce17647f591fc90aa64a46856e5c1d2b9597a
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Sun Oct 10 11:24:55 2021 +0200

    Fixed: post-auth Remote Code Execution Vulnerability (OFBIZ-12332)
    
    In the previous commit, in CacheFilter::doFilter, I checked "xmlrpc" when it was
    actually "/control/xmlrpc"
---
 .../base/src/main/java/org/apache/ofbiz/base/util/CacheFilter.java      | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git 
a/framework/base/src/main/java/org/apache/ofbiz/base/util/CacheFilter.java 
b/framework/base/src/main/java/org/apache/ofbiz/base/util/CacheFilter.java
index de15e3f..b2f0514 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/CacheFilter.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/CacheFilter.java
@@ -57,7 +57,7 @@ public class CacheFilter implements Filter {
         String uriWithContext = ((HttpServletRequest) request).getRequestURI();
         String uri = uriWithContext.substring(context.length());
 
-        if ("xmlrpc".equals(uri.toLowerCase())) {
+        if ("/control/xmlrpc".equals(uri.toLowerCase())) {
             // Read request.getReader() as many time you need
             request = new RequestWrapper((HttpServletRequest) request);
             String body = 
request.getReader().lines().collect(Collectors.joining());
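Review bot: the corrected condition `if ("/control/xmlrpc".equals(uri.toLowerCase()))` is an exact match on the raw `getRequestURI()` value with only the context path stripped, so any equivalent spelling of the same endpoint (a trailing slash, a path parameter appended after `;`, a doubled slash) does not enter the guarded branch and the request is never wrapped; since this branch is the gate for the OFBIZ-12332 fix, consider normalizing the path before the comparison (strip path parameters and a trailing slash, or compare against the servlet path rather than the request URI) and adding a unit test that exercises both the plain form and these variants so the literal cannot silently regress again. A one-line comment above the `if` noting that `uri` has the context removed and therefore begins with `/control/` would also make the form of the literal obvious to the next reader, which is exactly the confusion the commit message describes.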
