This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release18.12 by this push:
     new 5cc45e8701 Fixed: XML Import fails due to security check (OFBIZ-12602)
5cc45e8701 is described below

commit 5cc45e8701b4b0a1c52ba4308b44f6cf2f6b5d39
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Wed Apr 20 14:10:49 2022 +0200

    Fixed: XML Import fails due to security check (OFBIZ-12602)
    
    When importing an entity with "${" in at least one element, it's rejected
    because of the security check done to protect from Freemarker unauth attacks
    (see OFBIZ-12594).
    
    As suggested by Ingo, allowing users with appropriate permissions seems a
    usable solution. We still need to define the "appropriate permissions".
    We can start with OFBTOOLS and WEBTOOLS, as reported by Ingo, and add
    others later if they ever come.
    
    Thanks: Ingo Wolfmayr for report and suggestion
---
 .../java/org/apache/ofbiz/webapp/control/ControlFilter.java  | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git 
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
 
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
index 5b991355b6..e298f3fd93 100644
--- 
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
+++ 
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
@@ -134,10 +134,14 @@ public class ControlFilter implements Filter {
             if (offset == -1) {
                 offset = requestUri.length();
             }
-            if 
(!GenericValue.getStackTraceAsString().contains("ControlFilterTests")
-                    && null == System.getProperty("SolrDispatchFilter") // 
Allows Solr tests
-                    && 
SecurityUtil.containsFreemarkerInterpolation(httpRequest, httpResponse, 
requestUri)) {
-                return;
+
+            GenericValue userLogin = (GenericValue) 
httpRequest.getSession().getAttribute("userLogin");
+            if (!LoginWorker.hasBasePermission(userLogin, httpRequest)) { // 
Allows UEL and FlexibleString (OFBIZ-12602)
+                if 
(!GenericValue.getStackTraceAsString().contains("ControlFilterTests")
+                        && null == System.getProperty("SolrDispatchFilter") // 
Allows Solr tests
+                        && 
SecurityUtil.containsFreemarkerInterpolation(httpRequest, httpResponse, 
requestUri)) {
+                    return;
+                }
             }
 
             while (!allowedPaths.contains(requestUri.substring(0, offset))) {
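Review bot: the new guard skips the Freemarker interpolation check for every request made by a user who passes `LoginWorker.hasBasePermission(userLogin, httpRequest)`, on any webapp that runs through ControlFilter, not only for the XML import path that OFBIZ-12602 describes; since the commit message says the permitted set is meant to start with OFBTOOLS and WEBTOOLS, consider scoping the exemption to those permissions (or to the import request) and stating the intended scope in the inline comment, which currently only says "Allows UEL and FlexibleString (OFBIZ-12602)". Also, `userLogin` is read from the session with `getAttribute("userLogin")` and may be null for an unauthenticated request, so please confirm `hasBasePermission` returns false for a null login so that the `containsFreemarkerInterpolation` check still runs for anonymous traffic. The `ControlFilterTests` and `SolrDispatchFilter` test bypasses are carried over unchanged inside the new block, so the existing tests should still exercise the rejection path when they run without a permitted login.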
