This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release22.01 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release22.01 by this push: new aead955798 Fixed: XML Import fails due to security check (OFBIZ-12602) aead955798 is described below commit aead9557982bc17705e39a11a53ae21878a4b0b6 Author: Jacques Le Roux <jacques.le.r...@les7arts.com> AuthorDate: Wed Apr 20 13:56:25 2022 +0200 Fixed: XML Import fails due to security check (OFBIZ-12602) When importing an entity with "${" in for at least an element it's rejected because of the security check done to protect from Freemarker unauth attacks (see OFBIZ-12594). As suggested by Ingo, allowing users with appropriate permissions seems an usable solution. We still need to define the "appropriate permissions". We can start with OFBTOOLS and WEBTOOLS, as it's reported by Ingo, and add others later if they ever come. Thanks: Ingo Wolfmayr for report and suggestion --- .../java/org/apache/ofbiz/webapp/control/ControlFilter.java | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java index b0e57181a2..302df37f51 100644 --- a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java +++ b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java @@ -149,11 +149,14 @@ public class ControlFilter extends HttpFilter { String uriWithContext = req.getRequestURI(); String uri = uriWithContext.substring(context.length()); + GenericValue userLogin = (GenericValue) session.getAttribute("userLogin"); - if (!GenericValue.getStackTraceAsString().contains("ControlFilterTests") - && null == System.getProperty("SolrDispatchFilter") // Allows Solr tests - && SecurityUtil.containsFreemarkerInterpolation(req, resp, uri)) { - return; + if (!LoginWorker.hasBasePermission(userLogin, req)) { // Allows UEL and + if (!GenericValue.getStackTraceAsString().contains("ControlFilterTests") + && null == System.getProperty("SolrDispatchFilter") // Allows Solr tests + && SecurityUtil.containsFreemarkerInterpolation(req, resp, uri)) { + return; + } } // Check if the requested URI is allowed.