This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release18.12 by this push:
     new acd64dd411 Fixed: Prevent URL parameters manipulation (OFBIZ-13147)
acd64dd411 is described below

commit acd64dd411808d7a252ae24d518f6ff113cf896f
Author: Jacques Le Roux <[email protected]>
AuthorDate: Thu Oct 10 08:56:52 2024 +0200

    Fixed: Prevent URL parameters manipulation (OFBIZ-13147)
    
    Solution: Reject URLs with a URL in the query string
    
    Conflicts handled by hand
---
 .../java/org/apache/ofbiz/webapp/control/ControlFilter.java   | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git 
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
 
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
index dc02f763f1..e85f2d899b 100644
--- 
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
+++ 
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
@@ -21,6 +21,7 @@ package org.apache.ofbiz.webapp.control;
 import java.io.IOException;
 import java.net.URI;
 import java.net.URISyntaxException;
+import java.net.URLDecoder;
 import java.util.HashSet;
 import java.util.Set;
 
@@ -34,6 +35,7 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 import org.apache.ofbiz.base.util.Debug;
+import org.apache.ofbiz.base.util.UtilValidate;
 import org.apache.ofbiz.entity.GenericValue;
 import org.apache.ofbiz.security.SecurityUtil;
 
@@ -135,6 +137,15 @@ public class ControlFilter implements Filter {
 
             // Reject wrong URLs
             if 
(!requestUri.matches("/control/logout;jsessionid=[A-Z0-9]{32}\\.jvm1")) {
+                String queryString = httpRequest.getQueryString();
+                if (queryString != null) {
+                    queryString = URLDecoder.decode(queryString, "UTF-8");
+                    if (UtilValidate.isUrl(queryString)) {
+                        Debug.logError("For security reason this URL is not 
accepted", module);
+                        throw new RuntimeException("For security reason this 
URL is not accepted");
+                    }
+                }
+
                 try {
                     String url = new URI(((HttpServletRequest) 
request).getRequestURL().toString())
                             .normalize().toString()
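Review bot: The rejection on L60 leaves the filter via an unhandled RuntimeException, so a blocked request surfaces as a container 500 (typically with a stack trace) rather than a deliberate client error; responding with `((HttpServletResponse) response).sendError(HttpServletResponse.SC_BAD_REQUEST, "For security reason this URL is not accepted"); return;` (HttpServletResponse is already imported) is the cleaner outcome, assuming the filter's response parameter is named `response` as in the standard doFilter signature. `URLDecoder.decode` on L56 throws IllegalArgumentException on a malformed escape such as a lone `%`, which escapes the same way, so catch it and treat a decode failure as a rejection too. The check decodes exactly once; if `UtilValidate.isUrl` keys on a literal scheme separator, a double-encoded `%253A%252F%252F` still reaches it as `%3A%2F%2F` and passes, so decoding until the string stops changing before the check closes that gap. The log message on L58 names neither the request URI nor the client, which is what a responder needs; `Debug.logError("Rejected request to " + requestUri + " from " + httpRequest.getRemoteAddr() + ": URL found in query string", module)` is enough without logging the full query string. The enclosing method starts and ends outside this hunk.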
