This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release18.12 by this push:
new 84ff5ee6f2 Improved: Prevent URL parameters manipulation (OFBIZ-13147)
84ff5ee6f2 is described below
commit 84ff5ee6f25605c48d11c84794fcfd959c7334fa
Author: Jacques Le Roux <[email protected]>
AuthorDate: Wed Oct 23 14:22:39 2024 +0200
Improved: Prevent URL parameters manipulation (OFBIZ-13147)
Allows JavaScriptEnabled=Y to pass.
Conflict handled by hand
---
.../src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
index db157a6d26..ca96be12e6 100644
---
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
+++
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
@@ -142,7 +142,9 @@ public class ControlFilter implements Filter {
String queryString = httpRequest.getQueryString();
if (queryString != null) {
queryString = URLDecoder.decode(queryString, "UTF-8");
- if (UtilValidate.isUrl(queryString) ||
!SecuredUpload.isValidText(queryString, Collections.emptyList())) {
+ if (UtilValidate.isUrl(queryString)
+ || (!SecuredUpload.isValidText(queryString,
Collections.emptyList())
+ &&
!queryString.contains("JavaScriptEnabled=Y"))) {
Debug.logError("For security reason this URL is not
accepted", module);
throw new RuntimeException("For security reason this URL
is not accepted");
}
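Review bot: The `JavaScriptEnabled=Y` exemption added on the `&&` branch is a substring test over the whole decoded query string, so whenever that token appears anywhere the `SecuredUpload.isValidText` check is skipped for every other parameter too, which widens the exemption well beyond the single parameter the commit intends to let through. Safer to remove that one parameter from the text under test and keep validating the remainder, e.g. `String toValidate = queryString.replace("JavaScriptEnabled=Y", "");` and then `|| !SecuredUpload.isValidText(toValidate, Collections.emptyList())) {`, so the filter's coverage of the rest of the query string is unchanged (whether `isValidText` tolerates the leftover `&` separators should be confirmed against its rules). A short comment on the exemption naming the feature that needs it would also help, since the commit message only says the value is allowed to pass. The enclosing `if (queryString != null)` block and the method around it continue outside the hunk.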