This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/trunk by this push:
new 63201f5228 Improved: Prevent URL parameters manipulation (OFBIZ-13147)
63201f5228 is described below
commit 63201f5228bf5f44b9c3c65381d2c597fe829118
Author: Jacques Le Roux <[email protected]>
AuthorDate: Wed Oct 23 16:48:20 2024 +0200
Improved: Prevent URL parameters manipulation (OFBIZ-13147)
Allows Solr tests to pass, so far so good...
---
.../main/java/org/apache/ofbiz/webapp/control/ControlFilter.java | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
index d7f8b5cd83..a4122fdcf2 100644
---
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
+++
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
@@ -170,9 +170,11 @@ public class ControlFilter extends HttpFilter {
String queryString = req.getQueryString();
if (queryString != null) {
queryString = URLDecoder.decode(queryString, "UTF-8");
+ // wt=javabin allows Solr tests, see
https://cwiki.apache.org/confluence/display/solr/javabin
if (UtilValidate.isUrl(queryString)
- || (!SecuredUpload.isValidText(queryString,
Collections.emptyList())
- &&
!queryString.contains("JavaScriptEnabled=Y"))) {
+ || !SecuredUpload.isValidText(queryString,
Collections.emptyList())
+ &&
!(queryString.contains("JavaScriptEnabled=Y")
+ ||
queryString.contains("wt=javabin"))) {
Debug.logError("For security reason this URL is not
accepted", MODULE);
throw new RuntimeException("For security reason this URL
is not accepted");
}
