This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release18.12 by this push:
new 94e40f9862 Improved: Prevent URL parameters manipulation (OFBIZ-13147)
94e40f9862 is described below
commit 94e40f98620d0a98ea96af49209e4b303a1c925c
Author: Jacques Le Roux <[email protected]>
AuthorDate: Wed Oct 23 16:48:20 2024 +0200
Improved: Prevent URL parameters manipulation (OFBIZ-13147)
Allows Solr tests to pass, so far so good...
Conflict handled by hand
---
.../main/java/org/apache/ofbiz/webapp/control/ControlFilter.java | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
index ca96be12e6..8d56123775 100644
---
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
+++
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
@@ -142,9 +142,11 @@ public class ControlFilter implements Filter {
String queryString = httpRequest.getQueryString();
if (queryString != null) {
queryString = URLDecoder.decode(queryString, "UTF-8");
+ // wt=javabin allows Solr tests, see
https://cwiki.apache.org/confluence/display/solr/javabin
if (UtilValidate.isUrl(queryString)
- || (!SecuredUpload.isValidText(queryString,
Collections.emptyList())
- &&
!queryString.contains("JavaScriptEnabled=Y"))) {
+ || !SecuredUpload.isValidText(queryString,
Collections.emptyList())
+ &&
!(queryString.contains("JavaScriptEnabled=Y")
+ ||
queryString.contains("wt=javabin"))) {
Debug.logError("For security reason this URL is not
accepted", module);
throw new RuntimeException("For security reason this URL
is not accepted");
}
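Review bot: The new `wt=javabin` exemption on the last added line is a plain substring test over the whole decoded query string, so whenever that token appears anywhere in the request the `SecuredUpload.isValidText` check is skipped for every other parameter in the same query, not only for the Solr response-format parameter; the pre-existing `JavaScriptEnabled=Y` exemption has the same shape and this change widens it. A narrower option is to validate the remainder rather than exempt the whole string, e.g. `String toCheck = queryString.replace("wt=javabin", "");` and pass `toCheck` to `SecuredUpload.isValidText`, or to apply the exemption only when the request targets the Solr path (`<solr-path-placeholder>`) instead of keying on query content. The rewritten condition also dropped the explicit parentheses around the `&&` group that the removed lines had; Java precedence still yields `isUrl || (!isValidText && !(...))`, but restoring the parentheses keeps that intent visible to the next reader. The enclosing method starts before and continues after this hunk.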