This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release18.12 by this push:
     new de26aaebb4 Improved: Prevent URL parameters manipulation (OFBIZ-13147)
de26aaebb4 is described below

commit de26aaebb484c7fdfe84b0efff52f31f8db5be8b
Author: Jacques Le Roux <[email protected]>
AuthorDate: Fri Nov 8 12:02:20 2024 +0100

    Improved: Prevent URL parameters manipulation (OFBIZ-13147)
    
    With previous commits I added tests to ControlFilter.java that are no
    longer needed, so this removes the whole block. A better solution will be
    tested in trunk and hopefully backported later.
---
 .../org/apache/ofbiz/webapp/control/ControlFilter.java    | 15 ---------------
 1 file changed, 15 deletions(-)

diff --git 
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
 
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
index 7dbb6c3b72..8f0a984a4e 100644
--- 
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
+++ 
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
@@ -21,8 +21,6 @@ package org.apache.ofbiz.webapp.control;
 import java.io.IOException;
 import java.net.URI;
 import java.net.URISyntaxException;
-import java.net.URLDecoder;
-import java.util.Collections;
 import java.util.HashSet;
 import java.util.Set;
 
@@ -36,9 +34,7 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 import org.apache.ofbiz.base.util.Debug;
-import org.apache.ofbiz.base.util.UtilValidate;
 import org.apache.ofbiz.entity.GenericValue;
-import org.apache.ofbiz.security.SecuredUpload;
 import org.apache.ofbiz.security.SecurityUtil;
 
 /*
@@ -143,17 +139,6 @@ public class ControlFilter implements Filter {
 
             // Reject wrong URLs
             if 
(!requestUri.matches("/control/logout;jsessionid=[A-Z0-9]{32}\\.jvm1")) {
-            String queryString = httpRequest.getQueryString();
-            if (queryString != null) {
-                queryString = URLDecoder.decode(queryString, "UTF-8");
-                if (UtilValidate.isUrl(queryString)
-                        || !SecuredUpload.isValidText(queryString, 
Collections.emptyList())
-                        && isSolrTest()) {
-                    Debug.logError("For security reason this URL is not 
accepted", module);
-                    throw new RuntimeException("For security reason this URL 
is not accepted");
-                }
-            }
-
                 try {
                     String url = new URI(((HttpServletRequest) 
request).getRequestURL().toString())
                             .normalize().toString()
