This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/trunk by this push:
new 17b9ac44de Improved: Refactor ControlFilter class without functional
changes (OFBIZ-13213)
17b9ac44de is described below
commit 17b9ac44de649a50ccb1510b3ed1b5b7df6939d3
Author: Jacques Le Roux <[email protected]>
AuthorDate: Fri Feb 28 12:04:52 2025 +0100
Improved: Refactor ControlFilter class without functional changes
(OFBIZ-13213)
Groups the functionalities better and comments them for easier readability
---
.../apache/ofbiz/webapp/control/ControlFilter.java | 21 +++++++++++++--------
1 file changed, 13 insertions(+), 8 deletions(-)
diff --git
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
index 6b0cef5f12..5ba06ae4e6 100644
---
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
+++
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
@@ -185,14 +185,21 @@ public class ControlFilter extends HttpFilter {
String uriWithContext =
StringEscapeUtils.unescapeHtml4(URLDecoder.decode(req.getRequestURI(),
"UTF-8"));
String uri = uriWithContext.substring(context.length());
+
+ //// Block with several steps for rejecting wrong URLs, allowing
specific ones
+
+ // Allows UEL and FlexibleString (OFBIZ-12602). Also allows
SolrTest to pass. No need to check these URLs
GenericValue userLogin = (GenericValue)
session.getAttribute("userLogin");
- if (!LoginWorker.hasBasePermission(userLogin, req)) { // Allows
UEL and FlexibleString (OFBIZ-12602)
- if (isSolrTest() &&
SecuredFreemarker.containsFreemarkerInterpolation(req, resp, uri)) {
- return;
- }
+ if (!LoginWorker.hasBasePermission(userLogin, req) ||
isSolrTest()) {
+ return;
}
- // Reject wrong URLs
+ // Reject Freemarker interpolation in URL
+ if (SecuredFreemarker.containsFreemarkerInterpolation(req, resp,
uri)) {
+ return;
+ }
+
+ // Reject insecure URLs
String queryString = null;
try {
queryString = new URI(uriWithContext).getQuery();
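Review bot: The new early return `if (!LoginWorker.hasBasePermission(userLogin, req) || isSolrTest()) { return; }` is not behavior-preserving, contrary to the commit title: in the removed code a request without base permission still fell through to the query-string check below, and the Freemarker-interpolation check ran only for such requests (and only when `isSolrTest()` held), whereas now any request lacking base permission, or any request for which `isSolrTest()` is true, leaves this block before either check, and requests that do have base permission get a Freemarker check they did not get before. Whether the bare `return` forwards the request or drops it depends on what follows the hunk (the rest of the method, presumably ending in a `chain.doFilter` call, is outside it); either way it differs from the old reject paths, which go through `containsFreemarkerInterpolation(req, resp, uri)` with the response in hand or throw a RuntimeException, while this `return` writes nothing. If the old semantics are intended, keep the nested form `if (!LoginWorker.hasBasePermission(userLogin, req) && isSolrTest()` / `&& SecuredFreemarker.containsFreemarkerInterpolation(req, resp, uri)) {` / `return;` and let the permission-less path continue to the query-string check. If the exemption is intended, the comment at "Allows UEL and FlexibleString" should state plainly that requests without base permission skip every URL check in this filter, and the `////` marker should be a normal `//`.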
@@ -201,12 +208,10 @@ public class ControlFilter extends HttpFilter {
Debug.logError("Weird URI: " + e, MODULE);
throw new RuntimeException(e);
}
-
if (queryString != null) {
queryString = URLDecoder.decode(queryString, "UTF-8");
if (UtilValidate.isUrlInString(queryString)
- ||
!SecuredUpload.isValidText(queryString.toLowerCase(), ALLOWEDTOKENS, true)
- && isSolrTest()) {
+ ||
!SecuredUpload.isValidText(queryString.toLowerCase(), ALLOWEDTOKENS, true)) {
Debug.logError("For security reason this URL is not
accepted", MODULE);
throw new RuntimeException("For security reason this URL
is not accepted");
}
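Review bot: `queryString.toLowerCase()` on the rewritten condition line uses the JVM default locale, so on a server running under a Turkish locale an upper-case `I` folds to dotless `ı`; if `SecuredUpload.isValidText` matches lower-case keyword patterns (not visible here), input such as `<SCRIPT` would then slip past them, so a security validator should fold case locale-independently: `queryString.toLowerCase(Locale.ROOT)` (requires `java.util.Locale`, whose import is not visible in this chunk). Dropping `&& isSolrTest()` from the condition also means this rejection now fires regardless of that flag, which is consistent with the early return in the previous hunk but is a functional change the commit message should mention. The enclosing `if (queryString != null)` block closes outside the hunk.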